Lloyds, TSB and Co-op Bank customers warned of online security ‘gaps’

April 24, 2024

TSB, Co-operative Bank and Lloyds have been told they need to “urgently address potential gaps” in online security regulations that could leave people vulnerable to fraudsters, according to new research.

Which? evaluated the apps and websites of 13 current account providers in January and February 2024 with the help of computer security experts.

Researchers at the consumer group tested banking website and app security in terms of login procedures, security “best practices,” account management, navigation, and logout.

However, they were unable to test the banks’ backend security systems.

While all firms in the study used multi-layered security that helps reduce the likelihood of major security breaches, Which? said it believed some providers at the bottom of the rankings were falling short of the standards customers should expect.

UK banks rated ‘unsafe’ for online and mobile security

TSB

TSB scored 54% for mobile app security and 67% for online security, achieving the lowest and second lowest scores respectively.

Which? said the bank’s handling of sensitive data meant it could be read by other applications running on the phone. The consumer group expressed concern that the app stores users’ credentials in a way that makes it more likely that other apps could access them.

TSB told the consumer group the issue was under review and a fix would be “considered in the future”.

The bank also sends a phone number via text message, which Which? said can be copied by fraudsters.

“We have removed phone numbers from the majority of SMS alerts; this alert was the last in our update plan to remove the phone number,” TSB told Which?

Concerns were also raised about TSB’s password requirements, with researchers saying users could choose insecure passwords that fraudsters could easily crack.

TSB said: “We continue to strengthen the security of our internet and mobile banking while providing our customers with a positive and useful user experience. This is reflected in our high app store ratings.”

Co-operative Bank

The Co-operative Bank came last in the Which? online security survey with a score of 61%.

For the security of its mobile app, the Co-operative Bank ranked second from last with a score of 57%.

Which? said the bank did not require two-factor authentication for logins on the test laptop and did not prevent customers from setting weak passwords.

Researchers could log in from two different IP addresses at the same time without terminating the old session, and as with TSB, alerts still included phone numbers and security codes sent via SMS.

The Co-operative Bank commented: “The security of our customers’ accounts is always our top priority. Customers can rest assured that we have strong security measures in place to protect themselves and their money.

“We are constantly reviewing and improving our security controls and will introduce a further set of improvements in 2024 to give our customers peace of mind that they can continue to bank with us safely and securely.”

Do you bank at TSB? (Image: Aaron Chown/PA)

Which? said it called on TSB and the Co-operative Bank to urgently address the issues identified by its investigators.

Lloyds Bank

Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? this makes transactions easier for vulnerable customers.

A Lloyds Banking Group spokesman added: “Helping keep our customers’ money and data safe is our priority and we have strong, multi-layered security across our online and mobile banking services to protect against potential cybersecurity threats.

“We employ world-class experts in cybersecurity and continually invest to ensure the right balance between online security measures, customer experience and accessibility.

“Despite being written into the Payment Systems Regulatory Authority’s secure customer authentication regulations, Lloyds Banking Group has advised regulators that we will not be enforcing this for payments and logins, given that sensitive customers and businesses may need longer than this to complete payment transactions.”

“Logins from new devices are verified through secondary authentication on customers’ registered phones to establish trust for all devices used. Given this, there is no device that the customer does not trust.”

Starling Bank, NatWest/RBS and HSBC ranked ‘safest’ for online and mobile security

Starling Bank and NatWest/RBS ranked first for online security according to Which?, both scoring 87%.

The bank that ranks highest in mobile application security is HSBC with a score of 78%.

HSBC posted solid scores for both its app and website, and researchers found no issues with logout or navigation, Which? said.

Barclays ranked second in the mobile app rankings with a score of 74%, but Which? found that it had not addressed website management issues identified last year, such as allowing users to access accounts from multiple browsers, IP addresses or devices at the same time.

The bank told Which? it uses other checks to assess the risk profile of devices accessing online banking and plans to add this additional layer of protection towards the end of this year.

Sam Richardson, deputy editor of Which? Money, said: “Given that many people are increasingly banking online or over the phone, it is vital that the banks we entrust our money to have the highest level of security protection.

“Whilst our investigation found no significant security issues, there were some areas of concern that we feel the banks in question need to urgently address so that savvy fraudsters cannot exploit loopholes to target innocent victims.

“With fraudsters still after our money and a general election approaching, the next government must make tackling fraud a national priority by appointing a fraud minister to work across multiple government departments.”
