What went wrong to allow Google Pay fraud?

For months now, I’ve been telling banks that codes sent via text message are insecure and a bad choice.

Google Pay and Apple Pay are a goldmine for criminals. Stolen card details are used to activate these payment methods on a criminal’s own device.

They then steal the verification code sent to your phone (by tricking you into revealing it, or using technology to intercept the text). The entire balance of a debit or credit card can be siphoned.

Banks have become the enablers of fraud by persisting in the use of text-based codes.

Many questions surround the Ashburton case of Sandra and Brian Quinn, who are being held liable by ANZ for losses.

1. What happened to the code? Codes can be intercepted. Banks appear to be in denial that fraud has gone beyond tricking a customer into revealing a code. SIM-jacking, SIM-cloning and malware are methods a criminal can use to take over your phone and divert the text.

2. Why do banks use text to deliver a code? The security industry has been united in telling banks text is an insecure choice. It’s widely regarded as a commercial decision. It saves the cost of the call centre completing the set-up of Google Pay and Apple Pay, or designing in-app verification. It’s easy and instant, so more people sign up.

3. How did the criminal get away with taking $12,985 using a phone? This isn’t Paywave, with a limit. Once Google Pay is set up, a card no longer needs its PIN. Banks rely on the security of the phone. A criminal’s own face, finger or phone PIN opens their device and allows a transaction of any size. The code ANZ sent is a high-risk moment in time. It approves the device itself and, if intercepted, puts the full account balance or credit card limit at risk.

4. What did the criminals buy at Australia Post? ANZ say they don’t know and haven’t investigated. I think the answer is obvious, and it wasn’t stamps. Criminals usually target gift cards. Australia Post has a Mastercard product with a maximum limit of $500. The transactions look to be a currency conversion of A$500.

5. Why didn’t ANZ’s security system pick up abnormal, fast spending in another country? There was no evidence the Quinns were in Melbourne. Not a single beer purchased on Lygon Street. Instead, genuine transactions in New Zealand continued. The location mismatch went entirely unnoticed. If ANZ’s security isn’t connected to Google Pay or Apple Pay transactions, it’s another goldmine for criminals. We need reassurance from all banks on this.

6. Can I block Google Pay or Apple Pay from being loaded? To my knowledge, no. If your bank has your mobile number, anyone can be targeted. That’s why it’s crucial to ring your bank immediately if you get a code you didn’t trigger yourself. But if your phone isn’t an extension of your arm, you probably won’t be quick enough. Blocking should be an option.

7. Shouldn’t Visa’s Zero Liability Policy cover this fraud? Visa won’t pay, because the correct code was used to set up Google Pay. The transactions are considered authorised.

Delivering the code via text is a security risk ANZ decided to take. Neither Visa nor the banks clearly explain that losses arising from code theft will be pinned on customers.

8. Why would a bank allow Google Pay to be authorised when a customer uses Apple Pay? It’s possible to have multiple devices and link them to the same debit or credit card. They can be Apple or Android. It would be good practice, in terms of fraud detection, to double-check when a conflicting device is loaded, or when the request arises offshore. ANZ knew this was a Motorola phone in Australia and should review its practices.
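As an added illustration (not code from the column, ANZ or either wallet provider), here is how the two checks raised in questions 5 and 8 could be expressed: a risk review when a new wallet token is requested, and a location-mismatch check across transactions. The card, transactions, thresholds and flag names are all constructed for the example.

```python
# Added example: provisioning risk review (Q8) and location-mismatch check (Q5).
# All data, names and thresholds here are assumptions made for illustration.
from dataclasses import dataclass


@dataclass
class Card:
    last4: str
    home_country: str   # country the card was issued in
    wallets: list       # existing tokens as (platform, country) pairs


def assess_provisioning(card, platform, device_country, channel="sms"):
    """Return risk flags for a new Google Pay / Apple Pay token request.

    The column's point: an SMS code on its own approves the device, so any
    anomaly should trigger a stronger check (call centre or in-app) first.
    """
    flags = []
    if device_country != card.home_country:
        flags.append("offshore_request")
    existing = {p for p, _ in card.wallets}
    if existing and platform not in existing:
        flags.append("platform_conflict")   # e.g. Android when only Apple Pay is loaded
    if channel == "sms" and flags:
        flags.append("step_up_required")    # do not rely on the text code alone
    return flags


def location_conflicts(txns, home_country, window_minutes=60):
    """Indices of foreign transactions that overlap in time with spending in
    another country: the same card cannot be in two places at once."""
    suspicious = []
    for i, (t, country, _amount) in enumerate(txns):
        if country == home_country:
            continue
        for j, (t2, c2, _a2) in enumerate(txns):
            if j != i and c2 != country and abs(t - t2) <= window_minutes:
                suspicious.append(i)
                break
    return suspicious


def demo():
    card = Card("1234", "NZ", [("apple", "NZ")])
    flags = assess_provisioning(card, "google", "AU")
    # constructed ledger: (minutes since midnight, country, amount)
    txns = [(600, "NZ", 4.50), (620, "AU", 500.0), (635, "AU", 500.0), (650, "NZ", 12.0)]
    return flags, location_conflicts(txns, card.home_country)


if __name__ == "__main__":
    print(demo())
```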

9. Why doesn’t ANZ send the phone for a forensic check? It would be wise to. ANZ is careful when it says it “believes” Sandra Quinn gave the code to a fraudster. Given what’s at stake for the Quinns, they deserve to have all possibilities investigated, rather than being slapped with the most common allegation of phishing.

10. Why do banks offer partial settlements with non-disclosure clauses? There is the pretence they don’t want to reveal security issues to criminals. But every part of the Quinns’ case is already known to the criminal world. ANZ would have a tough time enforcing confidentiality.

How can Google Pay and Apple Pay fraud be solved? Simple: stop sending Google Pay and Apple Pay set-up codes via text.

The function could move in-app or into the bank’s call centre. If banks wish to continue using text, it would be fair for them to take the liability. Criminals do not target people; they target the holes in our banks’ security choices.

Readers should always seek specific independent financial advice appropriate to their own circumstances.
