The Herald

Which? urges banks to address online security ‘loopholes’

- Aileen Bottomley

SOME banks need to urgently address potential loopholes in their online security arrangements which could leave people vulnerable to scammers, according to Which?.

The consumer group assessed the apps and websites of 13 current account providers in January and February 2024, with help from computer security experts.

Researchers for the consumer group tested banking website and app security for login procedures, security “best practice”, account management, and navigation and logout. They were not able to test banks’ back-end security systems.

While all firms in the study use multilayered security that helps reduce the likelihood of major security breaches, Which? said it believes some providers that finished towards the bottom of its rankings fell short of the standards customers should expect.

TSB was scored 54% by Which? for its mobile app security and 67% for its online security – the lowest and second-lowest scores respectively.

Which? said the bank’s handling of sensitive data meant that it could be read by other apps running on the phone. The consumer group raised concerns that the app stores users’ credentials in a way which may make it more likely that other apps could access them.

TSB told Which? that the matter was under review and a fix will be “considered in the future”.

The consumer group also raised concerns about TSB’s password requirements, saying users may choose insecure passwords which could be easier for scammers to crack.

TSB said: “We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”

Which? ranked the Co-operative Bank bottom in its study for online security, with a score of 61%.

Regarding security on its mobile app, the Co-operative Bank came second to last, with a score of 57%.

Which? said the bank failed to require a two-factor authentication login on a test laptop and did not block customers from setting weak passwords.

Researchers could log in from two different IP addresses at the same time without the older session being terminated and, like TSB, there were still phone numbers in alerts and security codes sent via text.

The Co-operative Bank said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.

“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind.”

Which? said it is calling for TSB and the Co-operative Bank to urgently address the issues that its researchers found.

Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.

A Lloyds Banking Group spokesperson said: “Helping to keep our customers’ money and data safe is our priority, and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats.

“We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.

“Logons from new devices are verified through secondary verification to customers’ registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices.”

Starling Bank and NatWest/RBS were ranked top by Which? for online security, with both scoring 87%.

The top-ranked bank for mobile app security was HSBC, with a score of 78%.

Barclays was ranked second in the mobile app rankings, with a score of 74%, but Which? found it had not fixed website management issues it identified last year, such as letting users access accounts from multiple browsers, IP addresses or devices at the same time.

The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking and is planning to add this additional layer of protection later this year.

The consumer group raised concerns about banks’ online security
