Which? urges banks to address online security ‘loopholes’

24 April 2024, 00:04

With many people increasingly banking online or on their phones, it is crucial that security protections are up to scratch, Which? said.

Some banks need to urgently address potential loopholes in their online security arrangements which could leave people vulnerable to scammers, according to Which?.

The consumer group assessed the apps and websites of 13 current account providers in January and February 2024, with help from computer security experts.

Researchers for the consumer group tested banking website and app security across login procedures, security “best practice”, account management, and navigation and logout. They were not able to test banks’ back-end security systems.

While all firms in the study use multi-layered security that helps reduce the likelihood of major security breaches, Which? said it believes that some providers that finished towards the bottom of its rankings fell short of the standards customers should expect.

TSB was scored 54% by Which? for its mobile app security and 67% for its online security – the lowest and second-lowest scores respectively.

Which? said the bank’s handling of sensitive data meant that it could be read by other apps running on the phone. The consumer group raised concerns that the app stores users’ credentials in a way which may make it more likely that other apps could access them.

TSB told Which? that the matter was under review and a fix will be “considered in the future”.

The bank also sent a phone number in a text alert that Which? said could be replicated by scammers.

TSB told Which?: “We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number.”

The consumer group also raised concerns about TSB’s password requirements, saying users may choose insecure passwords which could be easier for scammers to crack.

TSB said: “We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”

Which? ranked the Co-operative Bank bottom in its study for online security, with a score of 61%.

Regarding security on its mobile app, the Co-operative Bank came second to last, with a score of 57%.

Which? said the bank failed to require a two-factor authentication login on a test laptop and did not block customers from setting weak passwords.

Researchers could log in from two different IP addresses at the same time without the older session being terminated and, like TSB, there were still phone numbers in alerts and security codes sent via text.

The Co-operative Bank said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.

“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”

Which? said it is calling for TSB and the Co-operative Bank to urgently address the issues that its researchers found.

Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.

A Lloyds Banking Group spokesperson said: “Helping to keep our customers’ money and data safe is our priority and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats.

“We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.

“Whilst written in the Payment Systems Regulator’s regulation for secure customer authentication, Lloyds Banking Group has made the regulators aware that we would not enforce this on payments and logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction.

“Logons from new devices are verified through secondary verification to customers’ registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices.”

Starling Bank and NatWest/RBS were ranked top by Which? for online security, with both scoring 87%.

The top-ranked bank for mobile app security was HSBC, with a score of 78%.

HSBC posted solid scores for both its app and website, and researchers found no issues with logout or navigation, Which? said.

Barclays was ranked second in the mobile app rankings, with a score of 74%, but Which? found it had not fixed website management issues it identified last year, such as letting users access accounts from multiple browsers, IP addresses or devices at the same time.

The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking and is planning to add this additional layer of protection later this year.

Sam Richardson, deputy editor of Which? Money, said: “With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch.

“While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.

“With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across multiple government departments.”

A spokesperson for industry body UK Finance said: “Fraud has a devastating impact on victims, so the banking and finance industry’s primary focus is always on stopping fraud from happening in the first place. To do so, the industry invests heavily in cyber security and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data, and committing fraud.

“As the fraud landscape evolves, banks update and reinforce security measures on their platforms to mitigate potential threats, whilst maintaining a positive user experience for customers.

“We encourage customers to be alert to potential threats of fraud and always use secure passwords, avoid sharing one-time passcodes and personal and financial information. If you think you’ve fallen for a scam it’s important to contact your bank immediately, and report it to Action Fraud.”

By Press Association
