Consumer group Which? has highlighted deficiencies in online banking security that may leave customers vulnerable to fraud. Their investigation reveals that some banks are not implementing the latest protections for their websites and are allowing users to create insecure passwords.
With internet banking fraud incidents rising by 97% in the first half of 2021, Which? has expressed concern that too many banks are failing to prioritize essential security measures. The organization worked alongside independent security experts from 6point6 to assess the online and mobile app security of the 15 largest current account providers based on criteria such as encryption, login, and account management.
Metro Bank received the lowest score for online security, achieving only 53%. It was joined at the bottom by Virgin Money (56%) and TSB (59%). Although banks are required to implement additional identity verification checks due to the ease with which passwords can be guessed or stolen, Which? found multiple security vulnerabilities during the login processes at several banks.
For instance, Triodos Bank permits customers to set weak security words, such as “password” and “1234567.” While Triodos uses a two-factor authentication system with a physical ‘Digipass’ device to mitigate the risk, Which? stated, “There is no excuse for a bank to allow such weak credentials.”
Several banks, including HSBC, NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money, permit users to select passwords based on their first name or surname. In response to the findings, Santander announced plans to phase this out, while NatWest and Virgin Money indicated they might tighten password guidelines.
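A credential-policy check of the kind the report implies, added here as an example and not code from Which?, 6point6 or any of the banks named: it rejects the weak values the report cites (dictionary words, plain sequences) and any credential containing the customer's first name or surname. The blocklist and sample values are constructed for illustration; a production check would consult a large breached-password list.

```python
# Constructed blocklist of common credentials; a real deployment would use a
# large breached-password corpus (e.g. a k-anonymity range lookup) instead.
COMMON_CREDENTIALS = {"password", "1234567", "12345678", "qwerty", "letmein"}


def _is_sequential(s: str) -> bool:
    """True when every character steps +1 or -1 from the previous one
    (e.g. '1234567' or 'abcdef')."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_credential(candidate: str, first_name: str = "", surname: str = "",
                     min_length: int = 12) -> list[str]:
    """Return the list of policy failures for a proposed password or
    security word; an empty list means the value is acceptable."""
    failures = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if lowered in COMMON_CREDENTIALS:
        failures.append("appears on the common-credential blocklist")
    if _is_sequential(lowered):
        failures.append("is a simple ascending/descending sequence")
    if candidate.isdigit():
        failures.append("consists only of digits")
    if len(set(lowered)) == 1:
        failures.append("is a single repeated character")
    # Reject anything built from the account holder's own name, the weakness
    # the report attributes to several providers. Very short names (under
    # three characters) are skipped to avoid rejecting nearly everything.
    for label, name in (("first name", first_name), ("surname", surname)):
        name = name.strip().lower()
        if len(name) >= 3 and name in lowered:
            failures.append(f"contains the customer's {label}")
    return failures


if __name__ == "__main__":
    # Constructed customer and candidate values, not real data.
    for value in ("password", "1234567", "Smith2021Online!", "correct horse battery"):
        result = check_credential(value, first_name="Ann", surname="Smith")
        print(f"{value!r}: {'accepted' if not result else '; '.join(result)}")
```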
Additionally, TSB, Lloyds, Metro, Nationwide, Santander, and The Co-operative Bank continue to rely on SMS texts for identity verification during login—a method that can be compromised by cybercriminals. Both Santander and The Co-operative Bank indicated they are exploring alternatives to SMS verification.
Which? also identified vulnerabilities in Metro Bank’s website subdomains that could allow hackers to breach the server. Similar issues were found with First Direct and Lloyds. Following the report, First Direct addressed the vulnerability, while Lloyds stated that its subdomain was being decommissioned.
Metro Bank was noted for missing two critical security headers, which are essential for protecting against various cyber threats. Nationwide, TSB, and Virgin Money were found not to be using software that blocks or quarantines spoofed messages from scammers, although TSB has since implemented this protection, and Virgin Money is working on it. Nationwide asserted that it employs multiple email security controls to protect its members.
On a positive note, HSBC emerged as the top performer, scoring 81%. It was the only bank to achieve five stars for website encryption and account management, receiving an A+ rating for its cipher strength, which indicates compliance with the latest encryption standards.
In addition to website assessments, Which? asked 6point6 to evaluate each provider’s banking app for vulnerabilities. Monzo scored the lowest among the apps tested, primarily because it does not require users to log in every time. The bank stated this was a deliberate design choice to balance risk with user experience.
Lloyds, Nationwide, Santander, and TSB lost points due to the requirement that online and mobile banking utilize the same login credentials.
Jenny Ross, Which? Money Editor, commented, “Our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised. Our research underscores the urgent need for banks to enhance their fraud prevention measures by employing the latest protections for their websites and discontinuing the use of insecure passwords. We also urge banks to eliminate SMS as a method for sending sensitive information to customers to reduce the risk of fraud.”