Millions of pounds were swiped from Barclays accounts in a series of coordinated cyberattacks by a fraudster using a Monzo account and a payments initiation service provider (PISP), The Telegraph reported.
PISPs are a newer concept, introduced by the revised European Payment Services Directive (PSD2), and give retail customers the ability to pay companies directly from their bank account instead of using a debit or credit card.
“There is nothing new or different about a fraudster’s approach to these cases that are specific to using a PISP,” a Barclays spokesperson said, per the report. “It is the same type of social engineering to convince victims to share passcodes/Pinsentry codes as is done to defraud customers through traditional channels. We regularly warn customers to never give out their Pinsentry codes, passcodes or any passwords to prevent this type of fraud from happening.”
The cyberattack comes on the heels of an antitrust probe into Monzo by the Financial Conduct Authority (FCA). Monzo, a London challenger bank, is accused of being in violation of financial crime controls and anti-money laundering (AML) mandates.
A cyberattack involving a PISP happened in May, according to meeting minutes from the Open Banking Implementation Entity (Obie), The Telegraph reported. Monzo did not appear to be involved.
In that case, the victim clicked on a text message link to verify a payment and was taken to a phishing website that mirrored the victim’s bank. The cyberthief then swiped the victim’s login credentials, set up an account, and used the PISP to initiate payment requests, according to the report.
That attack prompted the Obie steering group to discuss the possibility that open banking payments were more exploitable because of the varying methods used for fraud prevention and detection along the payment journey.