The websites and mobile applications of some of the UK’s most popular retail banks are riddled with security flaws that are putting consumers at risk of falling victim to digitally enabled fraud, according to a report from consumer organisation Which?.
Out of the banks assessed by Which? and security testing specialists Red Maple, Virgin Money, Nationwide, TSB and The Co-Operative Bank scored lowest for website security, while the most secure services were offered by Starling, HSBC, NatWest and Lloyds. First Direct, Barclays and Santander all scored somewhere in the mid-range.
For mobile app security, for which Red Maple also tested US newcomer Chase and Monzo, the worst scorers were Virgin Money, TSB and Lloyds, and the most secure were HSBC, Barclays and Starling.
Banks found themselves marked down on multiple measures, including failing to block weak passwords, sending one-time passcodes and sensitive data via SMS, and failing to time out inactive customer browser sessions. Points were also docked for allowing account access from multiple browsers or IP addresses at once.
“Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly,” said Sam Richardson, deputy editor at Which? Money.
“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”
Virgin on risky
Virgin Money, which was also one of the worst-rated banks in Which?’s 2022 study, scored just 52% overall out of a possible 100% on its website, and 54% on its app. It was found to have the weakest measures in place. Virgin Money failed on multiple counts, but in particular on navigation and logout, and on account management.
Red Maple said it found a total of six outdated Virgin Money apps with potential vulnerabilities. Of particular concern, Virgin Money does not properly block weak passwords or redact phone numbers on notifications, nor does it impose security checks if an account holder wants to make a payment to somebody new, change an email address, or edit a payee’s details.
TSB, which scored 66% for its website and 57% for its app, was found to have a highly lax and outdated approach to password security, and was criticised for exposing a potentially vulnerable subdomain to the public internet. It was also docked points for still using SMS-based security, for not alerting users to changes, and for including phone numbers in new-payee notifications. Nationwide, which scored 63% for online and 67% for mobile banking, slipped up when it came to notifying customers of changes to details.
“The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls,” said a Virgin Money spokesperson.
“A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”
A TSB spokesperson said: “We continue to invest in our online and mobile services – and work with globally leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention, and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”
A Nationwide spokesperson added: “Nationwide takes the security of its members and their money very seriously. We are never complacent and conduct regular testing of our systems to ensure that we maintain an appropriate level of protection, whilst ensuring a positive user experience. We will take the points raised by Which? on board as we continue to evolve our digital services.”
At the other end of the spectrum, Starling scored well across all categories, and was particularly commended for its joined-up approach to online and app security – it uses its app to authorise online logins and alert customers to suspicious activity. HSBC also performed consistently well, with few issues found on either its website or app.
Which? called for the retail banking sector to do more to improve its cyber defences against increasingly sophisticated scammers, and is urging the industry to make improvements such as blocking weak passwords and taking a more mature approach to data sharing.