Which? calls out TSB and the Co-operative Bank for lax mobile security (2024)

Weaknesses in some banks’ security could leave customers exposed to scammers, a new Which? investigation has found, as the consumer champion rates the best and worst firms for keeping customers safe.

With more people than ever before using mobile banking, criminals are increasingly viewing mobile phones as gateways to consumers’ personal finances.

Which? researchers tested banking website and app security across four key criteria: login procedures; security best practice; account management; and navigation and logout. The four scores were amalgamated to give a total score. They were not able to test banks’ back-end security systems.

While all firms do use multilayered security that helps reduce the likelihood of major security breaches, Which? believes that some firms that finished towards the bottom of the rankings fell short of the high standards customers should expect.

TSB scored 54 per cent for its mobile app security and 67 per cent for its online security - the lowest and second-lowest scores, respectively. The firm was the only one to score just two stars for online account management, and just two stars for security best practice for its app.

The most serious problem the security best practice tests discovered was a ‘medium-risk’ issue on the TSB app. The app handled sensitive data improperly, so that data could be read by other apps running on the phone. The app stores users’ credentials in an insecure manner, which makes it more likely that other apps could access them.

TSB told Which? that the matter was under review and a fix will be ‘considered in the future’. However, given the level of risk here, Which? would expect a stronger response.

Researchers also uncovered encryption issues caused by outdated versions of third-party libraries (shared code that apps and websites build on), and a weakness related to support for devices running Android 8.0 and below. TSB also specifically asks users to ‘trust’ a device but then offers no way to ‘distrust’ it afterwards.

The bank also sent a phone number in an SMS alert, which could be replicated by scammers. TSB told Which?: "We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number."

Finally, TSB’s password requirements are still only six characters and users can still choose a range of insecure passwords, which are easier for scammers to crack.

Which? also uncovered problems with The Co-operative Bank’s security measures. The bank came bottom of the online security table, with a score of just 61 per cent. It got a very average three stars for both account management and navigation.

When it came to security on its mobile app, The Co-operative Bank came second-last, with a disappointing score of 57 per cent. The firm was one of three rated average (three stars) for login security, and it was the only bank that failed to require two-factor authentication at login on a test laptop. The bank also fails to block customers from setting weak passwords.

Researchers could still log in from two different IP addresses at the same time without the older session being terminated, and, like TSB, there were still phone numbers in alerts and security codes sent via SMS. The bank said that messages for high-risk changes to your account, such as a resetting of login details, were being reviewed, along with its ‘authentication strategy to move to app authentication and reduce the reliance on SMS’.

Lloyds was the only bank that failed to log out website users after five minutes of inactivity, despite this being a regulatory requirement. The bank told Which? that this makes things easier for vulnerable customers.

At the top of the pile for online security were Starling and NatWest/RBS, with both posting an impressive total score of 87 per cent. While both firms scored four stars for login security online, they both posted a full five stars for security best practice, account management and navigation.

The best performing bank for mobile app security was HSBC, with a total score of 78 per cent. HSBC posted solid scores for both its app and website, and unlike many of its high street rivals, it does not rely on SMS for login, and researchers found no issues with logout or navigation.

While Barclays finished second in the mobile app rankings, with a highly respectable total score of 74 per cent, it has still not fixed the website account management issues Which? identified last year, such as letting users access accounts from multiple browsers, IP addresses or devices at the same time, a pattern that could indicate an attack by cybercriminals. This is despite Barclays claiming these would be addressed in early 2023.

The firm told Which? it uses other controls to assess the risk profile of devices accessing online banking, and is planning to add this additional layer of protection later this year.

Which? is calling for TSB and The Co-operative Bank to urgently address the issues its researchers have uncovered, so that sophisticated fraudsters are not able to take advantage of potential holes in security systems to target innocent victims.

Banking trade body UK Finance’s most recent half-year fraud report revealed that losses from mobile banking fraud ‘increased by 17 per cent to £18.7 million in the first six months of 2023’ - the biggest recorded increase since it began collecting data on this fraud type in 2015. The number of cases shot up by 32 per cent to 8,078, also the highest total recorded.

With a General Election looming, the consumer champion is calling on the next government to appoint a dedicated Fraud Minister and make fighting fraud a national priority. This minister must use their authority to work across multiple government departments, and with industry, to lead a clear strategy to stop organised crime online and focus on fraud as a fundamental part of the UK’s wider crime strategy.

Sam Richardson, Deputy Editor of Which? Money, said:

“With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch.

“While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.

“With fraudsters still relentless in their pursuit of our money and a General Election looming, the next government must make fighting fraud a national priority, with a Fraud Minister installed to work across multiple government departments.”

Article information

Author: Zonia Mosciski DO