mtkang - stock.adobe.com

Which? online banking investigation reveals ‘worrying gaps’ in security

Consumer rights organisation has ranked the security of UK online current account providers

An investigation by consumer rights organisation Which? has revealed gaps in online banking security systems at some major banks.

During its investigation of current account providers in the UK, conducted with security experts 6point6, it found that these gaps could leave customers exposed to fraud. Which? said the findings reinforce why banks must do more to protect their customers – and there must be mandatory reimbursement for victims of bank transfer scams.

The investigation ranked Tesco Bank bottom in terms of online safety and said Santander and TSB “have concerning vulnerabilities in security that could leave their customers exposed to fraud”.

Which? said: “While online banking is a largely safe way to manage money and this is being enhanced by measures such as behavioural biometrics, Which? is concerned that the issues exposed in our investigation highlight that banks could do more to prioritise security above all else.”

It said there were instances where scammers could potentially access information, which could be used as part of a sophisticated scam. “They could gain enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one,” it said.

When testing Tesco Bank online, researchers found security headers missing from its webpages. These, it said, protect against a range of cyber attacks by telling browsers how to behave when communicating with websites.

According to researchers, it failed to block testers from logging in to the website from two computer networks at the same time and did not log out testers when switching to another website or using the forward and back buttons to leave the session and return to it.

During its investigation, Which? also revealed that TSB’s login process did not meet new regulations on strong customer authentication (SCA), introduced in March.

SCA rules mean that any online payments worth more than €30 require two methods of authentication from the person making the payment, such as a password, biometric authentication such as a fingerprint, or having a phone that can identify them.

Read more about strong customer authentication

“Researchers were only asked for fixed account details, such as a name and password, which gives limited protection against attacks,” said Which?.

TSB told Which? that it was compliant with the regulation for all new customers and that it was being rolled out for existing online and mobile customers.

Meanwhile, researchers found that Santander authentication checks, when logging in, can be bypassed if a user designates a device as “trusted”.

Harry Rose, editor of Which? magazine, said: “Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.

“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”

Challenger bank Starling was deemed the safest online banking experience. Barclays, HSBC and First Direct ranked equal second, but Which? said they had areas for improvement.

Read more on IT for financial services