Which? conducted an investigation with independent security experts 6point6, scrutinising the online banking safety measures in place across the largest current account providers.
The consumer watchdog’s investigation found that some of the biggest banks, such as Santander, Tesco Bank and TSB, have concerning vulnerabilities in security that could leave their customers exposed to fraud.
While online banking is a largely safe way to manage money and this is being enhanced by measures such as behavioural biometrics, Which? is concerned that the issues exposed by its investigation highlight that banks could do more to prioritise security above all else.
In some of these instances, there is the potential for scammers to access information which could be used as the building blocks of a sophisticated scam – arming a fraudster with enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one.
Many victims of these scams – which potentially have lax bank security measures at their heart – then face a double blow as some banks disregard the obligations to reimburse victims that they signed up to last year.
Tesco Bank received the poorest rating for online security in Which?’s testing, with an overall score of just 46 per cent.
Researchers found multiple security headers missing from its webpages. These are important as they protect against a range of cyberattacks, by telling your browser how to behave when it communicates with the website. It also failed to block testers from logging in to the website from two computer networks at the same time.
In addition, it failed to log out testers when switching to a different website or using the forward/back button to leave the session and return to it.
TSB finished second from bottom with a score of 51 per cent. Among the issues identified in Which? testing, the most serious was the firm’s login process, which did not meet new regulations on ‘strong customer authentication’ (SCA), introduced in March.
To gain access, researchers were only asked for fixed account details such as a name and password, which gives limited protection against attacks. Under the regulation, banks must add an extra layer of identification checks to confirm it is the customer logging into the online account.
TSB told Which? in November 2020 that it is compliant with the regulation for all new customers and that SCA is being rolled out for existing online and mobile customers, but could not say when this will be completed.
The forced upgrade has since been completed for mobile app users but is still being rolled out for online banking users.
TSB customers do at least enjoy some peace of mind due to the bank’s fraud refund guarantee, which ensures the vast majority of scam victims get their money back.
Santander rounded off the bottom three, with a score of 62 per cent. Testing found that authentication checks when logging in can be bypassed if a user designates a device as ‘trusted’. While the firm said it does ask for reauthorisation if it detects unusual activity, there’s no option to view or ‘distrust’ these devices.
At the other end of the table several banks did demonstrate strong security measures.
Starling came out on top, with a score of 85 per cent. Experts found nothing concerning with its recently launched online banking website. This is partly due to limited functionality, as users can only change sensitive data via the app.
Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption. Barclays, HSBC and First Direct tied for second spot, with a score of 78 per cent, but had areas for improvement.
Although each had strong login measures, testers only needed basic details to recover a Barclays membership number, and could log in using two different computer networks without being ejected from one.
In First Direct’s case, the pre-set security questions for forgotten passwords were too basic, while there was no alert for password changes or new payees and special characters can not be used in passwords.
Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. It checked to see if firms detected testers downloading its app in an emulated device or running it on a rooted device.
Emulated devices are used by developers for testing – and by fraudsters to discover weaknesses. A rooted device is one where the device is ‘jailbroken’ to bypass the operating system’s restrictions, making it easier for hackers to steal information from banking apps.
Monzo, Nationwide and TSB failed to perform both emulator and root detection, although Monzo disagrees that this exposes its app to security weaknesses and told Which? that root and emulator detection can be unreliable.
Many of the banks included in Which?’s investigation are signed up to the industry code on bank transfer scams, which pledges to reimburse scam victims who are not at fault.
However, the number of victims who get their money returned by banks is worryingly low, standing at around the 40 per cent mark. Because firms apply the code inconsistently and are not required to publish their reimbursement rates, scam victims face a lottery when it comes to getting their money back.
Which? is calling for the voluntary bank transfer scams code to be overhauled so that stronger consumer protections and reimbursement for scam victims become mandatory for all banks and payment providers. The regulator should also be required to regularly publish reimbursement rates of individual banks so consumers can check on their account provider’s performance.
Says Harry Rose, Editor of Which? Magazine:
“Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”
Tesco, Santander and TSB right of replies
A Tesco Bank spokesperson said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money. Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards. We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”
A TSB spokesperson said: “TSB customers who use their mobile app already have SCA and we’re continuing to roll it out for those who use internet banking.”
A Santander spokesperson said: “Santander takes online security very seriously and we invest a great deal in cyber security and fraud prevention and ensuring we protect our customers’ money and data safely and effectively. The Which? review only focuses on the customer-facing elements of security and it is important to understand that there are many other ‘back end’ measures that we employ to ensure we keep our customers safe whilst offering optimum customer experience.”