‘Worrying security flaws’ may expose online banking customers to fraud – Which?

Online banking customers being left exposed to some worrying fraud risks, according to Which? (Picture posed by a model/Yui Mok/PA) (PA Archive)

Online banking customers are being left exposed to some worrying fraud risks, according to Which?

The consumer group urged providers to “up their game” by using the latest protections for their websites and not allowing customers to set unsecure passwords.

It conducted an investigation with security experts 6point6, testing the online and mobile app security of 15 major current account providers on a range of criteria, including encryption and protection, login, and account management and navigation.

Six banks – HSBC, NatWest Santander, Starling, the Co-operative Bank and Virgin Money – let people choose passwords that include their first name and/or surname, the research found.

Santander told Which? this is being phased out, while NatWest and Virgin Money said it might now increase password limitations.

TSB, Lloyds, Metro, Nationwide Santander and the Co-operative Bank also used texts to verify people when logging in, leaving messages at risk of being hijacked by cybercriminals, Which? said.

Santander and the Co-operative Bank told Which? they were looking to move away from this.

Our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised

Jenny Ross, Which?

Which? also claimed Nationwide, TSB and Virgin Money were not using software that ensures spoof messages sent by potential scammers are blocked or quarantined by someone’s email provider.

TSB told Which? it has since introduced this protection. Virgin Money said it was in the process of doing this. Nationwide said it has “a range of email security controls” to protect members.

HSBC came out most favourably for online banking security, scoring five stars for website encryption and account management. First Direct which is a division of HSBC UK, was ranked top for mobile app security.

Metro Bank was placed bottom for online security, while Monzo was ranked bottom by Which? for mobile app security.

We strongly disagree with this assessment

Monzo spokesman

Which? said Monzo does not ask people to log in every time, with the bank saying this was a “conscious design decision to strike a balance between risk and customer experience”.

A Monzo spokesman said: “We strongly disagree with this assessment. Given every sensitive action or payment requires a customer to provide extra authentication in the form of a Pin or biometrics, the risk associated with remaining logged into the Monzo app is extremely low.

“We take security incredibly seriously and focus on policies and practices that we consider to be safest for Monzo customers.”

Metro Bank said: “Like all financial institutions, we need to remain vigilant to protect our systems and security.

“In addition, we work with other banks collectively to help guard against fraud. We take our customers’ security extremely seriously and have a range of safeguards in place across all channels to help defend them against fraud.

“As well as the controls which are visible, we have controls in the background which support our customer journeys and provide invisible protection. We are continually evaluating and evolving our controls to prevent fraud.”

Which? said the criteria it looked at included encryption and protection, login, account management, and navigation.

It said every bank and building society has behind-the-scenes security processes and it is not possible for Which? to test these legally.

We employ world-class experts in the cyber-security field

Lloyds Banking Group

Jenny Ross, Which? Money editor, said: “Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised.

“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”

Banks emphasised that security is a top priority.

TSB said it has several security features which are not captured in the results and highlighted its fraud refund guarantee.

Virgin Money said: “The safety and security of our banking services is our top priority and we are continually monitoring, assessing and improving our security controls.”

Co-operative Bank said it continually reviews controls to maintain secure banking.

HSBC Group said: “We deploy advanced cybersecurity controls and identify and respond to threats in a timely manner.”

Lloyds Banking Group said: “We have robust, multi-layered security across online and mobile banking services to protect against cyber security threats. We employ world-class experts in the cyber-security field.”

Nationwide said: “We employ round-the-clock defences to monitor our systems and look out for suspicious activity.”

NatWest Group said: “We continue to invest in our digital security capabilities, leveraging market leading technologies – for example, multi-factor authentication and our work on biometrics – to deliver simple and secure banking services for our customers.”

Santander said it continues to “invest a great deal in keeping our customers safe”.

Starling Bank said it has built security technology into its app and systems “to give customers an easy to use, secure, seamless experience”.