Santander, Tesco Bank and TSB have "serious vulnerabilities" in security that could leave their customers exposed to fraud, according to an investigation by consumer watchdog Which?.
Which? conducted a probe with independent security experts 6point6, scrutinising the online banking safety measures in place across the largest current account providers.
In some instances, it uncovered the potential for scammers to access information which could be used as the building blocks of a sophisticated scam, says Which?, arming a fraudster with enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one.
Tesco Bank received the poorest rating for online security in Which?’s testing, with an overall score of just 46 per cent.
Researchers found multiple security headers missing from its webpages. It also failed to block testers from logging in to the website from two computer networks at the same time.
In addition, it failed to log out testers when switching to a different website or using the forward/back button to leave the session and return to it.
TSB finished second from bottom with a score of 51 per cent. Among the issues identified in Which? testing, the most serious was the firm’s login process, which did not meet new regulations on ‘strong customer authentication’ (SCA), introduced in March.
TSB has completed the roll out of two-factor authentication for mobile banking users, but has yet to complete the upgrade for Internet banking.
Santander rounded off the bottom three, with a score of 62 per cent. Testing found that authentication checks when logging in can be bypassed if a user designates a device as ‘trusted’. While the firm said it does ask for reauthorisation if it detects unusual activity, there’s no option to view or ‘distrust’ these devices.
At the other end of the table, Starling came out on top, with a score of 85 per cent. Experts found nothing concerning with its recently launched online banking website. This is partly due to limited functionality, as users can only change sensitive data via the app.
Barclays, HSBC and First Direct tied for second spot, with a score of 78 per cent, but had areas for improvement, says Which?.
Although each had strong login measures, testers only needed basic details to recover a Barclays membership number, and could log in using two different computer networks without being ejected from one.
In First Direct’s case, the pre-set security questions for forgotten passwords were too basic, claims Which?, while there was no alert for password changes or new payees and special characters can not be used in passwords.
Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. It checked to see if firms detected testers downloading its app in an emulated device or running it on a rooted device, recently identified as a key weakeness that is being exploited by sophisticated hacking gangs.
Monzo, Nationwide and TSB failed to perform both emulator and root detection, although Monzo disagrees that this exposes its app to security weaknesses and told Which? that root and emulator detection can be unreliable.
Another test was for ‘code obfuscation’, which hides data that could be used by hackers to identify weaknesses or steal sensitive information. Virgin Money was the only bank tested where many ‘function calls’ were clearly visible. Function calls are part of the code that makes an app work and should be hidden to make life harder for attackers who might use the information to hack into a system.
Harry Rose, editor of Which? Magazine, says: “Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”