Research by consumer group Which? found that online banking customers were at risk of fraud due to their banks’ cybersecurity practices.
In collaboration with the security company 6point6 and a group of volunteers, Which? analyzed the online banking platforms and mobile applications of 15 banks and building societies.
The consumer group rated financial institutions in four areas, namely encryption, login, account management, and browsing and logout. Which? discovered “worrying security flaws” and revealed a significant gap between the best and worst performers. The group advised banks to improve online security for their customers by adopting the latest security protections.
Several banks lag behind in online banking security
According to Which?, HSBC, NatWest and Barclays came out on top in online banking, with some areas for improvement. HSBC ranked first because it was the only bank to earn five stars in website encryption and account management.
TSB, Virgin Money and Metro Bank were among the worst performers in online banking security. According to Which?, HSBC, Starling, NatWest, Santander, Co-operative and Virgin Money allow customers to use their name as a password.
“These findings are not surprising. Positive Technologies research also shows that banks have a number of weak points in customer account security,” said Maxim Kostikov, head of banking security at Positive Technologies. “And we’re seeing weak password policies, the inability for users to change their login username when needed, and the lack of two-factor authentication for critical actions.”
TSB, Lloyds, Metro, Nationwide, Santander and Co-operative Bank verify user logins via texts that could be intercepted by cybercriminals. Santander and Co-operative Bank told Which? Money that they were moving away from these practices.
Nationwide, TSB and Virgin Money lacked software capable of flagging spoofed messages sent by scammers so that third-party email providers can block such emails. However, TSB said it had already introduced this protection, while Virgin Money said it was in the process of doing so. Likewise, Nationwide said it has “a range of email security controls” in place to protect its customers from tampered messages.
Monzo does not require users to log in every time and says the design was deliberate to strike a balance between security and user experience, and that the risk associated with staying logged in was minimal.
Security vulnerabilities expose customers to potential fraud
“Banks must lead the battle against fraud, but our security tests have revealed worrying flaws when it comes to protecting people against the threat of having their account compromised,” said Harry Rose, editor-in-chief of Which?.
Which? noted that the online banking situation could allow scammers to obtain enough information to carry out convincing scams. These include fraudsters posing as bank employees and convincing customers to transfer money to their accounts.
However, the consumer group noted that the banks had behind-the-scenes security processes that they could not legally assess.
Rose added that while “online banking is largely safe,” banks could do more to prioritize the safety of their users.
“The serious failings we have exposed with some providers reinforce the need for banks to improve their protection against scams, and to mandate greater transparency and higher standards for all banks and payment providers. reimbursement of fraud.”
Oliver Pinson-Roxburgh, CEO of Defense.com, said customers are more digital savvy and want reassurance that their banking partners put their security first.
“It is frustrating, but not surprising, that so many banks fail to provide the highest standards of security to their customers,” Pinson-Roxburgh noted. “Every enterprise access point, internal or external, must be constantly reviewed and pass rigorous security checks.”
Kostikov says users should stay safe online by monitoring their digital security. He advises them to have different SIM cards and different mailboxes for different needs, for example, shopping, traveling, etc.
“If you use a separate phone number for the bank, a leak from another site will not affect your bank account. And get a virtual credit card for online payments or for PayPass and set a maximum limit for purchase costs. This way, attackers will not see your main payment card if data is leaked in the stores where you have made your purchases.”