Online banking customers face worrying fraud risks, according to Which?
The consumer group urged providers to “up their game” by using the latest protections for their websites and not allowing customers to set insecure passwords.
It conducted a survey with security experts 6point6, testing the security of online and mobile applications from 15 major current account providers on a range of criteria, including encryption and protection, login, management and navigation of the account.
Six banks – HSBC, NatWest, Santander, Starling, the Co-operative Bank and Virgin Money – allow people to choose passwords that include their first and/or last name, according to the research.
Santander told Which? this is being phased out, while NatWest and Virgin Money said they may now increase password restrictions.
TSB, Lloyds, Metro, Nationwide, Santander and the Co-operative Bank also used SMS to verify people when logging in, leaving messages at risk of being hacked by cybercriminals, Which? noted.
Santander and the Co-operative Bank told Which? they were trying to move away from it.
Which? also claimed that Nationwide, TSB and Virgin Money do not use software to ensure that fake messages sent by potential scammers are blocked or quarantined by someone’s email provider.
TSB told Which? it has since introduced this protection. Virgin Money said it was doing so. Nationwide said it has “a range of email security controls” to protect members.
HSBC came out on top for online banking security, earning five stars for website encryption and account management. First Direct, a division of HSBC UK, was ranked first for mobile app security.
Metro Bank was ranked last for online security, while Monzo was ranked last by Which? for mobile application security.
Which? said Monzo does not ask people to log in every time, with the bank saying it was a “conscious design decision to balance risk and customer experience.”
A Monzo spokesperson said: “We strongly disagree with this assessment. Since every sensitive action or payment requires a customer to provide additional authentication in the form of a PIN or biometrics, the risk associated with staying logged into the Monzo app is extremely low.
“We take security extremely seriously and focus on the policies and practices that we believe are the most secure for Monzo customers.”
Metro Bank said: “Like all financial institutions, we must remain vigilant to protect our systems and security.
“In addition, we work collectively with other banks to help guard against fraud. We take the security of our customers very seriously and have implemented a range of protections across all channels to help defend against fraud.
“In addition to visible controls, we have background controls that support our customer journeys and provide invisible protection. We are continually evaluating and developing our controls to prevent fraud.”
Which? said the criteria reviewed included encryption and protection, logging in, account management, and browsing.
It said that every bank and building society has security processes behind the scenes and that it is not possible for Which? to legally test them.
Jenny Ross, the publisher of Which? Money, said: “Banks must lead the battle against fraud, but our security tests have revealed worrying flaws when it comes to protecting people against the threat of having their account compromised.
“Our research reinforces the need for banks to up their game in the fight against fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. banks stop sending sensitive data to customers via SMS, as this could leave the door open to fraudsters.”
The banks have stressed that security is a top priority.
TSB said it has several security features that aren’t captured in the results and pointed to its fraud money-back guarantee.
Virgin Money said: “The safety and security of our banking services is our top priority and we continually monitor, assess and improve our security controls.”
Co-operative Bank said it is continually reviewing controls to maintain the security of banking operations.
HSBC Group said: “We are deploying advanced cybersecurity controls and identifying and responding to threats in a timely manner.”
Lloyds Banking Group said: “We have robust, multi-layered security across online and mobile banking to protect against cybersecurity threats. We employ world-class experts in the field of cybersecurity.”
Nationwide said, “We employ round-the-clock defenses to monitor our systems and look for suspicious activity.”
NatWest Group said: “We continue to invest in our digital security capabilities, leveraging market-leading technologies – for example, multi-factor authentication and our work on biometrics – to deliver simple and secure banking services to our customers.”
Santander said it continues to “invest a lot to ensure the safety of our customers”.
Starling Bank said it has integrated security technology into its app and systems “to provide customers with an easy-to-use, secure and seamless experience.”