Banks put customers at “risk of fraud” with outdated online security

Person using phone text code to log in to site – Yiu Yu Hoi/Getty Images

According to a study, banks put customers at risk of fraud by sending security codes via SMS.

In a study of 13 checking account providers, Which? found that many sent a one-time passcode via text message, although the consumer group said it was the most insecure way to authenticate customers as criminals increasingly intercepted such texts.

Instead, the group gave top marks to banks that asked customers to log in with a card reader or their mobile banking app every time.

It identified the vulnerability as one of a series of vulnerabilities in the websites and apps of some of the largest banks, putting consumers at increased risk of falling victim to fraud.

Insecure passwords, lax checks on new payees, and vulnerable login processes were among the vulnerabilities found by the consumer group.

Fraud costs £85m in six months

It follows reports of 29,102 remote banking scams worth almost £85m to UK Finance, the industry body, in the first half of 2022.

For research, Which? tested customer-facing security systems from 13 current account providers from September to November 2022 with the help of independent security experts from Red Maple Technologies.

Banks were rated across four key categories — login, navigation and logout, account management, and encryption — for both their online banking security and app security.

Among other things, banks were penalized for not adequately blocking weak passwords, sending one-time passwords or other sensitive information via text messages, which is the least secure approach, and not logging customers out after five minutes of inactivity.

For logins – which includes verifying passwords and passcode processes – HSBC led the ranking with five stars out of five, followed by Starling, Lloyds, First Direct, Nationwide and Virgin Money with four stars. TSB, Santander, Barclays and NatWest received three stars.

Virgin Money received the lowest overall scores for online (52 percent) and app banking (54 percent). The study found six outdated Virgin Money web applications that had potential vulnerabilities.

Virgin Money failed to adequately block weak passwords and remove phone numbers from notifications, the investigation found. It also found that there were no security checks to repay someone, change an email address, or edit a payee’s details.

‘Robust, multi-layered controls’

A Virgin Money spokesman said: “The security of our banking services is our top priority and we continuously monitor, evaluate and improve our security controls.

“Some of the issues raised in this study relate to choices we’ve made to enhance the digital user experience while ensuring our robust, multi-layered controls to protect customer accounts remain in place.”

TSB earned the second-lowest score for its app, at 57 percent, but scored slightly higher for its online offering, at 66 percent.

Which? said it still asks basic security questions, such as B. “Name your favorite food” to restore the login data. It also failed to block weak passwords and only required six characters. There was also a potentially vulnerable subdomain, which TSB says will be removed in 2023, and two deprecated web applications.

TSB also lost points for using SMS-based security, sending out alerts for sensitive account changes, and including phone numbers in notifications for new payees.

A spokesman for TSB said: “We continue to invest in our online and mobile services – and work with world-leading technology companies to offer our customers both security and accessibility.

“TSB is also well positioned in the industry for fraud prevention, and we are the only bank that protects its customers with a money-back guarantee if they are ever the victim of fraud.”

Source