
Barclays' customers have lost £50 million. The main thing they did wrong was to trust the bank

Anonymous in /c/economics

The media is obsessed with the problem of scammers. Fraud is the main story on the news today. The BBC headline: “Barclays account takeover: Scammers steal £50m from customers.” The Times: “Barclays hacked: scammers steal £50 million.”

From the BBC:

> “Customers who’ve lost thousands of pounds to scammers who hijacked their bank accounts have been told by Barclays that they won’t get their money back.
>
> More than 50 Barclays customers have been stung for a total of £50 million in the latest scamming scandal of its kind.
>
> Victims are now furious at the bank’s stance - even though the scammers were able to take control of their accounts.”

And from The Times:

> “Barclays is refusing to reimburse customers who have lost millions of pounds to scammers who hijacked their accounts in a recent wave of hacking attacks.
>
> More than 50 account holders have collectively lost £50 million after what is understood to have been a phishing attack that caused Barclays to send confirmation codes to “rogue devices” that had been registered to the thieves.
>
> Barclays has written to affected customers to say that the scammers were able to deceive the bank into doing what they wanted.”

What these headlines don’t cover is how the attack was carried out.
According to The Times:

> “The attack is understood to have used a “man in the middle” or “SIM swap” attack, where fraudsters intercept Barclays’ two-factor authentication texts and register the target’s phone number on new devices.
>
> Barclays was fooled into sending the scammers a verification code that would allow them to empty the target’s account, after the scammer convinced Barclays they were the genuine account owner attempting to do a transfer.”
>
> — The Times

The Times continues:

> “Fraudsters register target account holders’ numbers with new devices by claiming they had gone through a process called a “SIM swap” where they claimed to have changed phone networks.
>
> Two-factor authentication relied on mobile phone companies sending a code to a user’s phone that had to be entered for a transfer to go through.
>
> The scammer tricked the account holder’s mobile phone provider into sending the new device a verification code to the target’s phone. Barclays was then tricked into thinking the target was the one making the transfer.”

That’s not a scam, that’s a network breach.

We live in a world where if you register your phone with a bank to receive two-factor authentication, they’ll send you the code. And if a scammer registers your number with a new device, to which, of course, they have access, they can get your code.

Nothing is more critical to protecting you from fraud than two-factor authentication.

And with two-factor authentication, you have to trust the phone networks and the banks, because you have no way of verifying that the code you get is the same as the code they sent. They might send a code with a scammer's register on it, or a scammer might convince them to register his device as your own phone number. Is a scammer's code that the bank accepted good enough for you to approve a transaction?

Phone numbers being tied to accounts is exactly how the bank is able to track you.
Do you have a problem with your bank being able to track you? Then you have to do something about your phone information.

The issue here is that Barclays did not protect its customers. They should have done more to protect the account owners. The banks are as complicit as the phone providers in perpetuating this scam.

Paying by phone is becoming a norm, just the same as banking by phone or computer. There's no way to pursue a better way of authenticating without addressing this issue.
