
Security Lapses at The Kingdom Bank Raise Alarm After €93,000 Crypto Theft

The Kingdom Bank is facing serious scrutiny following a major security breach that allowed an unauthorized party to bypass two-factor authentication (2FA) and withdraw over EUR 93,000 in cryptocurrency from a client account.

The affected party, a regulated trading firm, reports that despite Google Authenticator being enabled on their Kingdom Bank account, critical actions such as password resets, user role changes, and cryptocurrency transfers were carried out without any 2FA verification prompts.

The breach reportedly began when a third party compromised the email account associated with the firm’s Kingdom Bank login. Using this access, the intruder reset the password, logged in, added a new user with administrator privileges, and initiated irreversible crypto transfers—all without requiring a Google Authenticator code.

“It was shocking to discover that Kingdom Bank’s advertised 2FA was not enforced for high-risk actions like credential changes or fund withdrawals,” said a representative from the trading firm. “This allowed full account takeover without the security protections we believed were in place.”

Delayed Response and Denial of Responsibility

The firm states that the breach was reported immediately via Kingdom Bank’s live chat system late Wednesday evening. Despite providing documentation and urgent follow-ups through multiple emails, no substantive action was taken until Friday evening, when the bank’s legal department issued a formal response.

The letter from The Kingdom Bank denied any responsibility, citing the external email compromise and the fact that the breach occurred outside normal business hours. The letter concluded:

“Kindly be advised that this constitutes our final decision in this matter. It has been reached after due consideration, and no further claims, appeals, or correspondence will be entertained.”

Investigation Reveals Security Oversight

In the aftermath, the client conducted its own investigation, confirming that even after the breach, actions such as changing the login email or adding a new user still did not require 2FA codes. These findings raise significant concerns about The Kingdom Bank’s authentication architecture.

Although The Kingdom Bank advertises enhanced security features, the firm warns that marketing claims do not match actual enforcement, leaving users exposed to irreversible losses—particularly in blockchain-based transactions where no reversals are possible.

Call for Transparency and Reform

The incident underscores the importance of full-spectrum 2FA enforcement for all sensitive account functions, including:

  • Password and credential resets
  • Adding or modifying users
  • Transferring crypto or fiat funds
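As an added illustration, not code from The Kingdom Bank or the affected firm: a minimal server-side step-up check in Python that refuses the actions listed above unless the session holds a recent authenticator-code verification, no matter how the session was obtained (password login or an email reset link). The action names, the five-minute window and the Session class are assumptions made for this example.

```python
import hashlib, hmac, struct

# Hypothetical action names for the sensitive functions listed above.
SENSITIVE = {"reset_password", "change_login_email", "add_user",
             "change_user_role", "transfer_funds"}
MAX_AGE = 300  # assumed policy: a verified code covers sensitive actions for 5 minutes

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator implements."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Session:
    """Server-side session state. The login path (password, email reset link)
    never counts as a second factor; only verify_code() sets verified_at."""
    def __init__(self, user, totp_secret):
        self.user, self.totp_secret = user, totp_secret
        self.verified_at = None

    def verify_code(self, code, now):
        if self.totp_secret is None:
            return False  # no enrolled authenticator: nothing to verify against
        # Accept the current time step and one step either side for clock drift.
        ok = any(hmac.compare_digest(totp(self.totp_secret, now + d * 30), code)
                 for d in (-1, 0, 1))
        if ok:
            self.verified_at = now
        return ok

def authorize(session, action, now):
    """Return 'allow', or 'step_up_required' when a fresh code must be entered."""
    if action not in SENSITIVE:
        return "allow"
    fresh = session.verified_at is not None and now - session.verified_at <= MAX_AGE
    return "allow" if fresh else "step_up_required"
```

The gate denies by default: a session with no verified code, including one created straight after an email-based password reset, cannot add users or move funds until verify_code() succeeds.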

The trading firm is now urging other Kingdom Bank clients and digital finance users to review their platform’s security implementation, especially for accounts involving cryptocurrency. They recommend selecting providers operating in regulated jurisdictions (e.g., EU, UK, or USA), where customer protections are clearly defined.

“This was not just a technical breach—it was a failure of basic security design and response protocol,” the firm emphasized. “Financial institutions must ensure their systems align with what they advertise.”

About The Kingdom Bank Breach

The Kingdom Bank has not issued any public statement acknowledging a flaw in its security systems. The client affected by the breach continues to advocate for tighter industry standards and greater accountability from digital banking and crypto service providers.
