Flaws in online banking security systems could expose customers to fraud, according to Which?
The consumer champion’s study found that some banks don’t use the latest protections for their websites and allow users to set insecure passwords.
Which? conducted the survey with independent security experts 6point6, testing the security of the online and mobile banking services of the top 15 current account providers. It looked at a range of criteria, including encryption and protection, logging in, and managing and browsing accounts.
Metro Bank, Virgin Money and TSB received the lowest scores for online security in Which?’s tests, at 53%, 56% and 59% respectively.
A Monzo spokesperson said: “We strongly disagree with this assessment. Since every sensitive action or payment requires a customer to provide additional authentication in the form of a PIN or biometrics, the risk associated with staying logged into the Monzo app is extremely low. We take security extremely seriously and focus on the policies and practices that we believe are the most secure for Monzo customers.”
Banks must now carry out additional checks to verify the identity of customers, because passwords can be easily guessed or stolen, but Which? found security vulnerabilities in several banks’ login processes.
Triodos Bank allows customers to set insecure security words, such as ‘password’, ‘1234567’ and ‘admin’. The risk is mitigated by two-factor authentication at login, but Which? says there is no excuse for a bank to allow such weak credentials.
HSBC, NatWest, Santander, Starling, The Co-operative Bank and Virgin Money all allow customers to choose passwords that include their first and/or last name.
Santander told Which? this is being phased out, while NatWest and Virgin Money said they may increase password limits after investigation.
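The weaknesses described above (common security words such as ‘password’ or ‘admin’, and passwords that contain the customer’s own name) are the kind of thing a credential policy check should catch at registration time. The following is an added example of such a check, written for this article; it is not code from Which?, 6point6 or any of the banks named, and the blocklist and test names are constructed for illustration.

```python
"""Password / security-word policy check (added example, not from the survey)."""
import re
import unicodedata
from typing import List

# Constructed, deliberately tiny blocklist. A real deployment would load a
# large list of breached or commonly chosen passwords instead.
COMMON_BLOCKLIST = {"password", "1234567", "123456", "admin", "qwerty", "letmein"}

# Map common character substitutions back to letters so "P@ssw0rd" is
# compared as "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalise(text: str) -> str:
    """Case-fold and strip accents so 'Müller' and 'MULLER' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def check_password(candidate: str, first_name: str = "", last_name: str = "",
                   min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the value is acceptable."""
    problems: List[str] = []
    norm = _normalise(candidate)
    forms = {norm, norm.translate(_LEET)}  # literal and de-leeted spellings

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Substring match is deliberately conservative: 'administrator1' is
    # rejected along with 'admin'.
    if any(word in form for form in forms for word in COMMON_BLOCKLIST):
        problems.append("appears on the common-password blocklist")

    # Reject values containing the customer's own name. Very short names
    # (under three characters) are skipped to avoid absurd false positives.
    for label, name in (("first name", first_name), ("last name", last_name)):
        n = _normalise(name)
        if len(n) >= 3 and any(n in form for form in forms):
            problems.append(f"contains the customer's {label}")

    if re.fullmatch(r"\d+", candidate):
        problems.append("consists only of digits")

    return problems
```

The check is meant to run server-side at registration and password change, alongside whatever second factor the bank already requires; a second factor reduces the impact of a weak credential but, as the article notes, is not a reason to accept one.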
Which? identified potential weaknesses in subdomains of the Metro Bank website that could allow hackers to compromise the server.
A Metro Bank spokesperson said: “We take the security of our customers very seriously and have implemented a range of safeguards across all channels to help them defend against fraud. In addition to visible controls, we have background controls that support our customer journeys and provide invisible protection. We continually evaluate and develop our controls to prevent fraud.”
Testers found similar issues with First Direct and Lloyds. First Direct patched the vulnerability as soon as Which? reported it, and Lloyds said its subdomain was being decommissioned and “poses no security risk.”
Which? also found that Nationwide, TSB and Virgin Money have not used software that ensures fraudulent messages sent by potential scammers are blocked or quarantined by your email provider.
TSB told Which? it has since introduced this protection. Virgin Money said this was in the works. Nationwide said it operates “a range of email security controls” to protect members.
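The protection described above, where a receiving mail provider quarantines or rejects messages that claim to come from the bank’s domain, is published as a DNS policy record. The example below, added for this article and not taken from Which?, 6point6 or any bank, assumes the article is referring to DMARC and shows how to read a bank’s published record and decide whether it actually tells receivers to block or quarantine spoofed mail. The domain names and records are constructed; a real check would fetch the TXT record at `_dmarc.<domain>` with a DNS library.

```python
"""Evaluate a DMARC TXT record's effective policy (added example, not from the survey)."""
from typing import Dict, Optional

# Constructed sample records standing in for what a DNS lookup of
# _dmarc.<domain> TXT would return. None means no record was published.
SAMPLES: Dict[str, Optional[str]] = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": None,
    "bank-d.example": "v=DMARC1; p=quarantine; pct=20",
}


def dmarc_query_name(domain: str) -> str:
    """Name whose TXT record carries the DMARC policy for `domain`."""
    return f"_dmarc.{domain.strip('.')}"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are lower-cased, values kept as-is."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(txt: Optional[str], is_subdomain: bool = False) -> str:
    """Return 'none', 'quarantine', 'reject', 'missing' or 'invalid'.

    A quarantine/reject policy applied to only part of the mail (pct < 100)
    is reported as e.g. 'quarantine (pct=20)' so the gap is visible.
    """
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if is_subdomain and "sp" in tags:  # sp overrides p for subdomains
        policy = tags["sp"].lower()
    if policy not in {"none", "quarantine", "reject"}:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy != "none" and pct < 100:
        return f"{policy} (pct={pct})"
    return policy


def protects_customers(txt: Optional[str]) -> bool:
    """True only when receivers are told to quarantine or reject all spoofed mail."""
    return effective_policy(txt) in {"quarantine", "reject"}


if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{dmarc_query_name(domain)}: {effective_policy(record)}")
```

A `p=none` record only asks receivers for reports and blocks nothing, which is the state the article’s wording suggests for the banks it names. The checker reads the published policy only; whether enforcement works in practice also depends on the bank’s SPF and DKIM being set up so that its own legitimate mail passes alignment.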
HSBC comes out on top for online banking security, with a score of 81%. It was the only bank to get five stars for website encryption and account management. It has been rated A+ for encryption strength as it supports the latest encryption standards.
Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. Monzo was the lowest-rated app tested and the only provider that doesn’t ask users to log in every time. Monzo said this was a “conscious design decision to strike a balance between risk and customer experience”.
Which? calls on banks to redouble their efforts to improve online security in order to offer high levels of protection to customers.
If a fraudster breaches your bank’s defences and you lose money as a result, you have a legal right to a refund from your bank – unless it can show you were ‘grossly negligent’.
Jenny Ross, Which? Money editor, said: “Banks must lead the battle against fraud, but our security tests have revealed worrying flaws when it comes to protecting people from the threat of having their account compromised.
“Our research reinforces the need for banks to up their game in the fight against fraud by using the latest protections for their websites and not allowing customers to set insecure passwords, and for banks to stop sending sensitive data to customers via SMS, as this could leave the door open to fraudsters.”