
Which? investigation finds worrying gaps in bank security systems

Santander, Tesco Bank and TSB have "serious vulnerabilities" in security that could leave their customers exposed to fraud, according to an investigation by consumer watchdog Which?.


Which? conducted a probe with independent security experts 6point6, scrutinising the online banking safety measures in place across the largest current account providers.

In some instances, it uncovered the potential for scammers to access information which could be used as the building blocks of a sophisticated scam, says Which?, arming a fraudster with enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one.

Tesco Bank received the poorest rating for online security in Which?’s testing, with an overall score of just 46 per cent.

Researchers found multiple security headers missing from its webpages. It also failed to block testers from logging in to the website from two computer networks at the same time.

In addition, it failed to log out testers when switching to a different website or using the forward/back button to leave the session and return to it.
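The missing security headers noted above are the kind of finding a routine response audit catches before a third party does. The following is an added example, not code from the Which?/6point6 testing or from any bank: it checks a set of HTTP response headers against a baseline of commonly recommended security headers and reports which are absent or carry weak values. The baseline predicates and the two sample responses are constructed for illustration.

```python
"""Audit an HTTP response's security headers against a baseline.

Added example (not from the Which?/6point6 report). The baseline below is an
assumption about what a banking site should send; adjust it to local policy.
"""
from typing import Callable, Dict, List

# Expected response headers and a predicate deciding whether the value is acceptable.
EXPECTED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    # Authenticated banking pages should not be cached by the browser.
    "cache-control": lambda v: "no-store" in v.lower(),
}


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {"missing": [...], "weak": [...]} for one response's headers.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    missing: List[str] = []
    weak: List[str] = []
    for name, acceptable in EXPECTED_HEADERS.items():
        if name not in lowered:
            missing.append(name)
        elif not acceptable(lowered[name]):
            weak.append(name)
    return {"missing": sorted(missing), "weak": sorted(weak)}


def header_score(headers: Dict[str, str]) -> int:
    """Percentage of baseline headers that are present with acceptable values."""
    result = audit_headers(headers)
    bad = len(result["missing"]) + len(result["weak"])
    total = len(EXPECTED_HEADERS)
    return round(100 * (total - bad) / total)


# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}

POOR_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",   # present but not a protective value
    "Cache-Control": "max-age=3600",  # allows caching of an authenticated page
}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("poor", POOR_RESPONSE)):
        print(label, header_score(resp), audit_headers(resp))
```

Run over the headers of each authenticated page (the login page, the account overview, the payee management page), not just the landing page, since frameworks often apply headers per route.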

TSB finished second from bottom with a score of 51 per cent. Among the issues identified in Which? testing, the most serious was the firm’s login process, which did not meet new regulations on ‘strong customer authentication’ (SCA), introduced in March.

TSB has completed the rollout of two-factor authentication for mobile banking users, but has yet to complete the upgrade for Internet banking.

Santander rounded off the bottom three, with a score of 62 per cent. Testing found that authentication checks when logging in can be bypassed if a user designates a device as ‘trusted’. While the firm said it does ask for reauthorisation if it detects unusual activity, there’s no option to view or ‘distrust’ these devices.

At the other end of the table, Starling came out on top, with a score of 85 per cent. Experts found nothing concerning with its recently launched online banking website. This is partly due to limited functionality, as users can only change sensitive data via the app.

Barclays, HSBC and First Direct tied for second spot, with a score of 78 per cent, but had areas for improvement, says Which?.

Although each had strong login measures, testers only needed basic details to recover a Barclays membership number, and could log in using two different computer networks without being ejected from one.
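Two of the findings above, at Tesco Bank and Barclays, come down to the same server-side control: a second login for an account from a different network should not leave the first session usable. The following is an added example, not code from any bank in the article: a session store that keeps one active session per account, revokes the prior session on a new login, binds each session to the client network it was created from, and expires idle sessions. The logins, addresses and timeout are constructed values.

```python
"""Single-active-session enforcement for an online banking login.

Added example, not any bank's implementation. The clock is injectable so the
idle-timeout path can be exercised without waiting.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    token: str
    account: str
    client_ip: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout: float = 300.0, clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._by_token: Dict[str, Session] = {}
        self._by_account: Dict[str, str] = {}   # account -> active token
        self.events: List[Tuple] = []            # audit trail of revocations

    def login(self, account: str, client_ip: str) -> str:
        """Create a session; any existing session for the account is revoked."""
        old_token = self._by_account.get(account)
        if old_token is not None:
            prior = self._by_token.pop(old_token, None)
            if prior is not None:
                self.events.append(("revoked_on_new_login", account, prior.client_ip, client_ip))
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self.clock()
        self._by_token[token] = Session(token, account, client_ip, now, now)
        self._by_account[account] = token
        return token

    def validate(self, token: str, client_ip: str) -> Optional[Session]:
        """Return the session if it is live, not idle-expired and from the same network."""
        sess = self._by_token.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout:
            self.logout(token)
            self.events.append(("idle_expired", sess.account))
            return None
        if client_ip != sess.client_ip:
            # Token presented from a different network than it was issued to.
            self.logout(token)
            self.events.append(("network_mismatch", sess.account, sess.client_ip, client_ip))
            return None
        sess.last_seen = now
        return sess

    def logout(self, token: str) -> bool:
        """Explicit logout; returns True if a live session was removed."""
        sess = self._by_token.pop(token, None)
        if sess is not None and self._by_account.get(sess.account) == token:
            del self._by_account[sess.account]
        return sess is not None


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    first = store.login("acct-1", "198.51.100.10")   # constructed addresses
    second = store.login("acct-1", "203.0.113.5")
    print("first still valid:", store.validate(first, "198.51.100.10") is not None)
    print("second valid:", store.validate(second, "203.0.113.5") is not None)
    print(store.events)
```

Binding a session to the client address is a deliberate trade-off: it defeats a token replayed from elsewhere but will log out legitimate users whose mobile carrier changes their address mid-session, so in practice many sites bind to a coarser network attribute or step up authentication instead of revoking outright. Revoking the earlier session on a new login is the simpler control and is what the testers were looking for.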

In First Direct’s case, the pre-set security questions for forgotten passwords were too basic, claims Which?, while there was no alert for password changes or new payees and special characters cannot be used in passwords.

Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. It checked to see if firms detected testers installing the app on an emulated device or running it on a rooted device, recently identified as a key weakness that is being exploited by sophisticated hacking gangs.

Monzo, Nationwide and TSB failed to perform both emulator and root detection, although Monzo disagrees that this exposes its app to security weaknesses and told Which? that root and emulator detection can be unreliable.

Another test was for ‘code obfuscation’, which hides data that could be used by hackers to identify weaknesses or steal sensitive information. Virgin Money was the only bank tested where many ‘function calls’ were clearly visible. Function calls are part of the code that makes an app work and should be hidden to make life harder for attackers who might use the information to hack into a system.

Harry Rose, editor of Which? Magazine, says: “Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.

“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”


Comments: (1)

Michael Fuller, Former Retail Banker

It's a pity that Which? still seem to be advocating use of complex passwords by criticising the inability of some systems to accept special characters. Indeed it's disappointing that passwords are even being used at all when 15 years ago Bill Gates suggested they were not up to the challenge of keeping information secure.

I find the NCSC guidance on passwords refreshing and would much prefer to use a phrase like "Your complex password requirement is stupid" than be forced to remember something artificial and complex like Az9Wp£!eeN7 (I can't remember that of course so will be forced to write it down or just use the "forgotten password" option when I log on).

https://www.ncsc.gov.uk/collection/passwords

The place for special characters is in the online chat or messaging service where any use of more than basic punctuation usually causes it to fall over.

And why am I forced to change my password regularly on some systems? I log in to my Bank's Pension site once a year to check how much my payment has altered yet the password policy forces me to change my password every three months! Daft and wholly counter productive.
