Fraudulent transactions with a payment app linked to new phone number

Case number: 2026/06

The client lodged his complaint with the Swiss Banking Ombudsman after four fraudulent transactions totaling CHF 200 were made using a payment app. These payments were made after access to the payment app had been linked with a new telephone number. The bank refused to refund this amount on the grounds that confidential data which were exclusively within the client’s sphere of responsibility had to be used to link the payment app to a new number. The client disputed this view on the grounds that there had been neither notification nor enhanced security measures when the new number was added. The Swiss Banking Ombudsman examined whether the level of security applied by the bank was appropriate and proportional, and invited the institution to clarify its practice as well as consider an amicable solution taking into account the alleged security deficiencies. The bank agreed to compensate its client with CHF 100. It has also committed to reviewing its practice regarding payment functionalities.

The client had been using the bank’s electronic banking services and his account-linked payment app for several years. Following several unauthorised transactions he had noticed that his payment function was associated with a new telephone number. The debits concerned purchases from a trader on the internet and amounted to CHF 200 in total.

The client requested full reimbursement. He stated that he had never shared or disclosed his e-banking identification data. He assumed that his user ID and password had been stolen from him without his knowledge, probably during a connection to a public Wi-Fi network. The client mainly accused the bank of two security flaws. First, he had received no email, text message or telephone call informing him that a second payment function of the same kind had been added to his banking profile. Secondly, and most importantly, no two-factor authentication was required to secure this sensitive operation. The client argued that a simple confirmation through his existing payment app on his mobile phone would have been sufficient to prevent this fraud. He also mentioned that a bank employee had confirmed to him during his visit to the counter that improvements would be made to the security system to prevent this kind of fraud from happening again.

The bank rejected the claim for repayment and explained that linking the payment app to a new telephone number required entering the correct e-banking ID and corresponding password. According to the bank, these matters were exclusively within the control of the client and therefore the bank could not be held liable for their misuse. It concluded that there was no security system failure.

The Swiss Banking Ombudsman examined both sides’ arguments. He asked the bank for further clarification, particularly regarding the level of security applied when linking a new telephone number to existing payment functionality. In his discussions with the bank, the Swiss Banking Ombudsman noted that it was surprising that multi-factor authentication is required for initial activation of the payment app, whereas single-factor authentication is sufficient to change the associated telephone number. The bank explained that, so that the payment function could be used quickly, it became available as soon as the client’s ID and password were entered, but was limited to CHF 200. An additional level of security was required only if use of the payment app exceeded CHF 200. According to the bank, the fraud committed against its client was due to identification elements in the client’s possession having been disclosed to third parties. The security measures taken by the bank had limited the damage to CHF 200.

After various exchanges by letter and telephone, the bank agreed to make a commercial gesture of CHF 100, i.e., refunding half of the amount claimed to its client. The client accepted this amicable offer.

The Swiss Banking Ombudsman recommended that the bank systematically introduce two-factor authentication for all changes to telephone numbers linked with payment functionality, to prevent similar situations from recurring.