Banks Urged to Address Security Loopholes After Which? Investigation
Consumer watchdog Which? has sounded the alarm over security vulnerabilities in the online banking platforms of certain banks, emphasizing the urgent need for action to safeguard customers against fraud.
A comprehensive investigation conducted by Which? revealed potential loopholes that could compromise user accounts, highlighting concerns over the security measures employed by 13 current account providers. TSB and The Co-operative Bank were identified as having particularly weak security protocols, while Starling Bank and NatWest/RBS emerged as industry leaders in online security.
The assessment, carried out earlier this year with the assistance of cybersecurity specialists, meticulously evaluated the security of banking websites and apps, focusing on login procedures, adherence to security best practices, account management, navigation, and logout processes. However, the researchers were unable to probe the banks’ internal security infrastructure.
Despite the implementation of multi-layered security measures by all firms, Which? expressed concerns that some banks, particularly those with lower rankings in their assessment, were not meeting the high standards that customers deserve.
TSB’s Security Concerns
TSB’s mobile app security was rated at a mere 54 percent by Which?, while its online security fared slightly better at 67 percent, ranking it lowest and second-lowest in these categories respectively.
Which? highlighted worrying practices at TSB, such as the way sensitive data is handled, potentially allowing other phone apps to read it. The group also flagged issues with how the app stores user credentials, possibly increasing the risk of access by malicious apps.
TSB has acknowledged the concerns raised by Which? and stated that the issue is being reviewed, with a potential fix to be “considered in the future”.
Co-operative Bank’s Security Shortcomings
The Co-operative Bank was ranked last in Which?’s study examining online security, garnering a score of 61 percent. When it came to mobile app security, the Co-operative Bank scored just 57 percent, placing it second to last.
Which? criticized the bank for not implementing two-factor authentication at login on a testing laptop, and for not preventing the use of simple passwords. Researchers noted that they could log into the same account from multiple IP addresses without the previous session ending. Additionally, as with TSB, phone numbers were still included in alerts and text-based security codes.
Responding to the criticisms, The Co-operative Bank declared: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.”
“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”
Call for Urgent Action
Which? has expressed concerns over the issues found at TSB and the Co-operative Bank, calling for an urgent review and rectification.
Deputy Editor of Which? Money, Sam Richardson, commented: “With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch.”
Richardson further noted: “While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.”
He also stressed the importance of prioritizing fraud prevention, especially with the general election on the horizon, calling for the next government to appoint a dedicated fraud minister to spearhead efforts across various departments.
A representative for industry body UK Finance stated: “Fraud has a devastating impact on victims, so the banking and finance industry’s primary focus is always on stopping fraud from happening in the first place. To do so, the industry invests heavily in cyber security and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data, and committing fraud.”
“As the fraud landscape evolves, banks update and reinforce security measures on their platforms to mitigate potential threats, whilst maintaining a positive user experience for customers.”
“We encourage customers to be alert to potential threats of fraud and always use secure passwords, avoid sharing one-time passcodes and personal and financial information. If you think you’ve fallen for a scam it’s important to contact your bank immediately, and report it to Action Fraud.”