
TSB, Co-operative Bank and Lloyds Should ‘Urgently Address’ Security Concerns, Suggests Which?

As mobile banking apps continue to accrue a seemingly ever-growing user base, criminals may sense an opportunity to access people’s finances by exploiting weaknesses in some banks’ security, consumer champions Which? has found.

In its latest bank security investigation, researchers tested banking website and app security across four key criteria – login procedures, security best practice, account management, and navigation and logout – which were combined to give a total score. The results revealed a variety of concerns. Researchers were not able to test banks’ back-end security systems.

Banking trade body UK Finance recently revealed that losses from mobile banking fraud ‘increased by 17 per cent to £18.7 million in the first six months of 2023’ – the biggest recorded increase since it began collecting data on this fraud type in 2015.

While Which? found that all firms use multilayered security to reduce the likelihood of major security breaches, it believes some banks are falling short of the high standards that customers should expect.

TSB scored 54 per cent for mobile app security and 67 per cent for online security – the lowest and second-lowest scores, respectively. The firm was the only one to score just two stars for online account management, and just two stars for security best practice for its app.

The most serious problem the security best practice tests discovered was a ‘medium-risk’ issue on the TSB app. Which? believes it improperly handles sensitive data, meaning it can be read by other apps running on the phone. The app stores users’ credentials in a way which makes it easier for other apps to access them.

TSB told Which? that the matter was under review and a fix would be ‘considered in the future’.

The bank also sent a phone number in an SMS alert, which could be replicated by scammers. TSB explained it has removed phone numbers from the vast majority of SMS alerts, and this alert is the final one in its plan to update them to remove the numbers.

Security let-downs

Which? also uncovered problems with The Co-operative Bank’s security measures. The bank came bottom of the online security table, with a score of just 61 per cent, and received three stars for both account management and navigation.

Regarding mobile app security, The Co-operative Bank emerged second-last, with a score of 57 per cent. The firm was the only bank to fail to require a two-factor authentication login on a test laptop. The bank also fails to block customers from setting weak passwords.

Researchers were able to log in from two different IP addresses at the same time without the older session being terminated and, as with TSB, phone numbers still appeared in alerts and security codes were still sent via SMS. The bank said that messages for high-risk changes to your account, such as a resetting of login details, were being reviewed, along with its ‘authentication strategy to move to app authentication and reduce the reliance on SMS’.

Lloyds was the only bank that failed to log out website users after five minutes of inactivity, despite this being a regulatory requirement. The bank told Which? that this makes things easier for vulnerable customers.
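The two session-handling findings above (an older session surviving a new login from a different IP address, and no logout after five minutes of inactivity) are straightforward to enforce server-side. The following is an added illustration, not code from Which? or any of the banks named; the session store, its method names and the sample IP addresses are assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# The five-minute inactivity limit the article describes as a regulatory requirement.
IDLE_TIMEOUT_SECONDS = 300


@dataclass
class Session:
    user: str
    ip: str
    last_seen: float  # seconds; the caller supplies a clock so the logic is testable


@dataclass
class SessionStore:
    """Constructed example store: one live session per user, idle-expired on access."""
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, ip: str, now: float):
        """Issue a new session and terminate any older session for the same user.

        Returns (token, number_of_older_sessions_terminated) so a caller can
        alert the customer when a previous session was cut off.
        """
        older = [t for t, s in self.sessions.items() if s.user == user]
        for t in older:
            del self.sessions[t]  # the older session must not survive the new login
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, ip, now)
        return token, len(older)

    def touch(self, token: str, now: float) -> bool:
        """Validate a request's session; returns False if unknown or idle too long."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]  # idle timeout: force logout
            return False
        s.last_seen = now  # activity resets the inactivity clock
        return True
```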

Sam Richardson, deputy editor of Which? Money, commented: “While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.

“With fraudsters still relentless in their pursuit of our money and a General Election looming, the next government must make fighting fraud a national priority, with a Fraud Minister installed to work across multiple government departments.”

Not all doom and gloom

At the top of the pile for online security were Starling and NatWest/RBS, with both posting an impressive total score of 87 per cent. While both firms scored four stars for login security online, they both posted a full five stars for security best practices, account management and navigation.

The best-performing bank for mobile app security was HSBC, with a total score of 78 per cent. HSBC posted solid scores for both its app and website, and unlike many of its high street rivals, it does not rely on SMS for login, and researchers found no issues with logout or navigation.

While Barclays finished second in the mobile app rankings, with a highly respectable total score of 74 per cent, it has still not fixed the website account management issues Which? identified last year, such as letting users access accounts from multiple browsers, IP addresses or devices at the same time – activity that could indicate an attack by cybercriminals. This is despite the bank claiming these would be addressed in early 2023.

Recognising that the next general election is fast approaching, the consumer champion is calling on the next government to appoint a dedicated Fraud Minister and make fighting fraud a national priority. It explained that this minister must use their authority to work across multiple government departments, and with industry, to lead a clear strategy to stop organised crime online and focus on fraud as a fundamental part of the UK’s wider crime strategy.
