The provider scored 54% for its mobile app security, with a slightly higher 67% for its general online protection.
It was also the only lender to score two out of five stars in Which?’s banking security investigation for both the management of online accounts and best practices for its banking app.
Due to ‘improper use’ in its handling of sensitive data, information produced by the banking app could be read by other apps running at the same time.
TSB said the issue, which presents users with a medium risk of a security breach, is being reviewed and “will be considered in the future”. This follows an IT meltdown six years ago due to glitches in its online banking, which cost TSB £330m and led to 80,000 customers walking away from the bank.
Another factor behind the low score was the inclusion of a phone number in an SMS alert sent to customers, something that scammers could easily pick up and replicate in a future con. A further contributing factor was that its passwords are still only six characters long, which makes them much easier for fraudsters to hack.
The Co-operative Bank followed TSB at the bottom end of the table, scoring 61% for online security, thanks in part to the fact it is the only bank not to request a two-factor authentication log-in on a laptop, as well as the fact it does not prevent users from setting passwords considered weak.
Banks urged to fix ongoing issues
Following their underwhelming performance, the consumer champion has urged both banks to address the problems raised in its study.
At the other end of the scale were Starling and NatWest/RBS, which topped the charts for online security. Both scored four stars for log-in security and the highest five-star score for security best practices, account management and navigation.
HSBC was the leading provider for mobile banking app users, with features like not relying on SMS alerts for logging in, making it a high performer for security.
Protecting your data from scammers has never been more pertinent, as a case of fraud was reported to the national database every two minutes last year. Sophisticated data-harvesting techniques are an ongoing threat to customers of mobile and online banking.
Government needs to make fighting fraud a national priority
Sam Richardson, deputy editor of Which? Money, said “it’s crucial” with so many people on their phones during the day that the banks have security protections that are “up to scratch”.
Richardson said: “While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address so that sophisticated scammers can’t use loopholes to target innocent victims.
“With fraudsters still relentless in their pursuit of our money and a general election looming, the next Government must make fighting fraud a national priority, with a fraud minister installed to work across multiple Government departments.”
Here are six tips to help you bank safely when you are using online or mobile app services.
Six tips to bank safely
- Protect your mobile. Having your phone stolen needn’t put your money at risk. Add a unique PIN to your SIM card, register for Google’s Find My Device or Apple’s Find My iPhone, and disable preview notifications.
- Don’t use an out-of-date device. Updates contain security patches for new vulnerabilities, so if you bank online, don’t use a device that’s no longer supported.
- Choose strong, unique passwords. Avoid repeat or simple passwords – too many banks failed to block this. Use a password manager if you struggle to remember them. Dashlane and LastPass are decent free options – make sure your master password is secure.
- Keep your phone and bank cards separate. Never leave your mobile phone and bank cards unattended together – a thief could pass security checks when armed with both.
- Check your social media profiles for details. Remove personal data (email, date of birth, phone numbers) from online profiles, as this raises your risk of identity theft. Only accept friend requests from people you know. What you put online is public, so never use anything that’s out there in a password or security question.
- Act quickly. If you spot an unauthorised payment or changes you don’t recognise, report it immediately. Many banks let you freeze your debit card via their app, or they offer a 24/7 helpline to report lost and stolen cards.
Replies from the banks
Lloyds Banking Group
A Lloyds Banking Group spokesperson said: “Helping to keep our customers’ money and data safe is our priority, and we have robust, multi-layer security across our online and mobile banking services to protect against potential cybersecurity threats. We employ world-class experts in the cybersecurity field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.
“Whilst written on the Payment Systems Regulator’s regulation for Secure Customer Authentication, Lloyds Banking Group has made the regulators aware that we would not enforce this on Payments and Logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction.
“Logons from new devices are verified through secondary verification to customers’ registered phones to establish the trust for any devices used. Given this, there are no customer untrusted devices.”
TSB
TSB said: “We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”
The Co-operative Bank
The Co-operative Bank said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.
“We are constantly reviewing and enhancing our security controls, and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”