Popular apps like Venmo, Zelle, and Cash App aren’t doing enough to protect consumers from fraud that occurs when unauthorized users gain access to unlocked devices, Manhattan District Attorney Alvin Bragg warned.
“Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps,” Bragg said in letters to app makers. “Without additional protections, customers’ financial and physical safety is being put at risk.”
According to Bragg, his office and the New York Police Department have been increasingly prosecuting crimes where phones are commandeered by bad actors to quickly steal large amounts of money through financial apps.
This can happen to unwitting victims when fraudsters ask “to use an individual’s smartphone for personal use” or to transfer funds to initiate a donation for a specific cause. Or “in the most disturbing cases,” Bragg said, “offenders have violently assaulted or drugged victims, and either compelled them to provide a password for a device or used biometric ID to open the victim’s phone before transferring money once the individual is incapacitated.”
But prosecuting crimes alone won’t solve this problem, Bragg suggested. Prevention is necessary. That’s why the DA is requesting meetings with executives managing widely used financial apps to discuss “commonsense” security measures that Bragg said can be taken to “combat this growing concern.”
Bragg appears particularly interested in Apple’s recently developed “Stolen Device Protection,” which he said is “making it harder for perpetrators to use a phone’s passcode to steal funds when the user’s phone is not at home or at work.”
Apple just rolled out “Stolen Device Protection” for iOS 17.3. On its website, Apple explained that when “Stolen Device Protection” is enabled, “some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work.”
For users who turn on this enhanced security layer, biometric authentication (Face ID or Touch ID) is required for sensitive actions, with no option to fall back to the passcode. That alone could deter the crimes Bragg described, since a thief who has only watched or extracted the passcode can no longer rifle through the owner’s stored passwords to get instant access to a cash app. “Stolen Device Protection” also adds a security delay that could stop thieves from immediately changing the Apple ID password or device passcode and locking the owner out. In this mode, such a change requires a one-hour wait—perhaps enough time for the owner to report the phone stolen or missing—followed by a second Face ID or Touch ID authentication. The biometric requirement does not help in the coercion cases Bragg described, where an offender unlocks the phone with an incapacitated victim’s face or fingerprint; there, the hold-and-verify delay is the protection that matters.
Bragg wants financial apps like Zelle or Venmo to follow Apple’s lead and build similar safeguards. He suggested that Apple’s release shows the technology exists for apps to detect when a user is attempting to send a large transaction from an unknown location and to block or delay that transaction for up to a day unless the user passes secondary verification. This could give victims time to discover and cancel fraudulent transfers before they go through, rather than after the theft, when it is usually much harder to claw back funds.
This problem goes well beyond Manhattan, Bragg wrote, pointing to “similar thefts and robberies” that have been “publicly reported” in major cities like Los Angeles and Orlando, as well as in West Virginia, Louisiana, Illinois, Kansas, Tennessee, Virginia, and “elsewhere across the United States.”
Overall, the DA traced a pattern showing that the more people were using financial apps, the more fraud claims spiked, “tripling between 2020 and 2022” and “costing consumers hundreds of millions of dollars each year.”
“While cash apps, like Cash App, offer consumers an easy and fast method to transfer funds, they also have made these platforms a favorite of fraudsters because consumers have no option to cancel transactions, even moments after authorizing them,” Bragg wrote to Cash App CEO Brian Grassadonia. “I am concerned about the troubling rise in illegal behavior that has developed because of insufficient security measures connected with your software and business policy decisions.”
While building tech like Apple’s “Stolen Device Protection” is the most ambitious step Bragg recommended, he also pushed “commonsense solutions” that he claimed financial apps currently overlook. These include requiring multifactor authentication to help keep thieves locked out and lowering limits on daily transfers to make the scam less appealing to thieves looking for a big payday.
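To make concrete what the location-aware hold described above and the daily-limit and step-up measures in Bragg’s list would look like inside a payment app, here is an added illustration. It is not code from Apple, from Bragg’s letters, or from Zelle, Venmo, or Cash App; every threshold, radius, location, and the simple boolean standing in for a second factor is an assumption chosen for the example. The policy holds any transfer at or above a large-transfer threshold that originates away from the account’s learned “familiar” locations, lets the owner cancel it during the hold, lets a legitimate user release it early with a second factor, and counts held transfers against a rolling daily cap so that queuing several holds cannot bypass the cap.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Policy knobs. These values are assumptions for the example, not anything a real app publishes.
FAMILIAR_RADIUS_KM = 1.0            # within 1 km of a learned location counts as "familiar"
LARGE_TRANSFER_USD = 500.00         # at or above this, unfamiliar-location transfers are held
DAILY_CAP_USD = 2_500.00            # cap on sent plus pending transfers per rolling 24 h
HOLD_PERIOD = timedelta(hours=24)   # how long a held transfer waits before it is released

# Constructed sample data: a learned home location and a point roughly 5 km away.
HOME = (40.7831, -73.9712)
AWAY = (40.7400, -73.9900)
T0 = datetime(2024, 2, 1, 1, 30)    # constructed timestamp for the scenario


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass
class Transfer:
    amount: float
    location: tuple
    requested_at: datetime
    status: str                      # "sent", "held", "cancelled", or "rejected"
    reason: str = ""
    release_at: Optional[datetime] = None


@dataclass
class Account:
    # Locations learned from earlier sessions the user fully authenticated from (home, work).
    # A real app would build this list over time; here it is constructed up front.
    familiar_locations: list
    history: list = field(default_factory=list)

    def is_familiar(self, location):
        return any(haversine_km(location, f) <= FAMILIAR_RADIUS_KM for f in self.familiar_locations)

    def committed_last_24h(self, now):
        """Sent plus still-pending amounts in the last 24 h. Held transfers count too, so a
        thief cannot get around the cap by queueing several holds."""
        since = now - timedelta(hours=24)
        return sum(t.amount for t in self.history
                   if t.status in ("sent", "held") and t.requested_at >= since)

    def request_transfer(self, amount, location, now, step_up_verified=False):
        if amount <= 0:
            t = Transfer(amount, location, now, "rejected", "invalid amount")
        elif self.committed_last_24h(now) + amount > DAILY_CAP_USD:
            t = Transfer(amount, location, now, "rejected", "daily cap exceeded")
        elif (amount >= LARGE_TRANSFER_USD and not self.is_familiar(location)
              and not step_up_verified):
            # Large transfer from an unfamiliar place: hold it so the owner has time to cancel.
            t = Transfer(amount, location, now, "held", "large transfer from unfamiliar location",
                         release_at=now + HOLD_PERIOD)
        else:
            t = Transfer(amount, location, now, "sent")
        self.history.append(t)
        return t

    def cancel(self, transfer, now):
        """The owner (or support, after a theft report) cancels a held transfer before release."""
        if transfer.status == "held" and now < transfer.release_at:
            transfer.status = "cancelled"
            return True
        return False

    def release_with_step_up(self, transfer, second_factor_ok):
        """A legitimate user clears the hold early with an out-of-band second factor.
        The factor is modelled as a boolean; the real check is whatever MFA the app uses."""
        if transfer.status == "held" and second_factor_ok:
            transfer.status = "sent"
            return True
        return False

    def release_due(self, now):
        """Scheduler hook: held transfers whose hold has expired are sent."""
        released = [t for t in self.history if t.status == "held" and now >= t.release_at]
        for t in released:
            t.status = "sent"
        return released


def demo():
    """Scenario: a small transfer at home goes through; a large one from across town is held,
    and the owner cancels it six hours later after reporting the phone stolen."""
    acct = Account(familiar_locations=[HOME])
    coffee = acct.request_transfer(25.00, HOME, T0)
    drained = acct.request_transfer(2_000.00, AWAY, T0)
    acct.cancel(drained, T0 + timedelta(hours=6))
    return acct, coffee, drained


if __name__ == "__main__":
    _, coffee, drained = demo()
    print(coffee.status, drained.status, drained.reason)
```

The location signal here is deliberately coarse (a learned radius, not GPS precision) and is only one input: a thief standing in the victim’s living room, or one who has coerced the victim’s biometric, defeats the familiarity check, which is why the hold is paired with a cap and a second factor rather than used alone. Production systems would also persist the familiar-location list server-side so that wiping or resetting the handset does not reset it.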