A new Which? investigation has uncovered gaps in online banking security systems that could help criminals to scam customers, reinforcing why banks must do more to protect their customers and why reimbursement of bank transfer scam victims must be made mandatory.
Which? conducted an investigation with independent security experts 6point6, scrutinising the online banking safety measures in place across the largest current account providers.
The investigation found that some of the biggest banks, such as Santander, Tesco Bank and TSB, have concerning vulnerabilities in security that could leave their customers exposed to fraud.
While online banking is a largely safe way to manage money, and that safety is being enhanced by measures such as behavioural biometrics (where firms analyse the unique way you hold a device) to stop fraud, Which? is concerned that the issues exposed by its investigation highlight that banks could do more to prioritise security above all else.
In some of these instances, there is the potential for scammers to access information which could be used as the building blocks of a sophisticated scam – arming a fraudster with enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one.
Many victims of these scams – which potentially have lax bank security measures at their heart – then face a double blow as some banks disregard the obligations to reimburse victims that they signed up to last year.
Tesco Bank received the poorest rating for online security in Which?’s testing, with an overall score of just 46%. Researchers found multiple security headers missing from its webpages. These are important as they protect against a range of cyberattacks, by telling your browser how to behave when it communicates with the website. It also failed to block testers from logging in to the website from two computer networks at the same time. In addition, it failed to log out testers when switching to a different website or using the forward/back button to leave the session and return to it.
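The security headers mentioned above are a concrete, checkable control: they are a handful of lines in every HTTP response that tell the browser to refuse framing, stick to HTTPS, restrict which scripts may run, and not cache pages that show account data (the last of these is what stops a logged-out page reappearing via the back button). The following is an added example, not Which?'s or 6point6's test harness, and the header baseline and percentage are an assumed illustration rather than the investigation's scoring method: it parses the head of a raw HTTP response and reports which expected headers are missing or carry a weak value. Both sample responses are constructed.

```python
"""Audit the head of an HTTP response for browser security headers.

Added illustration; the expected-header baseline below is an assumed,
opinionated list, not the one used in the Which?/6point6 investigation.
"""

# Expected header -> predicate that accepts a reasonable value.
EXPECTED_HEADERS = {
    # Force HTTPS for future visits (needs a max-age to mean anything).
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    # Restrict script/frame sources; either directive is a sign it is set up.
    "content-security-policy": lambda v: "default-src" in v.lower()
    or "frame-ancestors" in v.lower(),
    # Legacy clickjacking defence; ALLOWALL or other values are not protective.
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    # Stop the browser guessing content types.
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    # Any explicit policy beats the browser default.
    "referrer-policy": lambda v: bool(v.strip()),
    # Authenticated pages must not be served from cache (back-button leak).
    "cache-control": lambda v: "no-store" in v.lower(),
}


def parse_response_headers(raw):
    """Parse a raw HTTP/1.1 response head into {lower-case name: value}.

    Stops at the blank line that ends the header block. Repeated headers are
    joined with ', ', which RFC 9110 permits for most fields.
    """
    headers = {}
    for line in raw.splitlines()[1:]:  # index 0 is the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers):
    """Return {'missing': [...], 'weak': [...]} against EXPECTED_HEADERS."""
    normalised = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], []
    for name, acceptable in EXPECTED_HEADERS.items():
        if name not in normalised:
            missing.append(name)
        elif not acceptable(normalised[name]):
            weak.append(name)
    return {"missing": sorted(missing), "weak": sorted(weak)}


def score(headers):
    """Share of expected headers that are present and acceptable, in percent."""
    result = audit_headers(headers)
    total = len(EXPECTED_HEADERS)
    good = total - len(result["missing"]) - len(result["weak"])
    return round(100 * good / total)


# Constructed sample responses (not captured from any real bank).
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "\r\n"
    "<html>...</html>"
)

RAW_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: private, max-age=0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", RAW_HARDENED), ("weak", RAW_WEAK)):
        hdrs = parse_response_headers(raw)
        print(label, score(hdrs), audit_headers(hdrs))
```

The point of the predicates is that presence alone is not enough: an `X-Frame-Options: ALLOWALL` or a `Cache-Control` without `no-store` is counted as weak rather than passed, which is the distinction a defender wants when reviewing a session page.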
TSB finished second from bottom with a score of 51%. Among the issues identified in Which? testing, the most serious was the firm’s login process, which did not meet new regulations on ‘strong customer authentication’ (SCA), introduced in March. When Which? reported TSB’s non-compliance to the Financial Conduct Authority (FCA), it was told that it doesn’t comment on specific firms and would not confirm how many firms have been granted an effective SCA extension in relation to online banking.
TSB told Which? in November 2020 that it is compliant with the regulation for all new customers and that SCA is being rolled out for existing online and mobile customers, but could not say when this will be completed. The forced upgrade has since been completed for mobile app users but is still being rolled out for online banking users.
TSB customers do at least enjoy some peace of mind due to the bank’s fraud refund guarantee, which ensures the vast majority of scam victims get their money back.
Santander rounded off the bottom three, with a score of 62%. Testing found that authentication checks when logging in can be bypassed if a user designates a device as ‘trusted’. While the firm said it does ask for reauthorisation if it detects unusual activity, there’s no option to view or ‘distrust’ these devices.
Several Banks Demonstrated Strong Security Measures
Starling came out on top, with a score of 85%. Experts found nothing concerning with its recently launched online banking website. This is partly due to limited functionality, as users can only change sensitive data via the app.
Barclays, HSBC and First Direct tied for the second spot, with a score of 78%, but had areas for improvement.
Many of the banks included in Which?’s investigation are signed up to the industry code on bank transfer scams, which pledges to reimburse scam victims who are not at fault. However, the number of victims who get their money returned by banks is worryingly low, standing at around the 40% mark. Because firms apply the code inconsistently and are not required to publish their reimbursement rates, scam victims face a lottery when it comes to getting their money back.
Which? is calling for the voluntary bank transfer scams code to be overhauled so that stronger consumer protections and reimbursement for scam victims become mandatory for all banks and payment providers. The regulator should also be required to regularly publish reimbursement rates of individual banks so consumers can check on their account provider’s performance.
Harry Rose, Editor of Which? Magazine, said: “Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”