‘Worrying security flaws’ among financial giants may expose online banking customers to fraud says consumer group
Online banking customers are being left exposed to some worrying fraud risks, according to Which?
The consumer group urged providers to "up their game" by using the latest protections for their websites and not allowing customers to set unsecure passwords.
It conducted an investigation with security experts 6point6, testing the online and mobile app security of 15 major current account providers on a range of criteria, including encryption and protection, login, and account management and navigation.
Six banks – HSBC, Natwest, Santander, Starling, the Cooperative Bank and Virgin Money – let people choose passwords that include their first name and/or surname, the research found.
Santander told Which? this is being phased out, while Natwest and Virgin Money said it might now increase password limitations.
TSB, Lloyds, Metro, Nationwide, Santander and the Cooperative Bank also used texts to verify people when logging in, leaving messages at risk of being hijacked by cybercriminals, Which? said.
Santander and the Co-operative Bank told Which? they were looking to move away from this.
Which? also claimed Nationwide, TSB and Virgin Money were not using software that ensures spoof messages sent by potential scammers are blocked or quarantined by someone's email provider.
HSBC came out most favourably for online banking security, scoring five stars for website encryption and account management. First Direct, which is a division of HSBC UK, was ranked top for mobile app security.
Metro Bank was placed bottom for online security, while Monzo was ranked bottom by Which? for mobile app security.
Which? said Monzo does not ask people to log in every time, with the bank saying this was a "conscious design decision to strike a balance between risk and customer experience".
A Monzo spokesman said: "We strongly disagree with this assessment. Given every sensitive action or payment requires a customer to provide extra authentication in the form of a Pin or biometrics, the risk associated with remaining logged into the Monzo app is extremely low.”