According to a new study, customers of online banks are exposed to worrying risks of fraud.
Consumer group Which? urged providers to “up their game” by using the latest protections for their websites and not allowing customers to set insecure passwords.
It conducted a survey with security firm 6point6, testing the security of online and mobile applications from 15 major current account providers on a range of criteria, including encryption and protection, login, management and browsing of accounts.
Six banks – HSBC, NatWest, Santander, Starling, the Co-operative Bank and Virgin Money – allow people to choose passwords that include their first and/or last name.
Santander said which one? this is being phased out, while NatWest and Virgin Money said it may now increase password limitations.
The TSB, Lloyds, Metro, Nationwide, Santander and Co-operative Bank also used text messages to verify people when connecting, leaving messages at risk of being hacked by cybercriminals.
Santander and the Co-operative Bank said which one? they were trying to get away from it.
Which? also claimed that Nationwide, TSB and Virgin Money do not use software to ensure that fake messages sent by potential scammers are blocked or quarantined by someone’s email provider.
The TSB said it had since introduced this protection, while Virgin Money said it was in the process of doing so. Nationwide said it has “a range of email security controls” to protect members.
HSBC came out on top for online banking security, earning five stars for website encryption and account management. First Direct, which is a division of HSBC UK, was ranked first for mobile app security.
Metro Bank was ranked low for online security, while Monzo was ranked low for mobile app security.
Which? Monzo said it’s not asking people to log in every time, with the bank saying it was a “conscious design decision to balance risk and customer experience.”
A Monzo spokesperson said: “We strongly disagree with this assessment – given that every sensitive action or payment requires a customer to provide additional authentication in the form of a PIN or biometric data, the risk associated with staying logged into the Monzo app is extremely low.
“We take security extremely seriously and focus on the policies and practices that we believe are the most secure for Monzo customers.”
Metro Bank also said: “We take the security of our customers very seriously and have implemented a range of protections across all channels to help them defend against fraud.
“In addition to visible controls, we have background controls that support our customer journeys and provide invisible protection. We are continually evaluating and developing our controls to prevent fraud.
Which? said the criteria reviewed included encryption and protection, logging in, account management, and browsing.
He said that every bank and building society has security processes behind the scenes and that is not possible for whom? to legally test them.
Which? Money editor Jenny Ross said: ‘Banks must fight the battle against fraud, but our security tests have revealed worrying flaws when it comes to protecting people from the threat of seeing their compromised account.
“Our research reinforces the need for banks to up their game in the fight against fraud by using the latest protections for their websites and not allowing customers to set insecure passwords – we also want banks stop sending sensitive data to customers via text messages, as this could leave the door open to fraudsters.
The banks have stressed that security is a top priority.
The TSB said it has several security features that are not factored into the results and pointed to its money-back guarantee in the event of fraud.
Virgin Money said: “The safety and security of our banking services is our top priority and we continually monitor, assess and improve our security controls.”
Co-operative Bank said it is continually reviewing controls to maintain the security of banking operations.
HSBC Group said: “We are deploying advanced cybersecurity controls and identifying and responding to threats in a timely manner.
Lloyds Banking Group said: “We have robust, multi-layered security across online and mobile banking to protect against cybersecurity threats. We employ world-class experts in the field of cybersecurity.
Nationwide said, “We employ round-the-clock defenses to monitor our systems and look for suspicious activity.”
NatWest Group said: “We continue to invest in our digital security capabilities, leveraging market-leading technologies – for example, multi-factor authentication and our work on biometrics – to deliver simple and secure banking services. to our customers”.
Santander said it continues to “invest heavily to ensure the safety of our customers”.
Starling Bank said it has integrated security technology into its app and systems “to provide customers with an easy-to-use, secure and seamless experience.”
Don’t miss the latest headlines with our twice-daily newsletter – subscribe here for free.