An investigation by consumer rights organization Which? revealed shortcomings in the online banking security systems of some major banks.
During its investigation of UK current account providers, conducted with security experts from 6point6, Which? found that these loopholes could expose customers to fraud. Which? said the findings reinforce why banks need to do more to protect their customers – and why there needs to be mandatory reimbursement for victims of wire transfer scams.
The investigation ranked Tesco Bank last in terms of online security and said Santander and TSB “have security vulnerabilities that could expose their customers to fraud.”
Which? said: “While online banking is a largely secure way to manage money and this is enhanced by measures such as behavioral biometrics, Which? is concerned that the issues exposed in our survey highlight that banks could do more to put safety first.”
Which? said there were instances where crooks could potentially gain access to information that could be used as part of a sophisticated scam. “They might get enough sensitive information to get compelling inconvenience, like posing as a bank clerk to persuade a customer to transfer money from their bank account to a fraudulent account,” it said.
During Tesco Bank’s online test, researchers found missing security headers on its web pages. These, Which? said, protect against a range of cyber attacks by telling browsers how to behave when communicating with websites.
According to the researchers, it failed to prevent testers from connecting to the website from two computer networks at the same time and did not disconnect testers when they switched to another website or used the forward and back buttons to exit and return to the session.
During its investigation, Which? also revealed that TSB’s login process violated new Strong Customer Authentication (SCA) regulations, introduced in March.
SCA rules mean that any online payment worth more than €30 requires two methods of authentication from the person making the payment, such as a password, biometric authentication such as a fingerprint, or a phone, to identify them.
“The researchers were only asked for fixed account details, such as a name and password, which provides limited protection against attacks,” Which? said.
TSB told Which? that it was regulatory compliant for all new customers and that this was being rolled out for existing online and mobile customers.
Meanwhile, researchers found that Santander’s authentication checks, upon login, can be bypassed if a user designates a device as “trusted.”
Harry Rose, Editor-in-Chief of Which? magazine, said: “Banks must lead the battle against fraud, but our security tests have revealed a significant gap between the best and the worst providers when it comes to protecting people from the threat of having their account compromised.
“The serious shortcomings we have exposed with some vendors reinforce the need for banks to improve their game on scam protection, and for greater transparency and higher standards in fraud reimbursement to be made mandatory for all banks and payment providers.”
Challenger Starling Bank has been rated as the safest online banking experience. Barclays, HSBC and First Direct are tied for second, but Which? said they had areas for improvement.