Banks told to address online security 'loopholes' that could leave customers at risk

The consumer group assessed the apps and websites of 13 current account providers in January and February 2024, with help from computer security experts.

[Image: a woman using a mobile phone] Which? said some banks need to address potential loopholes in their online security arrangements (Yui Mok/PA) (Image: PA Archive/PA Images)

Which? has sounded the alarm over online security 'loopholes' at some banks, warning that urgent action is needed to close gaps that leave customers exposed to fraudsters. The consumer watchdog conducted an investigation into the apps and websites of 13 current account providers earlier this year, enlisting cybersecurity specialists for the task.

The January and February 2024 study by Which? involved rigorous testing of banking website and app security, focusing on login procedures, adherence to security "best practice", account management, navigation, and logout processes. However, the researchers were unable to probe the banks' internal security infrastructure.

Although all the firms employ multi-layered security measures that generally mitigate the risk of a significant breach, Which? expressed concern that some banks, particularly those ranked lower in its assessment, are not meeting the high standards customers deserve.

TSB's mobile app security was rated at a mere 54 percent by Which?, while its online security fared slightly better at 67 percent, placing it as the lowest and second-lowest in these categories respectively.

Which? highlighted worrying practices at TSB, such as the way sensitive data is handled, potentially allowing other phone apps to read it. The group also flagged issues with how the app stores user credentials, possibly increasing the risk of access by malicious apps.

TSB has acknowledged the concerns raised by Which? and stated that the issue is being reviewed, with a potential fix to be "considered in the future".

[Image: a TSB sign] TSB said it continues to strengthen the security of its internet and mobile banking (Gareth Fuller/PA) (Image: PA Archive/PA Images)

Additionally, Which? pointed out a vulnerability involving text alerts from the bank, which could be easily mimicked by scammers, further endangering customer security.

TSB made the following statement to Which?: "We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number."

The consumer group expressed concerns over TSB's password protocols, suggesting that users may opt for less secure passwords that scammers could easily decipher.

In response, TSB commented: "We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That's reflected in our high app store ratings."

The Co-operative Bank was ranked last in Which?'s study examining online security, garnering a score of 61 percent. When it came to mobile app security, the Co-operative Bank scored just 57 percent, placing it second to last.

Which? critiqued the bank for not implementing a two-factor authentication login on a testing laptop, and not preventing the use of simple passwords.

Researchers noted that they could log into the same account from multiple IP addresses without the previous session ending. Additionally, like TSB, there were still phone numbers included in alerts and text-based security codes.

Responding to the criticisms, The Co-operative Bank declared: "The security of our customers' accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money."

"We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us."

Which? has expressed concerns over the issues found at TSB and the Co-operative Bank, calling for an urgent review and rectification.

In another instance, Lloyds failed to automatically log out website users after five minutes of inactivity. However, the bank told Which? that this approach makes transactions simpler for customers who are vulnerable.

A spokesperson from the Lloyds Banking Group asserted: "Helping to keep our customers' money and data safe is our priority and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats."

"We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility."

"Whilst written in the Payment Systems Regulator's regulation for secure customer authentication, Lloyds Banking Group has made the regulators aware that we would not enforce this on payments and logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction."

"Logons from new devices are verified through secondary verification to customers' registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices."

Starling Bank and NatWest/RBS have been crowned the leaders in online security by consumer champion Which?, both achieving an impressive score of 87 percent.

HSBC has emerged as the frontrunner for mobile app security, securing a commendable score of 78 percent, according to Which?.

The banking giant HSBC garnered robust scores across its app and website platforms, with researchers from Which? giving it a clean bill of health regarding logout procedures and navigation ease.

Barclays clinched the runner-up spot for mobile app security with a solid 74 percent score. However, Which? highlighted that Barclays had yet to rectify website management issues identified previously, such as permitting simultaneous account access from various browsers, IP addresses, or devices.

Which? received assurances from the bank that it employs alternative measures to evaluate the risk profile of devices used for online banking, with plans to introduce an extra layer of protection later this year.
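The two session-handling findings above, simultaneous logins from several browsers or IP addresses (reported at Barclays and the Co-operative Bank) and the five-minute idle logout that Lloyds chose not to enforce, map onto two straightforward server-side controls. The following is an added illustration, not code from Which? or any of the banks; the SessionStore class, its method names and the in-memory storage are assumptions made for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

IDLE_TIMEOUT_SECONDS = 5 * 60  # the five-minute inactivity limit Which? tested for

@dataclass
class Session:
    account: str
    ip: str  # recorded for audit logging only; not used to reject requests
    last_seen: float

class SessionStore:
    """Illustrative in-memory store: one live session per account, expired when idle."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock  # injectable so the timeout can be tested without waiting
        self.sessions: Dict[str, Session] = {}       # token -> Session
        self.active_by_account: Dict[str, str] = {}  # account -> live token

    def login(self, account: str, ip: str) -> str:
        # A fresh login revokes any earlier session for the same account, so a
        # second browser, IP address or device cannot stay signed in alongside it.
        old = self.active_by_account.get(account)
        if old is not None:
            self.sessions.pop(old, None)
        token = secrets.token_urlsafe(32)  # unguessable opaque session id
        self.sessions[token] = Session(account, ip, self.clock())
        self.active_by_account[account] = token
        return token

    def validate(self, token: str) -> bool:
        """True only if the token is the account's current session and not idle too long."""
        s = self.sessions.get(token)
        if s is None or self.active_by_account.get(s.account) != token:
            return False
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            self.logout(token)  # server-side expiry, independent of the browser
            return False
        s.last_seen = now  # genuine activity extends the session
        return True

    def logout(self, token: str) -> None:
        s = self.sessions.pop(token, None)
        if s is not None and self.active_by_account.get(s.account) == token:
            del self.active_by_account[s.account]
```

Enforcing the idle timeout on the server rather than in the browser is what makes it hold even when the client has been left open or tampered with.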

Deputy Editor of Which? Money, Sam Richardson, commented: "With many people increasingly banking online or on their phones, it's crucial that the banks we trust with our money have security protections that are up to scratch."

Richardson further noted: "While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can't use loopholes to target innocent victims."

He also stressed the importance of prioritising fraud prevention, especially with the general election on the horizon, calling for the next government to appoint a dedicated fraud minister to spearhead efforts across various departments.

A representative for industry body UK Finance stated: "Fraud has a devastating impact on victims, so the banking and finance industry's primary focus is always on stopping fraud from happening in the first place. To do so, the industry invests heavily in cyber security and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data, and committing fraud."

"As the fraud landscape evolves, banks update and reinforce security measures on their platforms to mitigate potential threats, whilst maintaining a positive user experience for customers."

"We encourage customers to be alert to potential threats of fraud and always use secure passwords, avoid sharing one-time passcodes and personal and financial information. If you think you've fallen for a scam it's important to contact your bank immediately, and report it to Action Fraud."
