Bank security loopholes leave customers open to crooks

Consumer group Which? has found loopholes in online banking security that could expose customers to fraud, with some banks not using the latest protections on their websites and allowing customers to set insecure passwords.

With internet banking fraud cases up 97% in the first half of 2021, the consumer champion fears too many banks are still neglecting important security protections.

Which? worked with independent security experts 6point6 to test the online and mobile banking services of the 15 largest current account providers against a range of criteria, including encryption and protection, login, account management and navigation.

Metro Bank received the lowest score for online security in Which?'s tests, with an overall score of just 53%. It was joined in the bottom three by Virgin Money (56%) and TSB (59%).

Banks now need to perform additional checks to verify customer identities, because passwords can be easily guessed or stolen, but Which? found security holes in several banks' login processes.

Triodos Bank allows customers to set insecure security words, including "password", "1234567" and "admin". The risk is mitigated by two-factor authentication at login using its physical "Digipass" device, but "there is no excuse for a bank to allow such weak credentials", Which? says.

Six banks – HSBC, NatWest, Santander, Starling, The Co-operative Bank and Virgin Money – allow customers to choose passwords that contain their first and/or last name. Santander told Which? this is being phased out, and NatWest and Virgin Money said they may tighten their password restrictions following the investigation.
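The two password findings above (a blocklist of weak values such as "password", "1234567" and "admin", and a ban on passwords that contain the customer's own name) are the kind of check a bank's registration and password-change endpoints should run. The following is an added example written for this page, not code from Which?, 6point6 or any of the banks named; the minimum length, the small blocklist, the leet-folding table and the sample customer names are assumptions chosen for illustration.

```python
"""Password-policy checks of the kind the Which? findings call for.

Added example, not code from Which?, 6point6 or any bank. The rules,
the blocklist and the sample names below are assumptions for illustration.
"""
import re
import unicodedata

# Constructed blocklist. The first three entries are the values the article
# reports Triodos accepting; a real deployment would load a large
# breached-password list (hundreds of millions of entries) instead.
WEAK_VALUES = {"password", "1234567", "admin", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed policy minimum


def _normalise(value: str) -> str:
    """Lower-case and strip accents so 'José' and 'jose' compare equal."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def _leet_fold(value: str) -> str:
    """Fold common digit/symbol substitutions so 'p@ssw0rd' matches 'password'."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s", "!": "i"})
    return value.translate(table)


def _is_sequential(value: str) -> bool:
    """True when every character is exactly one code point after the previous (1234567, abcdefg)."""
    return len(value) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(value, value[1:]))


def check_password(password: str, first_name: str, last_name: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    pw = _normalise(password)
    folded = _leet_fold(pw)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Exact match against the blocklist, or a blocklisted word of six or more
    # characters embedded in the leet-folded password ('P@ssw0rd1234').
    if pw in WEAK_VALUES or folded in WEAK_VALUES or any(
            len(w) >= 6 and w in folded for w in WEAK_VALUES):
        problems.append("on the weak-password blocklist")

    # Reject passwords that contain the customer's own identifiers, which the
    # article reports six banks allowing. Identifiers under three characters
    # are ignored to avoid rejecting every password for a customer called "Al".
    for label, ident in (("first name", first_name), ("last name", last_name), ("username", username)):
        ident_n = _normalise(ident)
        if len(ident_n) >= 3 and (ident_n in pw or ident_n in folded):
            problems.append(f"contains {label}")

    if re.fullmatch(r"(.)\1*", pw):
        problems.append("single repeated character")
    elif _is_sequential(pw):
        problems.append("sequential characters")

    return problems


if __name__ == "__main__":
    # Constructed customer and candidate passwords, not real data.
    for candidate in ("password", "1234567", "AliceSmith2021!", "P@ssw0rd1234",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, 'Alice', 'Smith') or 'OK'}")
```

The containment check deliberately runs against both the normalised and the leet-folded form, so "Sm1th" is still caught as the surname. Length is checked on the raw password, not the normalised one, so a multi-byte name is not penalised by accent stripping.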

TSB, Lloyds, Metro, Nationwide, Santander and The Co-operative Bank also rely only on SMS to verify customers when they log in, leaving those messages at risk of being intercepted by cybercriminals. Santander and The Co-operative Bank told Which? they are looking to move away from text messages.

Which? identified potential weaknesses in subdomains of Metro Bank's website that could allow attackers to compromise the server. Testers found similar issues at First Direct and Lloyds. First Direct fixed the vulnerability as soon as Which? reported it, and Lloyds said its subdomain was in the process of being taken out of service and "poses no security risk".

The testers also found two security headers missing from the Metro Bank website. These headers matter because they protect against a range of attacks by telling the browser how to behave when it communicates with the site.
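The article does not say which two headers were absent, so the check below is an added example written for this page rather than Which?'s or 6point6's test, and the sample response it audits is constructed, not a capture from any bank. It takes the head of an HTTP response (for instance the output of `curl -sI https://example.test/`), and reports headers that are missing or set to a weak value; the list of headers and the thresholds follow common published guidance and are assumptions of this example.

```python
"""Audit of HTTP response security headers. Added example; not code from
Which?, 6point6 or Metro Bank. The header list and thresholds are assumed.
"""
import re

ONE_YEAR = 31536000


def _check_hsts(value):
    """HSTS must carry a max-age of at least a year to keep browsers on HTTPS."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < ONE_YEAR:
        return "max-age below one year"
    return None


def _check_csp(value):
    """A CSP that constrains no script sources does little against injected script."""
    if not re.search(r"\b(default-src|script-src)\b", value):
        return "no default-src or script-src directive"
    if "'unsafe-inline'" in value:  # conservative: flags it anywhere in the policy
        return "allows 'unsafe-inline'"
    return None


def _check_nosniff(value):
    return None if value.strip().lower() == "nosniff" else "should be 'nosniff'"


def _check_xfo(value):
    return None if value.strip().upper() in ("DENY", "SAMEORIGIN") else "should be DENY or SAMEORIGIN"


def _check_referrer(value):
    ok = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
    return None if value.strip().lower() in ok else "leaks full URL to other origins"


# Lower-cased header name -> checker returning a problem string or None.
CHECKS = {
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "x-content-type-options": _check_nosniff,
    "x-frame-options": _check_xfo,
    "referrer-policy": _check_referrer,
}


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Turn the text of an HTTP response head (e.g. from `curl -sI`) into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: problem} for each missing or weak header; an empty dict means every check passed."""
    findings = {}
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, check in CHECKS.items():
        if name not in lowered:
            # X-Frame-Options is superseded by a CSP frame-ancestors directive.
            if name == "x-frame-options" and "frame-ancestors" in lowered.get("content-security-policy", ""):
                continue
            findings[name] = "missing"
            continue
        problem = check(lowered[name])
        if problem:
            findings[name] = problem
    return findings


# Constructed sample response head; not a real capture from any bank's site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for header, problem in audit(parse_raw_headers(SAMPLE_RESPONSE)).items():
        print(f"{header}: {problem}")
```

Against the constructed response the audit reports two findings: an HSTS max-age far too short to be useful and no Referrer-Policy at all, while the missing X-Frame-Options is accepted because the CSP already sets frame-ancestors. Run the same audit against every subdomain, not just the login page: the article's subdomain findings are a reminder that forgotten hosts rarely get the same headers as the main site.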

Which? found that Nationwide, TSB and Virgin Money did not use software to ensure that fraudulent messages sent by scammers impersonating the bank are blocked or quarantined by email providers. TSB told Which? it has since introduced this protection. Virgin Money said it was in the works. Nationwide said it maintains "a range of email security controls" to protect members.
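The article does not name the mechanism, so treating "software to ensure fraudulent messages are blocked or quarantined by email providers" as a published DMARC policy of p=quarantine or p=reject is an assumption of this example, which is added here and is not code from Which? or 6point6. The records it evaluates are constructed, not the real DNS records of any bank; DMARC only has effect when the bank's SPF and DKIM are set up so legitimate mail aligns with the From domain.

```python
"""Check whether a DMARC record actually tells receivers to block or quarantine
spoofed mail. Added example, not code from Which? or 6point6; the records are
constructed and the interpretation of the article's wording as DMARC is assumed.
"""
from typing import Optional

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> tuple[bool, list[str]]:
    """Return (enforcing, notes).

    enforcing is True only when receivers are asked to quarantine or reject
    failing mail for the domain and its subdomains, at full volume.
    """
    if not record:
        return False, ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["record does not start with v=DMARC1"]

    notes = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        notes.append(f"p={policy or 'missing'}: receivers still deliver spoofed mail (monitoring only)")

    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy")

    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if sub not in ENFORCING:
        notes.append(f"sp={sub}: mail spoofing subdomains is not blocked")

    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so spoofing goes unseen")

    enforcing = policy in ENFORCING and pct == 100 and sub in ENFORCING
    return enforcing, notes


# Constructed records (not real DNS data) covering the three outcomes.
SAMPLES = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "partial": "v=DMARC1; p=reject; pct=10; sp=none",
    "good": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        enforcing, notes = assess_dmarc(rec)
        print(f"{label}: enforcing={enforcing}; " + ("; ".join(notes) or "no issues"))
```

To run it against a live domain, fetch the record with `dig +short TXT _dmarc.<domain>` and pass the quoted string to `assess_dmarc`; a domain that returns nothing is treated as unprotected, which is the outcome the article describes. A p=none record is the common halfway state: the bank receives reports about spoofing but receivers deliver the forgeries anyway.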

At the other end of the table, HSBC leads the way with a score of 81%. It was the only bank to achieve five stars for both website encryption and account management, and it was rated A+ for encryption strength because it supports the latest encryption standards.

Which? also asked 6point6 to test each provider's banking app for potential vulnerabilities. Monzo's app was the lowest rated by some margin. It is the only provider that does not ask the user to log in every time the app is opened. Monzo said this was a "conscious design decision to strike a balance between risk and customer experience".

Lloyds, Nationwide, Santander and TSB lost points because their online and mobile banking services use the same login credentials.

Jenny Ross, Which? Money Editor, said: "Our security tests revealed worrying flaws when it comes to protecting people from the threat of having their accounts compromised.

"Our research reinforces the need for banks to improve their level of fraud prevention by using the latest protections for their websites and by not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers by text message, as this could leave the door open for fraudsters."