Which? warns flawed banking security features may be putting consumers at risk of digital wallet fraud
The use of easily-compromised one time passcodes (OTPs) by some banks may be leaving consumers at increased risk of digital wallet fraud on apps including Apple Pay and Google Wallet, Which? has found.
Unlike contactless cards, there is no £100 spending cap on cards added to digital wallets, making them an attractive target for fraudsters, who can carry out the crime remotely and quickly drain their victim's account once they have hijacked it.

There have been warnings about how OTPs can be exploited for years. In February, Cifas joined with UK Finance and the Cyber Defence Alliance to sound the alarm about the link between OTP use and digital wallet fraud. Which? has also penalised banks for using SMS to deliver sensitive data in its banking security tests.

Despite these repeated warnings, when Which? surveyed 15 banks and card providers about their digital wallet setup process between April and May this year, it found the majority still use SMS OTPs as one of the options for adding cards to a digital wallet. Of the 14 providers that allow cards to be added to wallets (Capital One is the exception), just two banks confirmed they do not use OTPs, while a third appeared not to when Which? researchers tested the process.

Barclays, Co-op, HSBC (with its sister banks First Direct and M&S Bank), Santander and Virgin Money said they currently use SMS OTPs, though these were usually not the only verification option. Starling said it still uses OTPs for setting up Apple Pay alongside other options, but removed them from Google Pay in 2022. TSB said it is working to set up in-app verification, but is using OTPs in the interim. Three providers - American Express, Lloyds Banking Group and NewDay (which operates the John Lewis Partnership Credit Card) - did not outline exactly which verification methods they use.
Which? was able to test the setup processes for cards issued by
Halifax (part of Lloyds Banking Group) and American Express
(Amex). Amex did use SMS and email OTPs; Halifax did not, instead
offering several more robust methods including in-app
approval.
For extra security, providers can also limit how many wallets a card can be added to overall, or within a certain time period. However, when Which? surveyed them on this, most said they do not implement these restrictions.

Which? believes that in many cases card providers are missing opportunities to strengthen security and move away from outmoded forms of security like OTPs - but the survey did throw up examples of innovation that could well add an extra line of defence for consumers. Chase, for example, said that every time a card is added to a digital wallet via any method other than in-app verification, customers receive an app notification so they can confirm the request is genuine, and other banks flagged that they send email or letter notifications. Which? believes that in-app notifications should be more widely rolled out across the industry.
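The three controls described above (a cap on the number of wallets a card can be added to, a cap on additions within a time window, and a customer notification whenever a card is added by any method other than in-app approval) can be combined into a single provisioning policy check. The following Python is an added illustration, not code from Which? or from any of the banks named; the thresholds, event fields and sample provisioning records are all constructed for the example, and the risk decision here is deliberately limited to those three rules.

```python
"""Illustrative card-provisioning policy check (added example, not Which?'s
or any issuer's code). Combines three controls the article describes:
a cap on distinct wallets per card, a cap on additions within a rolling
window, and a customer notification for any non-in-app verification.
Thresholds, fields and sample data are constructed for the example."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Method(Enum):
    IN_APP = "in_app"        # approval inside the issuer's own app
    SMS_OTP = "sms_otp"      # one-time passcode sent by text message
    EMAIL_OTP = "email_otp"  # one-time passcode sent by e-mail


@dataclass(frozen=True)
class Provisioning:
    """One attempt to add a card to a digital wallet (constructed record)."""
    card_id: str
    wallet_device_id: str    # identifier of the wallet instance, assumed field
    method: Method
    at: datetime


@dataclass
class Policy:
    max_wallets_total: int = 3                # assumed cap on distinct wallets per card
    max_adds_in_window: int = 2               # assumed cap on additions per window
    window: timedelta = timedelta(hours=24)   # assumed rolling window


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    notify_customer: bool = False


def evaluate(history: list[Provisioning], attempt: Provisioning, policy: Policy) -> Decision:
    """Decide whether `attempt` is accepted given the card's earlier successful
    provisionings in `history`, and whether the customer must be notified."""
    prior = [p for p in history if p.card_id == attempt.card_id]
    reasons: list[str] = []

    # Control 1: overall cap on how many distinct wallets hold this card.
    # Re-adding to a wallet that already holds the card does not count.
    wallets = {p.wallet_device_id for p in prior}
    if attempt.wallet_device_id not in wallets and len(wallets) >= policy.max_wallets_total:
        reasons.append(f"card already in {len(wallets)} wallets (max {policy.max_wallets_total})")

    # Control 2: velocity cap over a rolling window ending at the attempt time.
    window_start = attempt.at - policy.window
    recent = [p for p in prior if window_start < p.at <= attempt.at]
    if len(recent) >= policy.max_adds_in_window:
        reasons.append(f"{len(recent)} additions in last {policy.window} (max {policy.max_adds_in_window})")

    allowed = not reasons
    # Control 3: anything other than in-app approval triggers a notification so
    # the customer can challenge a provisioning they did not request.
    notify = allowed and attempt.method is not Method.IN_APP
    return Decision(allowed=allowed, reasons=reasons, notify_customer=notify)


# Constructed sample history: one card already in two wallets within an hour.
T0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [
    Provisioning("card-A", "phone-1", Method.IN_APP, T0),
    Provisioning("card-A", "watch-1", Method.SMS_OTP, T0 + timedelta(hours=1)),
]


def demo() -> list[Decision]:
    """Run three constructed attempts through the default policy."""
    policy = Policy()
    attempts = [
        # A third wallet one hour later: two adds already in the window, so blocked.
        Provisioning("card-A", "phone-2", Method.SMS_OTP, T0 + timedelta(hours=2)),
        # Same wallet a day later, outside the window: allowed, but the customer is notified.
        Provisioning("card-A", "phone-2", Method.SMS_OTP, T0 + timedelta(hours=30)),
        # In-app approval on a card with no history: allowed, no notification needed.
        Provisioning("card-B", "phone-9", Method.IN_APP, T0),
    ]
    return [evaluate(SAMPLE_HISTORY, a, policy) for a in attempts]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The velocity check uses a window anchored at the attempt's own timestamp rather than the wall clock, so the same function can be replayed over historical records when tuning thresholds or investigating a reported fraud.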
Meanwhile, Starling told Which? its customers have the ability to freeze all their Starling-issued cards in mobile wallets using its app, and customers can also create virtual cards in just a few taps when they are unsure if a payee can be trusted. These virtual cards can then be deleted after a single use, ensuring a fraudster can't make any further use of the credentials.

“In the meantime, we'd caution shoppers to always think twice before sharing their payment details - or OTPs - online. If you think you've been a victim of a scam, contact Action Fraud and your bank immediately.”

-ENDS-

Notes to editors:
Rights of reply:

Apple told Which? it is not responsible for approving or rejecting the addition of a card to Apple Pay, or for approving or rejecting transactions. It said that it takes users' security seriously and Apple Pay has been designed in a way to protect users' personal information.

An American Express spokesperson said: “Privacy and security are a priority for American Express. We have controls designed to protect customer accounts and guard against unauthorised fraudulent activity, and if we identify activity that may be fraud, we will take protective actions.”

Barclays told Which? that the verification method used for adding a card to a digital wallet will depend on the user journey. It said it does not currently have plans to phase out use of OTPs.

Capital One told Which? it does not allow cards to be added to digital wallets.

Co-op Bank told Which? it monitors for fraudulent registrations through its fraud detection systems and has multiple strategies in place to detect digital wallet fraud. It does not currently have plans to phase out use of OTPs.
A Google spokesperson said: “Security is core to the Google Wallet experience and we work closely with card issuers to prevent fraud. For example, banks notify customers when their card has been added to a new digital wallet, and we provide signals to help issuers detect fraudulent behaviour so they can decide whether to approve added cards.”

Lloyds told Which? it has invested millions of pounds in multi-layered fraud defences, and continues to regularly review its authentication methods.

Nationwide told Which? that it has multiple layers of protection in place to keep its customers safe from fraud, including warning messaging, AI models and sophisticated internal analytics. It is currently exploring alternatives to OTPs.

NatWest told Which? it regularly reviews its customer experience and authentication to ensure security, and said it is reviewing how it uses OTPs.

NewDay declined to comment.

Santander told Which? that it is looking at other forms of authentication, and other security measures, which may be less visible to a user than the mechanism used for two-factor authentication.

Starling told Which? that it currently only uses OTPs for Apple Pay, and removed this option from Android phones in 2022.

TSB told Which? that it is working closely with card and wallet providers to implement approval via the TSB Mobile App. In the interim, OTP verification is accompanied by the necessary risk verification, alongside fraud controls to keep customer details safe.

A UK Finance spokesperson said: “We have seen an increase in criminals using social engineering tactics to trick people into divulging their one-time passcodes, which are then used to authorise fraudulent online card transactions. The banking industry is alive to these risks and works harder than any other sector to prevent fraud. Customers are reimbursed in almost all cases of unauthorised fraud and in 2024 alone, £1.45 billion of unauthorised fraud was stopped by the industry.

“We encourage customers to be alert to potential threats of fraud, be cautious of sharing personal and financial information and avoid sharing OTPs with requests out of the blue. If consumers think they've been scammed, it's important to contact their bank immediately and report it to Action Fraud.”

Virgin Money told Which? that its fraud team has heightened monitoring and controls around digital wallet fraud. It also said that it is looking at in-app verification as an option but has no current plans to phase out use of OTPs.