Some UK banks are letting their customers down with poor authentication and web security issues, according to a consumer rights group.
Which? again teamed up with independent security consultants 6point6 to assess the front-end security of 15 current account providers. The researchers looked at four criteria: encryption and protection, connection, account management, and browsing.
The report found that while all lenders followed the Strong Customer Authentication (SCA) rules set out in European banking regulations, some still exposed their customers to SIM swapping attacks.
Specifically, these banks rely on two-factor verification via SMS, which an attacker can intercept after tricking the victim’s mobile network operator into transferring the victim’s phone number to a SIM card the attacker controls.
Lloyds, Metro, Nationwide, TSB, Santander and The Co-operative Bank all lost points in the tests for this, although the latter two claimed they were “looking to get away from texting”, according to Which?.
The report also highlighted issues with insecure passwords.
“We were shocked to find that Triodos allowed customers to set insecure security words, including ‘password’, ‘1234567’ and ‘admin’. The risk is mitigated by two-factor authentication upon login (using their physical ‘Digipass’ device), but there is no excuse for a bank to allow such weak credentials”, Which? argued.
“Six banks (HSBC, NatWest, Santander, Starling, The Co-operative Bank and Virgin Money) allow you to choose passwords that include your first and/or last name. Santander told us that this is in the process of being removed, and NatWest and Virgin Money said they may increase password limits after our investigation.”
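The two weaknesses Which? describes above (trivial secrets such as ‘password’ or ‘1234567’, and passwords that contain the account holder’s own name) are both cheap to reject at the point where a credential is set. The following is an added illustration, not code from Which?, 6point6 or any of the banks named; the blocklist, the 12-character minimum and the sample submissions are constructed for the example.

```python
import re

# Constructed blocklist: the three values the report names plus a few others.
# A production check would use a large breached-password corpus, not this list.
COMMON_PASSWORDS = {"password", "1234567", "admin", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy value for this example


def _normalise(value: str) -> str:
    """Lowercase and drop non-alphanumerics so 'Pass-word!' still matches 'password'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def password_problems(password: str, first_name: str = "", last_name: str = "") -> list:
    """Return the reasons a candidate password is unacceptable; an empty list means it passes."""
    problems = []
    norm = _normalise(password)

    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if norm in COMMON_PASSWORDS:
        problems.append("common password")
    if norm.isdigit():
        problems.append("digits only")
    for label, name in (("first name", first_name), ("last name", last_name)):
        needle = _normalise(name)
        # Ignore very short names (e.g. "Li") so two-letter substrings do not cause spurious rejections.
        if len(needle) >= 3 and needle in norm:
            problems.append(f"contains {label}")
    return problems


def is_acceptable(password: str, first_name: str = "", last_name: str = "") -> bool:
    """Convenience wrapper: True when the password raises no problems."""
    return not password_problems(password, first_name, last_name)


if __name__ == "__main__":
    # Constructed sample submissions for the account holder "Alice Smith".
    for pw in ("password", "1234567", "AliceSmith2024!", "correct-horse-battery"):
        print(f"{pw!r}: {password_problems(pw, 'Alice', 'Smith') or 'OK'}")
```

The name check compares normalised strings, so mixed case and punctuation around the name do not let it through; the check is deliberately case-insensitive because the Which? finding concerns the name appearing at all, not a specific spelling.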
Virgin Money has also been singled out for allowing researchers to create a new payee without additional security measures.
The report also revealed three banks with vulnerable subdomains that could potentially be compromised, and a banking app that doesn’t require users to log in every time.
Overall, HSBC came out on top in online banking security tests with a score of 81%, and First Direct ranked first for mobile banking security, with a score of 77%.