2021-02-22

According to Fiva, criminals also seek to take advantage of people’s carelessness in accepting confirmation messages.

Finnish Financial Supervisory Authority (Fiva) Office Manager Markku Koponen says that people should be very vigilant when banking and payment transactions are confirmed on mobile devices.

Current banking and payment applications often use a confirmation message, sent to another of the user’s devices, to accept payments and transactions.

However, there is a vulnerability associated with this. HS reported on Friday a case where a Nordea customer ended up in a stranger’s mobile bank. When Nordea looked into the matter, it turned out that two human errors were behind it.

The customer had typed his username slightly wrong, so that it matched the stranger’s username.

The system sent a login confirmation message to the stranger, who inadvertently accepted it because he was himself handling banking matters at the same time. As a result, all of the stranger’s account, card and billing information was visible to the other customer.

However, it would not have been possible to make a transfer without a further confirmation message.

“When these confirmations are made, you must be very careful about what is being confirmed. If it is a payment, you should look at the amount and where the payment is going,” says Koponen.

According to Koponen, criminals who first phish people’s bank IDs, for example by e-mail, try in the same way to get people to accept the confirmation messages generated for account transfers.

Nordea said on Friday that it would report to Fiva and that the bank is investigating how to prevent a recurrence.

“Friday’s situation would seem to have been a very unlikely but possible event. That does not change the fact that this should not happen. Banks are required to report cases to us. They need to investigate the matter and report on what caused the incident and how it can be prevented from happening again,” says Koponen.

Banks’ authentication systems have a wide range of safeguards, so criminals should not get very far by, for example, trying a number of different usernames in banks’ mobile apps.

According to Koponen, systems typically lock themselves if someone tries to log in repeatedly with the wrong credentials. Larger payments often need to be confirmed with stronger, tiered authentication than small payments.

“I don’t remember the same thing ever having happened before. There was one case where a disruption in online banking resulted in a person being able to see another person’s account information,” he says.

Who is responsible if, for example, criminals receive money in a transfer that the customer has himself accepted?

According to Koponen, liability issues are resolved on a case-by-case basis under the Payment Services Act, depending on whether the customer is considered to have acted negligently.

“But of course it’s very human when a person does many things at once that such mistakes can happen.”