Banks putting customers ‘at risk of fraud’ with outdated online security

Banks are putting customers at risk of fraud by sending security codes via text, a study has found.

In an investigation into 13 current account providers, Which? found that many sent a one-time passcode by SMS even though the consumer group said this was the least secure way to authenticate customers because criminals were increasingly intercepting such texts.

Instead, the group awarded top marks to banks that asked customers to use a card reader or their mobile banking app to log in every time.

It identified the vulnerability as one of a series of security flaws on the websites and apps of some of the biggest banks, which it said were putting consumers at increased risk of falling victim to fraud.

Insecure passwords, lax checks on new payees and vulnerable login processes were among the weaknesses found by the consumer group.

Fraud costs £85 million in six months

It follows 29,102 reported cases of remote banking fraud, worth nearly £85 million, recorded by UK Finance, the industry body, in the first half of 2022.

For the research, Which? tested customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies.

The banks were scored across four key categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.

Among other issues, banks were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, which is the least secure approach, and failing to log customers out after five minutes of inactivity.
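Two of the controls the study scored, blocking weak passwords and logging customers out after five minutes of inactivity, are simple enough to show as server-side checks. The following is an added example written for this page; it is not code from any of the banks named, from Which? or from Red Maple Technologies. It assumes a 12-character minimum (the article only says six was judged too short), a small constructed list of common passwords standing in for a breached-password corpus, and the five-minute idle window the article describes.

```python
"""Illustrative checks for two controls the Which? study scored.

Added example, not code from any bank or from Which?/Red Maple Technologies.
Assumptions: 12-character minimum, a constructed common-password list, and a
five-minute idle limit.
"""
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of commonly breached passwords; a real deployment would
# screen against a large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_PASSWORD_LENGTH = 12           # assumption; six characters was marked down
IDLE_LIMIT = timedelta(minutes=5)  # the inactivity window the study expected


def password_rejection_reason(password: str) -> Optional[str]:
    """Return why a password is rejected, or None if it is acceptable.

    Blocks the weak choices the study penalised banks for allowing: very short
    passwords, dictionary passwords, and near-dictionary ones with trivial
    suffixes such as 'Password123!'.
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    lowered = password.lower()
    # Strip a trailing run of digits/symbols so 'Password123!' is still caught.
    core = lowered.rstrip("0123456789!@#$%^&*")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return "common password"
    if len(set(lowered)) < 5:
        return "too few distinct characters"
    return None


def session_is_expired(last_activity: datetime, now: datetime) -> bool:
    """True when the session has been idle longer than IDLE_LIMIT."""
    return now - last_activity > IDLE_LIMIT


def touch_or_expire(session: dict, now: datetime) -> dict:
    """Per-request handler: refresh the idle timer if the session is still
    live, otherwise mark it logged out. A logged-out session stays logged out."""
    if session.get("logged_out") or session_is_expired(session["last_activity"], now):
        return {**session, "logged_out": True}
    return {**session, "last_activity": now}


if __name__ == "__main__":
    for candidate in ["abc123", "Password123!", "correct horse battery staple"]:
        print(repr(candidate), "->", password_rejection_reason(candidate) or "accepted")

    # Constructed timeline: login at 09:00, request at 09:04, next at 09:10.
    start = datetime(2022, 11, 1, 9, 0, 0)
    session = {"user": "demo", "last_activity": start}
    session = touch_or_expire(session, start + timedelta(minutes=4))
    print("after 4 min idle:", "logged out" if session.get("logged_out") else "live")
    session = touch_or_expire(session, start + timedelta(minutes=10))
    print("after 6 min idle:", "logged out" if session.get("logged_out") else "live")
```

The idle check is done on the server against the session's own last-activity timestamp rather than trusting anything the client sends, and the weak-password screen rejects near-dictionary variants rather than only exact matches, which is the gap a bare six-character minimum leaves open.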

For logins – which include checks on password and passcode processes – HSBC topped the ranking with five out of five stars, followed by Starling, Lloyds, First Direct, Nationwide and Virgin Money on four stars. TSB, Santander, Barclays and NatWest received three stars.

Virgin Money got the lowest total scores for online (52 per cent) and app banking (54 per cent). The study found six outdated Virgin Money web applications which had potential vulnerabilities.

Virgin Money failed to adequately block insecure passwords and remove phone numbers from notifications, according to the research. It also found there were no security checks to pay someone new, change an email address or edit the details of a payee.

‘Robust, multi-layered controls’

A spokesman for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls.

“A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

TSB scored 57 per cent for its app, the second lowest, but got a slightly higher score of 66 per cent for its online offering.

Which? said TSB still asks basic security questions such as “name your favourite food” to recover login details. TSB also failed to block insecure passwords and required only six characters. There was also a potentially vulnerable subdomain, which TSB said would be removed in 2023, and two outdated web applications.

TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications.

A spokesman for TSB said: “We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers.

“TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”
