ORX News digest of the month – September 2019
- 3 October 2019
Every month the ORX News team publishes a featured digest from the ORX News Service. It's a detailed look at one of the losses reported in the media that month, and is handpicked by the team as one of the most interesting stories.
ING Bank to pay customers compensation over QR code fraud via mobile banking accounts
ING Bank said it would compensate retail customers in the Netherlands after fraudsters exploited a QR code function in the bank’s mobile app to steal funds. They did this by using a customer’s account number to generate a QR code and link a second device to the customer’s mobile banking account.
The fraudsters obtained customers’ account numbers under the pretence of paying for goods posted for sale by the victims on online marketplaces. Using the account numbers, the fraudsters generated QR codes using ING’s app to represent that the customers had installed the app on a second device. The fraudsters then sent the QR codes to customers, claiming that scanning the code would confirm payment. In fact, by scanning the QR codes, customers unknowingly activated ING’s mobile banking app on the fraudsters’ devices, giving them access to their accounts. The perpetrators defrauded some ING customers of thousands of euros in this way.
ING initially said that it would not compensate customers as they were responsible for the linking of third-party devices to their own accounts. However, in September the bank said it would provide a “considerable amount” of compensation as a goodwill gesture.
A report by consumer television programme Kassa said that ING’s QR code system was vulnerable, as compared to other banks’ systems it required fewer steps to link a device. The bank said it would implement additional measures to increase its customers’ security.
ORX News subscribers can read the full story on the ORX News website.