Many UK retail banks are leaving their customers exposed to fraud by neglecting to implement website protections and allowing users to set laughably insecure passwords to use their online services, according to consumer rights organisation Which?.
Which?’s investigation, conducted with assistance from security firm 6point6, tested the online and mobile app security of the UK’s 15 largest current account providers, measuring criteria such as encryption and protection, login, and account management and navigation.
The banks were rated on a score ranging from 1-100%, and although none of the organisations surveyed fell into the bottom half of that scale, the worst rated banks – Metro Bank, Virgin Money and TSB – scored 53%, 56% and 59%, respectively.
“Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised,” said Jenny Ross, money editor at Which?.
“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”
Among the issues uncovered, Which? said Metro Bank had scored lowest for a number of reasons, including its continued use of SMS texts to verify customers when they log in, which leaves those messages at risk of being hijacked by malicious actors, and weaknesses in subdomains of its website that could allow its servers to be compromised. It also said two security headers were missing altogether from Metro Bank’s website – meaning a customer’s browser may not function properly when using it.
Virgin Money, meanwhile, was hauled up for allowing customers to set passwords that incorporate their first and last names, and for failing to use DMARC protections that block or quarantine spoof communications from scammers. TSB also lost points for the same reason, as well as because its online and mobile banking services used the same credentials and for its continued use of SMS verification at login.
But these were not the only banks found to be taking a slapdash attitude to customer cyber security. Which? also highlighted Triodos Bank for allowing customers to use unsafe credentials, and Monzo, which was cited for a particularly insecure mobile app that, among other things, does not ask users to log in every time they access it.
Other problems were found at HSBC, NatWest, Santander, Starling Bank and the Co-Operative Bank, which all still permitted easily guessed passwords that potentially contain personal data. Meanwhile, Lloyds, Nationwide, Santander and the Co-Operative Bank were also found to still be using SMS verification, First Direct and Lloyds both had insecure websites, and Nationwide lagged on DMARC.
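As an added example (not code from Which? or 6point6, whose test criteria are not published here), a defender-side check for two of the findings above: a password-policy rule that rejects passwords embedding the customer’s first or last name, and a parser that reports whether a domain’s DMARC record actually asks receivers to quarantine or reject spoofed mail rather than merely monitor it. The substitution table and the sample DNS records are constructed assumptions.

```python
import re
from typing import Optional

# Common digit/symbol substitutions used to disguise a name (assumed table, not a Which? criterion).
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})

def _normalise(text: str) -> str:
    """Lower-case, undo the substitutions above and drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_SUBSTITUTIONS))

def password_contains_name(password: str, *names: str, min_len: int = 3) -> bool:
    """True if any part of the customer's name is embedded in the password.
    Comparison is case-insensitive, ignores separators such as '-' or '_' and
    catches simple disguises like 'J0hn'. Name parts shorter than min_len are
    skipped so a surname like 'Li' does not reject every password containing it.
    """
    pw = _normalise(password)
    for name in names:
        for part in re.split(r"[\s\-']+", name):   # split double-barrelled names
            part = _normalise(part)
            if len(part) >= min_len and part in pw:
                return True
    return False

def dmarc_policy(txt_record: str) -> Optional[str]:
    """Return the policy tag ('none', 'quarantine' or 'reject') from a _dmarc TXT
    record, or None if the record is absent or not a valid DMARC record."""
    tags = {}
    for item in txt_record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def dmarc_blocks_spoofing(txt_record: str) -> bool:
    """True only when the domain tells receivers to quarantine or reject spoofed mail;
    'p=none' merely monitors and offers customers no protection."""
    return dmarc_policy(txt_record) in ("quarantine", "reject")

# Constructed sample records; not real DNS data for any bank named above.
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "no-record.example": "",
}
```

Running the name check at registration and password change, and the DMARC check as a periodic control on every customer-facing sending domain, covers the two specific weaknesses the survey attributed to Virgin Money, TSB and Nationwide.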
Which? said the findings were particularly alarming given that cases of internet banking fraud almost doubled during the first six months of 2021. At the other end of the scale, however, its testers praised HSBC for having paid close attention to cyber security, and in particular encryption, scoring well across all tested categories for a total of 81%. NatWest (including Royal Bank of Scotland) and Barclays were the other two high scorers.
Which? said that although online banking is generally safe, cyber criminals are constantly upping their game and the banking sector needs to do more to keep pace with them. It is calling for all those surveyed to do more to improve the security of their online services.
Brett Beranek, vice-president and general manager of Nuance’s security and biometrics business, commented: “This latest warning from Which? about password security should come as no surprise. PINs and passwords are an archaic tool, no longer fit for purpose. Passwords are being sold on the dark web, exploited for fraudulent activity and have even cost unfortunate individuals vast sums of money in terms of forgotten passwords to safeguard cryptocurrencies.
“With fraud on the rise, it has never been more important for banking leaders to ensure that their customers are provided with a more sophisticated and secure experience. Biometrics authenticates individuals immediately based on their unique characteristics – taking away the need to remember PINs, passwords and other knowledge-based credentials prone to being exploited by fraudsters and providing peace of mind, as well as security, for end-users.”