Otdfbt

There is a story currently on the BBC news website. The relevant points are:

1. Scammers called Alex pretending to be BT (telecommunications provider).


2. Alex provided scammers with information / help


3. Scammers made payments that emptied account of £180,000 within 24 hours


4. Payments labelled eg. "Bill Payment Via Faster Payment to Radu Reference Web Inv 793, Mandate No 127 £2,500.00 £34,617.11"


5. Bank initially refused responsibility, citing gross negligence


6. Financial Ombudsman Service found in favor of Alex

What information / help would a scammer need to make these payments?

I feel that if the answer is "everything you usually use to get into your account and make payments" then the claim by the bank of gross negligence by Alex is justifiable. If the answer is anything else I would really like to know.

From the link in Vicky's answer, the fraudsters needed access to the victim's computer (or for the victims to transfer the money, or general access to the victim's account) and for the victim to read off the one-time passwords they were asking for. This was a social scam, not a technical scam.

On the other hand, it seems like they were targeting the Santander bank for a reason, and that reason appears to be low-quality fraud prevention.

• There's an expectation that the bank will be watching for unusual transactions, and these should have been unusual transactions. In many cases, these were not marked as such.


• Even when they were marked as unusual transactions, Santander was not diligent about contacting the customer, and defaulted to letting the transaction go through.


• Santander was asking the customer for one-time passwords without also including the context. This allowed the scammers to pretend the transfer was for a different purpose.


• Some of the victims insist that they never got the one-time password messages, but the transfer went through anyway. This might indicate that the scammers were able to change the phone number associated with the account without creating an alert. (To be clear, the victims could instead be lying; this is a somewhat embarrassing crime, and it's natural to disclaim responsibility. Still, this is a suspicious detail.)

In the end, the bank has the time and knowledge needed to keep on top of the latest scams; their customers do not.

Well, they (presumably deliberately) haven't published the details of the methods the scammers used, so none of us can say. The BBC story is very light on details but it does say that she was the victim of a "sophisticated con" and that she was "tricked into handing over sensitive security details".

All that really matters is that the Financial Ombudsman, who did have details of what happened, has taken Alex's side and so the bank has to pay Alex back for the losses.

[Edit: with some further googling there are quite a lot more details here: https://www.thisismoney.co.uk/money/beatthescammers/article-4358442/Santander-fraud-victims-tell-anguish.html including that the Financial Ombudsman Service found significant weaknesses in Santander's security systems and also found that they did not take action to prevent or even check the very unusual pattern of withdrawals, which a reasonable person might consider that they should.]
This question really feels equivalent to "this newspaper says that person X was arrested on charges of murdering person Y, but person X was acquitted at trial. What would you need to murder a person because if it really is just as simple as hitting them with a hammer then I can't see why person X would have been acquitted". Fundamentally: without all the details, we can't possibly judge.

In a comment, you clarified your question as,

What is the set of information that must be secured to prevent scammers clearing your bank account?

The good news is, banks have evolved security and fraud protection as they've added services. Since the focus of your question seems to be around scams that rely on access via online banking, the typical features are:

Two factor authentication, just to log in, with some degree of "intelligence:" You may only need your username and password to log in, but the online banking system will challenge you for a second factor before it actually logs you in, if your access attempt fails certain tests. Often, the bank is using a scoring system that evaluates a series of factors and decides what to do. Besides requiring a second factor, banking systems will also sometimes lock someone's online access if there is enough suspicious behavior:

• Failed username/password attempts


• Logging in from a device you've never used before


• Logging in from a browser you've never used before


• Logging in from a browser on a mobile phone, when your mobile phone login history typically comes from the bank's own app


• Logging in from a zipcode, state, or country that you've never logged in from before


• Logging in at a different time of day than is normal (i.e. all your history is during daylight hours and suddenly there's an attempt at 2 AM in your timezone).


• You've reinstalled the online banking app since the last time you logged in


• You've recently installed the online banking app on another device and attempted to log in, but were stopped because the password was bad

A different type of multi-factor validation, when suspicious activity happens, once you're actually logged in. Most banking systems will also actively challenge a customer who tries to make unusual transactions. For instance, the customer may be challenged to enter a PIN that's sent to their phone via text if they're adding a new bill pay account, if they're making a bill payment or external transfer over a certain threshold, or even if they're transferring more than $1000 between their own accounts.

Passive notification of suspicious activity: Many banking systems will passively notify customers when certain transactions happen, even if all of the above challenges are passed and the transaction completes - this is designed to at least notify the customer if someone has "broken in" to their account or it has otherwise been compromised. Often, these notifications are designed to use different channels than the multi-factor challenges, so for instance if a large transfer requires a PIN sent to a cell phone, the notification will be made via email or an automated call to a different number on record for the customer.

There are also cases where banks implement passive notifications via actual mail - for instance, if you change your online banking password, you receive a letter in the mail notifying you that you did this. This is designed as a last-ditch notification to help people who have had their entire digital identity compromised unknowingly (i.e. if someone knows how to access your phone and has access to your online banking app and your texts).

To address another point you made in comments,

If the answer is "your username and password" then I am safe, but would not seem to be much of a sophisticated con

In a sense, you're kind of right - a scammer may theoretically be able to gain access only with your username and password but there's a gray area in terms of if they'll actually be able to log in, or what they may be able to get away with once they have logged in. The "sophisticated" part comes into play in the sense of tricking the mark into bypassing or ignoring all of the above controls - the con will have to talk the mark into giving them the PINs that are sent to their phone, or even calling the bank and unlocking their account if their online banking access gets locked out because of failed login attempts.

Which is the whole reason why most banks implement active fraud prevention by bank staff: probably the most common way that a social engineering attack is stopped is by bank staff actively monitoring for suspicious activity and then taking action to protect the customer. Besides watching for members hitting or failing the above triggers, there may be other things the bank is actively monitoring - often based on behavioral triggers (someone doing something they don't normally do), quality triggers (someone has check images show up that are on the verge of failing verification), or time boxes (someone creates a new online banking account and immediately tries to withdraw all their money via transfer). Sometimes staff will take corrective action by putting a hold on the account or specific transactions, shutting down online banking access, calling the member, or other methods to prevent fraud.

Banks will purposefully try to hide the details of their own fraud prevention tools from the public, to prevent cons from focusing on their weaknesses. If a bank has a sufficient set of tools that are not well understood by the public, then in order to be successful, a con will need to truly secure the full confidence of their mark, versus just trying to weasel specific pieces of information out of them. Once a mark has been tricked, none of the above factors will prevent loss.

To bring this all full circle to your original question,

What information / help would a scammer need to make these payments?

The answer is, it depends on the bank, but typically they would need your username and password, along with full access to information that is intended to be confidential between you and the bank (i.e. PINs sent to your phone via text, phone calls, emails, etc) in order to defeat typical fraud controls. In other words, if the bank is doing a good job at fraud prevention, there isn't a predefined list of things the scammer needs - the scammer needs to trick you into helping them evade whatever measures their activities trigger.