Millions of pounds were stolen from Barclays accounts in a series of coordinated cyberattacks by a fraudster with a Monzo account and a payment initiation service provider (PISP), The Telegraph reported.
PISPs are a newer concept, introduced by the revised European Payment Services Directive (PSD2), that allows retail customers to pay businesses directly from their bank account instead of using a debit or credit card.
“There is nothing new or different about a fraudster’s approach to these cases that are specific to the use of a PISP,” a Barclays spokesman said, according to the report. “Convincing victims to share passcodes / pinsentry codes is the same kind of social engineering that is used to cheat customers through traditional channels. We regularly warn customers not to give out their Pinsentry codes, passcodes or passwords to prevent this type of fraud.”
The cyber attack follows an antitrust investigation of Monzo by the Financial Conduct Authority (FCA). Monzo, a London challenger bank, is charged with violating financial crime controls and anti-money laundering (AML) regulations.
According to the minutes of an Open Banking Implementation Entity (Obie) meeting, a cyberattack involving a PISP occurred in May, The Telegraph reported. Monzo didn’t seem to be involved.
In this case, the victim clicked a text message link to confirm a payment and was redirected to a phishing website that mirrored the victim’s bank. The cyber thief then stole the victim’s credentials, set up an account and used the PISP to initiate payment requests, the report said.
This attack prompted the Obie steering group to discuss the possibility that open banking payments could be more easily exploited because the methods for fraud prevention and detection differ along the payment path.