UK banks are failing to do enough to protect customers from fraud, leaving them vulnerable to flaws in online security systems, according to new research from the consumer group Which?
Some banks are not using the latest protections for their websites and are allowing customers to choose insecure passwords for their accounts.
Which?, along with security experts 6point6, investigated the online and mobile app security of the 15 largest current account providers in the UK. They tested the banks on a range of criteria including encryption and protection, login, and account management and navigation.
Metro Bank (MTRO.L) received the lowest rating for online security, with an overall score of just 53%.
The bank was found to have potential weaknesses in subdomains of its website which could allow cybercriminals to compromise the server.
Two security headers were also missing from Metro Bank’s website. These protect customers against a range of cyberattacks by telling the user's browser how to behave when it communicates with the website.
Virgin Money (VMUK.L) was second from bottom with 56%, followed by TSB (59%), Triodos (63%), and First Direct (67%).
Banks are supposed to have extra checks in place to verify customer identity as passwords can be guessed or stolen by hackers, but the investigation discovered security flaws at several banks during the login process.
The online system for Triodos Bank (TRIGF.AS) allows customers to choose insecure security words, including easily guessable passwords such as "password", "1234567" and "admin".
The bank reduces the risk by using two-factor authentication at login with its physical "Digipass" device, but allowing such weak credentials leaves users exposed to fraud, according to Which?
HSBC (HSBA.L), NatWest (NWG.L), Santander (BNC.L), Starling, The Co-operative Bank, and Virgin Money all let customers set passwords that include the user's first name and/or surname. Santander told Which? this is being phased out and NatWest and Virgin Money said they may increase password limitations after the investigation.
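A minimal password-policy check of the kind Which? says these banks lacked, rejecting the trivial values named above and any password that embeds the customer's own first name or surname. This is an added illustration, not code from Which?, 6point6 or any bank; the blocklist contents and the 12-character minimum are assumptions.

```python
import re
from typing import List

# Constructed blocklist: the weak values cited in the findings plus a few
# obvious variants. A real deployment would use a large breached-password list.
WEAK_PASSWORDS = {"password", "1234567", "admin", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed minimum; the article does not state one


def _normalise(value: str) -> str:
    """Lower-case and strip non-alphanumerics so "O'Brien" compares as 'obrien'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def password_policy_violations(password: str, first_name: str, surname: str) -> List[str]:
    """Return the policy rules the password breaks (an empty list means acceptable).

    The rules mirror the weaknesses reported above: dictionary-trivial values
    and passwords that contain the customer's first name or surname.
    """
    problems = []
    norm_pw = _normalise(password)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if norm_pw in WEAK_PASSWORDS:
        problems.append("on the weak-password blocklist")

    # Reject any name component of 3+ characters appearing anywhere in the
    # password, ignoring case and punctuation (e.g. 'Jane', 'jane', 'JANE1').
    # Names are split on spaces and hyphens so 'Jane-Marie' checks both parts.
    for label, name in (("first name", first_name), ("surname", surname)):
        for part in re.split(r"[\s\-]+", name):
            part_norm = _normalise(part)
            if len(part_norm) >= 3 and part_norm in norm_pw:
                problems.append(f"contains the customer's {label} ({part})")
                break

    return problems
```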
TSB, Lloyds (LLOY.L), Metro, Nationwide, Santander and The Co-operative Bank also all still use SMS texts to verify users when they sign in to their accounts, leaving messages at risk of being hijacked by hackers. Santander and The Co-operative Bank told Which? that they are looking to move away from SMS verification.
Nationwide, TSB and Virgin Money were not utilising software that ensures spoof messages sent by potential scammers are blocked or flagged by email providers. TSB told Which? it has since introduced this protection. Virgin Money said they are working on bringing this in. Nationwide said it operates "a range of email security controls" to keep customers safe.
HSBC took the top spot for the bank with the best online security, with a score of 81%. It was the only bank to receive top marks for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards.
NatWest was in second place with 75%, followed by Barclays (BARC.L) (73%), Santander (72%), and Starling (72%).
The investigation also looked at each provider’s banking app for potential flaws. Monzo was the lowest-scoring app, with just 46%.
It is the only provider that does not ask users to log in every time they open the app. The challenger bank told Which? that this is a "conscious design decision to strike a balance between risk and customer experience".
Lloyds, Nationwide, Santander, and TSB lost points because their online banking and mobile apps require the same login credentials. Asking for app-specific passcodes provides a higher level of protection, Which? said.
Cases of internet banking fraud rose by 97% in the first half of 2021, according to Which? The group is calling on banks to upgrade their online security systems in order to give customers more protection.
Jenny Ross, Which? money editor, said: “Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised.
“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”