Banks putting customers at risk by sending security codes via text
BANKS are putting customers at risk of fraud by sending security codes via text, a study has found.
In an investigation into 13 current account providers, Which? found that many sent a one-time passcode by SMS, even though the consumer group said this was the least secure way to authenticate customers because criminals were increasingly intercepting texts. It awarded top marks to banks that asked customers to use a card-reader or their mobile banking app to log in.
The vulnerability is one of a series of security flaws on some of the biggest banks’ websites and apps that the consumer group said were potentially exposing their customers to fraud.
Insecure passwords, lax checks on new payees and vulnerable log-in processes were among the weaknesses found by Which?. It follows reports of 29,102 frauds in remote banking, worth nearly £85 million, in the first half of last year, according to UK Finance.
For the research, Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies.
The banks were scored across four categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.
Among other issues, banks were marked down for not adequately blocking weak passwords, for sending one-time passcodes or other sensitive information via text message (the least secure approach), and for failing to log customers out after five minutes of inactivity.
For logins, which include checks on passwords and passcode processes, HSBC scored five out of five stars; Starling, Lloyds, First Direct, Nationwide and Virgin Money scored four; while TSB, Santander, Barclays and NatWest scored three.
Virgin Money got the lowest total scores for online (52 per cent) and app (54 per cent) banking. A spokesman for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls.
“A number of the points raised relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”