Research by the consumer group Which? found that online banking customers were at risk of fraud because of their banks’ cybersecurity practices.
In conjunction with the security firm 6point6 and a group of volunteers, Which? analyzed 15 banks and building societies’ online banking and mobile app banking platforms.
The consumer group rated the financial institutions in four areas: encryption, login, account management, and navigation and logout. Which? discovered “worrying security flaws” and revealed a big gap between the best and worst performers. The consumer group advised banks to improve their customers’ online safety by adopting the latest security protections.
Multiple banks lag on online banking security
According to Which?, HSBC, NatWest and Barclays emerged as the best for online banking, with only a few areas for improvement. HSBC ranked highest because it was the only bank to achieve five stars in both website encryption and account management.
TSB, Virgin Money and Metro Bank were among the lowest performers on online banking security. According to Which?, HSBC, Starling, NatWest, Santander, Co-operative Bank and Virgin Money allow customers to use their own name as their password.
“These findings aren’t surprising. Positive Technologies research also shows that banks have a number of weak points in the security of customer accounts,” said Maxim Kostikov, Head of Banking Security at Positive Technologies. “And we see insufficient password policies, the inability for users to change their login username when needed, and lack of two-factor authentication for critical actions.”
TSB, Lloyds, Metro, Nationwide, Santander and Co-operative Bank verify logins with one-time codes sent by text message, which cybercriminals can intercept (for example through SIM swapping). Santander and Co-operative Bank told Which? Money that they were moving away from this practice.
Nationwide, TSB and Virgin Money had not deployed the email-authentication controls that let receiving mail providers identify and block messages spoofing the bank’s domain. TSB said it had since introduced this protection, Virgin Money said it was in the process of doing so, and Nationwide said it had “a range of email security controls” to protect its customers from spoofed messages.
Monzo’s app does not require users to log in on every use. The bank said the design was deliberate, striking a balance between security and user experience, and that the risk of a device remaining logged in was minimal.
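The page does not name the control behind the spoofed-email finding; the standard mechanism is a DMARC record (RFC 7489) published at `_dmarc.<domain>`, which tells receiving mail providers whether to quarantine or reject mail that fails SPF/DKIM alignment. The following added example, written for this page rather than taken from Which? or any bank, parses DMARC TXT records and reports whether a published policy actually lets receivers block spoofed mail: a record with `p=none` only monitors, and `pct` below 100 leaves some of the spoofed mail through. The domains and records are constructed, not real banks’ DNS; a live check would fetch the TXT records with a DNS resolver instead of the inline dictionary.

```python
"""Assess whether a domain's DMARC record lets receiving mail providers block
messages that spoof it.

Added example; assumes DMARC (RFC 7489) is the control in question. The sample
domains and TXT records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]   # effective p= value, None if no usable record
    pct: int                # share of failing mail the policy applies to
    reporting: bool         # rua= present, so the owner sees spoofing attempts
    blocks_spoofing: bool   # receivers are told to quarantine/reject all failing mail
    note: str


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a TXT record into tag=value pairs; {} if it is not a DMARC record."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(domain: str, txt_records: list[str]) -> DmarcAssessment:
    """Evaluate the TXT records found at _dmarc.<domain>."""
    records = [t for t in (parse_dmarc(r) for r in txt_records) if t]
    if len(records) != 1:
        # RFC 7489 s6.6.3: zero or multiple DMARC records -> receivers apply no policy
        note = "no DMARC record" if not records else "multiple DMARC records; receivers ignore all of them"
        return DmarcAssessment(domain, None, 0, False, False, note)

    tags = records[0]
    reporting = "rua" in tags
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # s6.6.3: without a valid p=, receivers treat the record as p=none if
        # rua= is present, and otherwise ignore it entirely.
        if reporting:
            return DmarcAssessment(domain, "none", 100, True, False,
                                   "missing/invalid p= tag; treated as p=none because rua= is present")
        return DmarcAssessment(domain, None, 0, False, False, "missing/invalid p= tag; record unusable")

    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # the default when pct= is unparsable

    blocks = policy in ("quarantine", "reject") and pct == 100
    if policy == "none":
        note = "monitor-only: spoofed mail is reported but still delivered"
    elif pct < 100:
        note = f"p={policy} applies to only {pct}% of failing mail"
    else:
        note = f"p={policy}: receivers told to {policy} mail failing SPF/DKIM alignment"
    return DmarcAssessment(domain, policy, pct, reporting, blocks, note)


# Constructed sample DNS answers for _dmarc.<domain>; not real banks' records.
SAMPLE_RECORDS: dict[str, list[str]] = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example"],
    "bank-c.example": ["v=DMARC1; p=quarantine; pct=50"],
    "bank-d.example": [],
    "bank-e.example": ["v=spf1 include:_spf.example -all"],  # SPF text, no DMARC
}


def assess_all(records: dict[str, list[str]] = SAMPLE_RECORDS) -> dict[str, DmarcAssessment]:
    return {domain: assess_dmarc(domain, txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for result in assess_all().values():
        print(f"{result.domain:16} blocks={result.blocks_spoofing!s:5} {result.note}")
```

Of the five constructed domains only `bank-a.example` would have spoofed mail rejected outright; `bank-b.example` has the record but only reports, which is the situation the article’s “lacked the means to let providers block such emails” finding points at.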
Security flaws expose customers to potential fraud
“Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised,” said Harry Rose, editor of Which? Money.
Which? noted that these weaknesses could allow scammers to obtain enough information to pull off convincing scams, such as fraudsters posing as bank employees and persuading customers to transfer money into accounts the fraudsters control.
However, the consumer group noted that the banks also had behind-the-scenes security processes that it could not legally assess.
Rose added that while “online banking is largely safe”, banks could do more to prioritize their users’ security.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”
Oliver Pinson-Roxburgh, CEO of Defense.com, said that customers are more digitally savvy and want assurance that their banking partners prioritize their security.
“It’s frustrating, but not surprising, to see that so many banks are failing to deliver the highest security standards to their customers,” noted Pinson-Roxburgh. “Every access point in the business, internal or external, should be under constant scrutiny and meet rigorous security controls.”
Kostikov says users can protect themselves by keeping an eye on their own digital security. He advises using separate SIM cards (phone numbers) and separate email addresses for different purposes, e.g., shopping, travel and banking.
“If you use a separate phone number for the bank, a leak from another site will not affect your bank account. And get a virtual credit card for online payments or for PayPass and set a maximum limit for purchase costs. This way, attackers will not see your main payment card if data is leaked from stores you shopped at.”