Some of the biggest banks are guilty of putting customers at an increased risk of fraud, Which? research has found. Basic security flaws appear to exist on some of the biggest banking websites and apps.
Which? tested customer-facing security systems of 13 current account providers from September to November 2022. The research was also supported by independent security experts at Red Maple Technologies. Banks were scored across four key categories: login, navigation and logout, account management and encryption. All banks were scored separately for their online banking security and app security.
Virgin Money received the lowest total scores for both online (52 per cent) and app (54 per cent) banking. Meanwhile, the Which? research saw Starling Bank emerge with the top score for online banking security (82 per cent).
Banking websites and apps were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, and failing to log customers out after five minutes of inactivity.
Points were also lost for allowing access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyber attack.
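The two session-management criteria above, as an added example that is not Which?'s or any bank's code: sessions end after five minutes of inactivity, and a second live session for the same account from a different IP address or browser is flagged rather than silently accepted. Class and method names, and the sample IP addresses and user agents in the comments, are assumptions.

```python
"""Session-management checks matching the Which? scoring criteria described above:
an idle session ends after five minutes, and simultaneous access to one account
from different browsers or IP addresses is flagged rather than silently allowed."""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 5 * 60  # five minutes of inactivity logs the customer out


@dataclass
class Session:
    session_id: str
    client_ip: str
    user_agent: str
    last_seen: float  # unix timestamp of the most recent request


class SessionStore:
    def __init__(self) -> None:
        self._by_user: dict[str, dict[str, Session]] = {}

    def _live(self, user_id: str, now: float) -> dict[str, Session]:
        """Drop any of the user's sessions that have been idle too long."""
        live = self._by_user.setdefault(user_id, {})
        for sid in [s for s, sess in live.items()
                    if now - sess.last_seen > IDLE_TIMEOUT_SECONDS]:
            del live[sid]
        return live

    def login(self, user_id, session_id, client_ip, user_agent, now) -> list[str]:
        """Register a new session; return alerts for concurrent sessions that
        come from a different IP address or browser (user agent)."""
        live = self._live(user_id, now)
        alerts = [
            f"concurrent session {s.session_id} from {s.client_ip} ({s.user_agent})"
            for s in live.values()
            if s.client_ip != client_ip or s.user_agent != user_agent
        ]
        live[session_id] = Session(session_id, client_ip, user_agent, now)
        return alerts

    def request(self, user_id, session_id, now) -> bool:
        """Refresh the session on activity; False means it has expired (or
        never existed) and the customer must log in again."""
        sess = self._live(user_id, now).get(session_id)
        if sess is None:
            return False
        sess.last_seen = now
        return True
```

In a real deployment the alert would feed a fraud-monitoring queue or trigger a step-up check; here it is returned to the caller so the behaviour can be observed directly.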
Sending customers notifications that included a phone number or web link also saw points deducted. This practice makes it easier for scammers to imitate genuine emails and texts and trick users into handing over personal information.
Virgin Money found lacking in security
Virgin Money’s poorest scores for online banking were in the navigation and logout and account management categories, where it gained only two stars out of five for each. It also scored just two stars for the encryption on its app.
Red Maple Technologies found six outdated Virgin Money web applications containing potential vulnerabilities. The bank noted minor vulnerabilities on three and said these will be corrected.
Virgin Money also did not adequately block insecure passwords or remove phone numbers from notifications. The bank also did not apply security checks when paying someone new, changing email addresses or editing payee details.
Which? also found issues with website session management, though the bank said it plans to improve this in early 2023, following Which?’s tests.
TSB another offender
TSB saw similar concerns regarding security. The bank scored 57 per cent for its app and 66 per cent for online banking.
Basic security questions such as ‘name your favourite food’ were still found to be used to recover login details. TSB also failed to block insecure passwords and requires passwords of only six characters. Which? suggested that all banks should encourage much longer passwords.
Red Maple Technologies found a potentially vulnerable subdomain, which TSB said will be removed in 2023, and two outdated web applications.
TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications. TSB said it is reviewing alerts and password complexity as part of its digital strategy. The bank told Which? that it has now removed phone numbers from all SMS alerts but one. The remaining alert is due to be removed in February.
Sam Richardson, deputy editor at Which? Money, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.
“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”
Starling Bank and HSBC performed well
Starling Bank’s online banking security received the highest score, while its app came close with 80 per cent. The challenger bank scored five stars in almost every category.
Which? research on online banking security carried out last year saw HSBC receive the highest score. The UK bank had similar success in the most recent report, scoring 80 per cent for online banking. HSBC also received the highest banking app score with 82 per cent.
‘As threats evolve, security processes need to develop too’
Fergal Parkinson, director of mobile identity company TMT Analysis, discussed the findings: “Many banks and other financial institutions remain susceptible to practices such as ‘SIM swapping’. This is an increasingly common technique adopted by fraudsters where they intercept authentication text messages. Banks should not be relying just on basic two-factor authentication, sending passwords to a device in order to log in, to keep customer details secure. Ensuring that devices are linked to a specific person is a much more secure approach which dramatically reduces risk to both customers and retailers.
“Of course, banks will have stringent anti-fraud measures in place but as threats evolve, security processes need to develop too. A highly effective approach is integrating mobile number verification technology, which more accurately verifies user identities through their mobile account details. It is a cost-effective and simple step that simultaneously fights fraud, protects consumers and helps meet regulatory standards.
“This approach allows banks to boost consumer protection by performing enhanced KYC checks during the onboarding or sign-up process by analysing the mobile number and ensuring it matches with the personal information provided by a customer. It also clarifies whether the device itself has been used previously. Other security approaches can perform ongoing checks in the background too so banks know that devices haven’t been compromised and avoid the need for easily intercepted one-time passwords (OTP) which significantly reduces the risk of fraud.”