
Online banking security flaws exposed

Written by: Emma Lunn
Flaws in online banking security systems could leave customers exposed to fraud, according to Which?

A study by the consumer champion found that some banks are failing to use the latest protections for their websites and allow users to set insecure passwords.

Which? conducted an investigation with independent security experts 6point6, testing the online and mobile app security of the 15 largest current account providers. It looked at a range of criteria including encryption and protection, login, and account management and navigation.

Metro Bank, Virgin Money, and TSB received the lowest scores for online security in Which?’s testing, scoring 53%, 56% and 59% respectively.

A Monzo spokesperson said: “We strongly disagree with this assessment. Given every sensitive action or payment requires a customer to provide extra authentication in the form of a PIN or biometrics, the risk associated with remaining logged into the Monzo app is extremely low. We take security incredibly seriously and focus on policies and practices that we consider to be safest for Monzo customers.”

Banks must now carry out extra checks to verify customer identity as passwords can be easily guessed or stolen, but Which? found security flaws at several banks during the login process.

Triodos Bank allows customers to set insecure security words, such as ‘password’, ‘1234567’ and ‘admin’. The risk is mitigated by two-factor authentication at login, but Which? says there is no excuse for a bank to allow such weak credentials.

HSBC, NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money all let customers choose passwords that included their first name and/or surname.

Santander told Which? this is being phased out, while NatWest and Virgin Money said they might increase password limitations after the investigation.
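As an added illustration (not code from the Which? investigation or from any of the banks named), here is a minimal registration-time check of the kind that would reject the weak credentials described above: a common-credential denylist and a test for the account holder's name appearing inside the password. The denylist entries beyond the article's three examples, the minimum length and the function names are constructed for this example.

```python
import re

# Constructed denylist seeded with the weak credentials the article cites;
# a real deployment would use a much larger breach-derived list.
COMMON_CREDENTIALS = {"password", "1234567", "admin", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12          # assumed policy value for this example
MIN_NAME_FRAGMENT = 3    # ignore very short name parts such as the "O" in O'Brien


def _normalise(text: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Pass Word' and 'password' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str, first_name: str, surname: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    pw = _normalise(password)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if pw in COMMON_CREDENTIALS:
        problems.append("appears on the common-credential denylist")

    # Split the customer's name on spaces, hyphens and apostrophes and check
    # whether any meaningful fragment is embedded anywhere in the password.
    for part in re.split(r"[\s\-']+", f"{first_name} {surname}"):
        frag = _normalise(part)
        if len(frag) >= MIN_NAME_FRAGMENT and frag in pw:
            problems.append(f"contains the account holder's name ({part})")

    return problems


if __name__ == "__main__":
    # Constructed sample customer and candidate passwords.
    for candidate in ("password", "1234567", "admin", "JaneSmith2024!!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, "Jane", "Smith") or "OK")
```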

Which? identified potential weaknesses in subdomains of Metro Bank’s website which could allow hackers to compromise the server.

A Metro Bank spokesperson said: “We take our customers’ security extremely seriously and have a range of safeguards in place across all channels to help defend them against fraud. As well as the controls which are visible, we have controls in the background which support our customer journeys and provide invisible protection. We are continually evaluating and evolving our controls to prevent fraud.”

Testers found similar issues with First Direct and Lloyds. First Direct addressed the vulnerability as soon as Which? reported it and Lloyds said its subdomain was in the process of being decommissioned and ‘poses no security risk’.

Which? also found that Nationwide, TSB and Virgin Money failed to use software that ensures spoof messages sent by potential scammers are blocked or quarantined by your email provider.

TSB told Which? it has since introduced this protection. Virgin Money said this is in the works. Nationwide said it operates ‘a range of email security controls’ to protect members.

HSBC came out on top for online banking security, with a score of 81%. It was the only bank to score five stars for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards.

Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. Monzo was the lowest-scoring app it tested and was the only provider that does not ask users to log in every time. It said this is a ‘conscious design decision to strike a balance between risk and customer experience’.

Which? is calling for banks to work much harder to upgrade online security so they are providing high levels of protection for customers.

If a fraudster breaches your bank’s defences and you lose money as a result, you have a legal right to a refund from your bank – unless it can demonstrate that you were ‘grossly negligent’.

Jenny Ross, Which? money editor, said: “Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised.

“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”
