Warning to anyone who banks with TSB, Co-Op, Lloyds and Barclays

Some banks urgently need to address potential loopholes in their online security arrangements that could leave people vulnerable to scammers, Which? said.

The consumer group assessed the apps and websites of 13 payment account providers in January and February 2024, with the help of computer security experts. Researchers from the consumer group tested the security of banking websites and apps in the areas of login procedures, security best practices, account management and navigation and logout.

They were unable to test banks’ back-end security systems. While all companies in the survey use multi-layered security that helps reduce the chance of major security breaches, Which? said it believes some providers who finished at the bottom of the rankings did not meet the standards customers should expect.

TSB received a score of 54% from Which? for mobile app security and 67% for online security, the lowest and second-lowest scores respectively. Which? said the way the bank handled sensitive data meant it could be read by other apps on the phone. The consumer group raised concerns that the app stores users’ login credentials in a way that makes it more likely that other apps can access them.

TSB told Which? that the matter is under investigation and a resolution “will be considered in the future.” The bank also included a phone number in a text message alert, which Which? said could be replicated by scammers.

TSB told Which?: “We have removed phone numbers from the vast majority of text alerts, with this alert being the latest in the plan for an update to remove the phone number.”

The consumer group also raised concerns about TSB’s password requirements, saying users may choose insecure passwords that are easier for scammers to crack.

TSB said: “We continue to strengthen the security of our online and mobile banking services while providing a positive and convenient user experience for customers. This is reflected in our high app store ratings.”

Which? placed the Co-operative Bank at the bottom of its online security survey, with a score of 61%. For the security of its mobile app, the Co-operative Bank came second from bottom, with a score of 57%.

Which? said the bank failed to require two-factor authentication on a test laptop and did not stop customers from setting weak passwords. Researchers could log in from two different IP addresses simultaneously without the older session being terminated, and as with TSB, phone numbers were still included in alerts and security codes sent via SMS.

The Co-operative Bank said: “The security of our customers’ accounts is always our top priority. Customers can rest assured that we have robust security measures in place to protect them and their money.

“We are continually reviewing and improving our security controls and we will be making a number of further improvements in 2024 to give our customers the peace of mind that they can continue to bank safely with us.”

Which? said it is calling on TSB and the Co-operative Bank to urgently address the issues its investigators have discovered. Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.

A spokesperson for Lloyds Banking Group said: “Helping our customers’ money and data stay safe is our priority and we have robust, multi-layered security across our online and mobile banking services to protect us from potential cyber security threats.

“We employ world-class cyber security experts and continually invest to provide the right balance between online security measures, customer experience and accessibility.

“Although Lloyds Banking Group has established the Payment Systems Regulator’s secure customer authentication regulations, it has made regulators aware that we would not enforce this on payments and login, given the considerations for vulnerable customers and businesses who may be out of business for longer than that period. need to complete the transaction.

“Logins from new devices are verified through secondary authentication on customers’ registered phones to establish trust for all devices in use. Therefore, there are no untrusted customer devices.”

Starling Bank and NatWest/RBS topped the Which? list for online security, with both achieving a score of 87%. The highest-ranked bank for mobile app security was HSBC, with a score of 78%.

HSBC achieved solid scores for both the app and website, and researchers found no issues with logging out or navigation, Which? said. Barclays came in second in the mobile app rankings, with a score of 74%, but Which? found that it had not fixed website management issues it identified last year, such as allowing users to access accounts from multiple browsers, IP addresses or devices at the same time.

The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking and plans to add this extra layer of protection later this year.

Sam Richardson, deputy editor of Which? Money, said: “As many people increasingly bank online or on their phones, it is crucial that the banks we trust with our money have good security in place.

“While our investigation did not reveal any major security issues, there were some areas of concern that we believe need to be urgently addressed by the banks in question so that sophisticated scammers cannot use loopholes to target innocent victims.

“With fraudsters still ruthlessly pursuing our money and a general election looming, the next government must make the fight against fraud a national priority, with a Fraud Minister appointed across multiple ministries.”

A spokesperson for industry body UK Finance said: “Fraud has a devastating impact on its victims, so the banking and finance industry’s primary focus has always been on preventing fraud first and foremost. To achieve this, the industry is investing heavily in cybersecurity and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data and committing fraud.

“As the fraud landscape evolves, banks are updating and strengthening security measures on their platforms to mitigate potential threats while maintaining a positive user experience for customers.

“We encourage customers to be alert to potential fraud threats and always use secure passwords and avoid sharing one-time passcodes and personal and financial information. If you think you have fallen for a scam, it is important to get in touch immediately with your bank and report this to prevent fraud.”
