New Which? research finds that major high street banks have failed to adopt two-factor security steps that could safeguard their customers from scams.
Bank fraud is booming. In 2014-2015 losses soared by 64% to £133.5m for online banking and 28% to £323.3m for phone banking, yet some of the major high street banks are failing to introduce security steps that could better protect their customers from falling victim to scams.
Two-factor authentication at login combines two different types of ID checks – typically something you know, such as a password or PIN, with something you have, such as a card reader or a mobile phone or device on which you get a single-use pass code. Hackers who are able to penetrate the first level of security at login can access sensitive financial details, which they can use to convince consumers they are talking to their bank – a tactic often used by scammers.
However, a Which? test of 11 high street banks found that only five have adopted the more rigorous security checks to protect their customers. Halifax (and Bank of Scotland), Lloyds Bank, Santander and TSB have consistently scored poorly over the four years Which? has been analysing their security measures, with none offering two-factor authentication at login, despite having the technology to do so.
Alex Neill, Managing Director of Which? Home & Legal, said:
“The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there’s no excuse for others to sacrifice security.
“Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud; it’s time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers.”
Which? used its super-complaint powers to call on the financial regulator to investigate whether banks could do more to protect people who are tricked into transferring money to a fraudster.
To see how the 11 high street banks we tested did, consumers can view the full results of Which?’s online banking security test online.
Notes to editors
Research: In August 2016 Which? recruited volunteers with current accounts at 11 major high street banks. Banks were tested on online security features at a variety of different stages: logging in via a browser; adding a new payee and transferring money; password complexity requirements; customer-facing encryption (how secure the connection is to your bank when you input your details); navigation (for example, stopping you from using the back button to access a previous secure session); and the logout process. The results were analysed by security consultancy SureCloud.
Which?’s ‘Safeguard us from Scams’ campaign is calling on the Government’s Joint Fraud Taskforce to: examine whether companies are taking enough responsibility when their customers are defrauded; investigate what improvements should be made to the processes, systems and practices firms use to prevent fraud; and recommend, by the end of the year, how companies can better protect their customers from fraud.
Barclays response: “We have no higher priority than the protection of our customers’ funds and data. Customers can be reassured that the digital banking services they use carry the highest level of recognised cyber security protection. We strive to provide our customers with a great digital experience with the highest level security that doesn’t impact the ability to access their funds. All of our customers can access Internet Security from Kaspersky for free to ensure they are fully protected from online threats to their identity and money.”
HSBC response: “We take the security of our customers extremely seriously and use state-of-the-art technology to deter and detect financial crime. HSBC uses a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring. Two factor authentication and a one-time password is required to access high risk transaction types within online banking services, protecting our customers from fraudulent activity. HSBC customers are also provided with anti-virus software.”
Lloyds response: “The findings [of this research] do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don’t consider the results accurately reflect these factors which have a material impact on how we protect our customers’ daily needs.”
NatWest response: “We take the online security of our customers very seriously. We have a layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login.”
TSB response: “Customers are at the very forefront of everything we do at TSB, and we take their safety and security very seriously. It is our number one priority to offer safe and secure banking facilities for our customers across all of our products and services. To achieve this we maintain complex and multilayered fraud prevention controls which will not be visible to the customer – or reflected in this survey. We continually review and improve our services to ensure they remain robust and fit for purpose.”