A new Which? investigation has uncovered worrying gaps in online banking security systems that could help criminals to scam customers, reinforcing why banks must do more to protect their customers and reimbursement of bank transfer scam victims must be made mandatory.
Which? conducted an investigation with independent security experts 6point6, scrutinising the online banking safety measures in place across the largest current account providers.
The consumer champion’s investigation found that some of the biggest banks, such as Santander, Tesco Bank and TSB, have concerning security weaknesses that could leave their customers exposed to fraud.
While online banking is a largely safe way to manage money, and measures such as behavioural biometrics (where firms analyse the unique way you hold and use a device) are strengthening it further, Which? is concerned that the issues exposed by its investigation show that banks could do more to prioritise security above all else.
In some of these instances, there is the potential for scammers to access information which could be used as the building blocks of a sophisticated scam – arming a fraudster with enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one.
Many victims of these scams – which potentially have lax bank security measures at their heart – then face a double blow as some banks disregard the obligations to reimburse victims that they signed up to last year.
Tesco Bank received the poorest rating for online security in Which?’s testing, with an overall score of just 46 per cent.
Researchers found multiple security headers missing from its webpages. These headers matter because they tell your browser how to behave when it communicates with the website, and together they protect against a range of cyberattacks. Tesco Bank also failed to block testers from logging in to the website from two computer networks at the same time.
In addition, it failed to log out testers when switching to a different website or using the forward/back button to leave the session and return to it.
TSB finished second from bottom with a score of 51 per cent. Among the issues identified in Which? testing, the most serious was the firm’s login process, which did not meet new regulations on ‘strong customer authentication’ (SCA), introduced in March.
When Which? reported TSB’s non-compliance to the Financial Conduct Authority (FCA), it told the consumer champion that it doesn’t comment on specific firms and would not confirm how many firms have been granted an effective SCA extension in relation to online banking.
To gain access, researchers were only asked for fixed account details such as a name and password, which gives limited protection against attacks. Under the regulation, banks must add an extra layer of identification checks to confirm it is the customer logging into the online account.
TSB told Which? in November 2020 that it is compliant with the regulation for all new customers and that SCA is being rolled out for existing online and mobile customers, but could not say when this will be completed.
The forced upgrade has since been completed for mobile app users but is still being rolled out for online banking users.
TSB customers do at least enjoy some peace of mind due to the bank’s fraud refund guarantee, which ensures the vast majority of scam victims get their money back.
Santander rounded off the bottom three, with a score of 62 per cent. Testing found that authentication checks when logging in can be bypassed if a user designates a device as ‘trusted’. While the firm said it does ask for reauthorisation if it detects unusual activity, there’s no option to view or ‘distrust’ these devices.
At the other end of the table several banks did demonstrate strong security measures.
Starling came out on top, with a score of 85 per cent. Experts found nothing concerning with its recently launched online banking website. This is partly due to limited functionality, as users can only change sensitive data via the app.
Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption.
Barclays, HSBC and First Direct tied for second spot, with a score of 78 per cent, but had areas for improvement.
Although each had strong login measures, testers only needed basic details to recover a Barclays membership number, and could log in using two different computer networks without being ejected from one.
In First Direct’s case, the pre-set security questions for forgotten passwords were too basic, there was no alert for password changes or new payees, and special characters cannot be used in passwords.
Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. It checked to see if firms detected testers downloading its app in an emulated device or running it on a rooted device.
Emulated devices are used by developers for testing – and by fraudsters to discover weaknesses. A rooted (on Android) or ‘jailbroken’ (on iOS) device is one whose operating-system restrictions have been bypassed, which makes it easier for attackers and malware to read information from banking apps.
Monzo, Nationwide and TSB failed to perform both emulator and root detection, although Monzo disagrees that this exposes its app to security weaknesses and told Which? that root and emulator detection can be unreliable.
Another test was for ‘code obfuscation’, which disguises an app’s code so that attackers cannot easily read it to identify weaknesses or find where sensitive information is handled. Virgin Money was the only bank tested where many ‘function calls’ were clearly visible. Function calls are part of the code that makes an app work; their names and structure should be hidden to make life harder for attackers who might use that information to work out how to attack the system.
Many of the banks included in Which?’s investigation are signed up to the industry code on bank transfer scams, which pledges to reimburse scam victims who are not at fault.
However, the number of victims who get their money returned by banks is worryingly low, standing at around the 40 per cent mark. Because firms apply the code inconsistently and are not required to publish their reimbursement rates, scam victims face a lottery when it comes to getting their money back.
The consumer champion is calling for the voluntary bank transfer scams code to be overhauled so that stronger consumer protections and reimbursement for scam victims become mandatory for all banks and payment providers. The regulator should also be required to regularly publish reimbursement rates of individual banks so consumers can check on their account provider’s performance.
Harry Rose, Editor of Which? Magazine, said:
“Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”
Which? worked with independent security experts 6point6 to rate the largest current-account providers on four main criteria: encryption (40%), login (30%), account management (15%) and navigation (15%).
Encryption: We checked if best practice security headers are in place and looked at whether banks support outdated versions of ‘Transport Layer Security’ or have weak ciphers.
We searched for domains running outdated – and therefore potentially vulnerable – software. And we noted where scripts were loaded from external sources. We prefer this to be kept to a minimum because, while banks have rigorous due-diligence processes, hackers might compromise third parties.
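The encryption criterion above, and the missing security headers found on Tesco Bank’s pages, come down to checks a practitioner can script. The following is an added example (not Which?’s or 6point6’s test code) that audits a set of response headers and a scan’s list of negotiable TLS versions and cipher suites. The header baseline, the one-year HSTS threshold and the weak-cipher markers are assumptions chosen for illustration, not the scoring rules used in the investigation, and the sample responses are constructed inline.

```python
"""Audit an HTTPS response and TLS scan result for the weaknesses the
'encryption' criterion describes. Added example with assumed thresholds."""
import re
from typing import Dict, List

# Assumed baseline of best-practice headers a banking site should send.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)
# Protocol versions that should no longer be negotiable.
OUTDATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a cipher suite as weak (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")
ONE_YEAR = 31536000  # HSTS max-age preload lists require


def _hsts_findings(value: str) -> List[str]:
    """Check the value of Strict-Transport-Security for weak settings."""
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        findings.append("Strict-Transport-Security has no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age {m.group(1)} is under one year")
    if "includesubdomains" not in value.lower():
        findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response's headers; empty means clean."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in lower]
    if "strict-transport-security" in lower:
        findings += _hsts_findings(lower["strict-transport-security"])
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    return findings


def audit_tls(protocols: List[str], ciphers: List[str]) -> List[str]:
    """Flag outdated protocol versions and weak cipher suites from a scan."""
    findings = [f"outdated protocol enabled: {p}" for p in protocols if p in OUTDATED_TLS]
    findings += [
        f"weak cipher suite: {c}"
        for c in ciphers
        if any(marker in c.upper() for marker in WEAK_CIPHER_MARKERS)
    ]
    return findings


# Constructed sample responses: one with the kind of gaps the testing found,
# one hardened. Neither is a real bank's response.
WEAK_SITE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_SITE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_SITE_HEADERS), ("hardened", HARDENED_SITE_HEADERS)):
        print(name, audit_headers(hdrs))
    print(audit_tls(["TLSv1.0", "TLSv1.1", "TLSv1.2"],
                    ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"]))
```

Run against the constructed weak response this reports three missing headers plus two HSTS weaknesses; the hardened response returns no findings. Feeding it real headers from a `requests` or `curl -I` response is a one-line change; the TLS inputs would normally come from a scanner such as testssl.sh or sslyze.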
Login: We rated banks on the information required to access accounts and how easy it is to recover usernames or passwords. Passwords alone aren’t secure. We awarded top marks if banks ask customers to use a card reader or their mobile banking app to log in every time.
Many of them send a one-time passcode (OTP) via text message. However, we view this as the least secure way to authenticate customers, because criminals are increasingly intercepting such texts.
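The login criterion above prefers a possession factor tied to the customer’s app or card reader over a code sent by text. As an added example (not code from Which?, 6point6 or any bank), the following implements one common app-based possession factor, time-based one-time passwords (TOTP, RFC 6238), with the two checks a verifier needs: a constant-time comparison and a replay guard so that an intercepted code cannot be reused within the acceptance window. The shared secret is the RFC 4226 test-vector key, used here only so the expected codes are known; the user names and the one-step tolerance window are assumptions.

```python
"""TOTP (RFC 6238) generation and verification with a replay guard.
Added example; uses the RFC 4226 test secret so outputs are verifiable."""
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side verifier. Each code may be accepted at most once, and a
    code from a counter at or below the last accepted one is rejected, which
    is what stops an intercepted or shoulder-surfed code being replayed."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window          # steps of clock drift tolerated each way
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def verify(self, user: str, code: str, now: float) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        counter = int(now) // self.step
        last = self._last_counter.get(user, -1)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= last:
                continue                      # already consumed: replay
            if hmac.compare_digest(hotp(secret, c), code):
                self._last_counter[user] = c  # burn this and earlier counters
                return True
        return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier()
    v.enroll("alice", RFC_TEST_SECRET)          # hypothetical user
    code = totp(RFC_TEST_SECRET, 59)             # RFC vector: "287082"
    print(code, v.verify("alice", code, 59), v.verify("alice", code, 59))
```

The second `verify` call with the same code returns False: the counter was burned on first use. A real deployment stores the secret per customer (ideally inside a hardware-backed keystore on the device and encrypted at rest on the server), rate-limits attempts, and treats this factor as one half of SCA alongside the password or a device-bound key.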
Account management: Setting up a new payee and editing account details should require additional checks to verify it’s really you making changes. We want banks to send notifications when details are altered to alert you to a potential breach. We marked them down if these messages included a phone number or web link, as scammers often replicate texts and emails to trick you into calling them or entering your details on a fake website. If banks never included numbers or links in communications, it would make scam attempts easier to spot.
Banks were penalised if they let us log in from multiple browsers or computer networks at the same time – this should be flagged as a potential attack – or if they allowed us to use the browser’s forward and back buttons to leave a session and return to it. Banks should also log you out after five minutes of inactivity, but not all of them did in our test.
We also want them to implement one-click logout rather than ask you to confirm the decision first. The latter request does meet current industry guidance, but we think it’s safer to instantly close the session.
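The navigation and login behaviours scored above (one live session per customer, logging in from a second network treated as a possible attack, a five-minute idle timeout, and an immediate one-click logout) are all server-side session-management decisions. The following is an added example (not code from Which?, 6point6 or any of the banks) of a session store that enforces them; it also returns the cache headers that stop a browser re-displaying an authenticated page from its history cache after logout, which is the usual cause of the back-button behaviour seen in the Tesco Bank test. Identifying a “network” by client address, the five-minute limit and the user names are assumptions.

```python
"""Server-side session store enforcing the controls the navigation criterion
describes. Added example with assumed identifiers and thresholds."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 300  # five minutes of inactivity ends the session


@dataclass
class Session:
    user: str
    network: str      # assumed: client address or subnet the session was opened from
    last_seen: float  # Unix time of the last validated request


class SessionStore:
    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}  # one live session per user

    def login(self, user: str, network: str, now: float) -> Tuple[str, bool]:
        """Open a session. If the user already has one from a different
        network, end it and flag the login as a possible account takeover."""
        flagged = False
        old = self._by_user.get(user)
        if old is not None and old in self._by_token:
            flagged = self._by_token[old].network != network
            self.logout(old)
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user, network, now)
        self._by_user[user] = token
        return token, flagged

    def validate(self, token: str, network: str, now: float) -> Optional[str]:
        """Check a presented token on every request. Returns the user, or None
        (and kills the session) if it is unknown, idle too long, or presented
        from a different network than it was opened on."""
        s = self._by_token.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS or s.network != network:
            self.logout(token)
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> bool:
        """One-click logout: invalidate immediately, no confirmation step."""
        s = self._by_token.pop(token, None)
        if s is not None and self._by_user.get(s.user) == token:
            del self._by_user[s.user]
        return s is not None


def no_store_headers() -> Dict[str, str]:
    """Headers for authenticated pages so the browser does not serve them from
    its history or back-forward cache once the session has ended."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}


if __name__ == "__main__":
    store = SessionStore()
    t1, _ = store.login("alice", "203.0.113.0/24", now=1000.0)   # constructed
    t2, flagged = store.login("alice", "198.51.100.0/24", now=1200.0)
    print("second network flagged:", flagged)
    print("old token still valid:", store.validate(t1, "203.0.113.0/24", 1210.0))
    print("idle expiry:", store.validate(t2, "198.51.100.0/24", 1200.0 + 301))
```

Because every request goes through `validate`, a page reached via the back button after logout still fails server-side even if the browser ignores the cache headers; the headers only remove the stale rendering. Whether a second login from another network should end the first session or merely alert is a product decision; the example takes the stricter option the criterion asks for.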
Tesco, Santander and TSB right of replies
A Tesco Bank spokesperson said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money. Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards. We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”

A TSB spokesperson said: “TSB customers who use their mobile app already have SCA and we’re continuing to roll it out for those who use internet banking.”

A Santander spokesperson said: “Santander takes online security very seriously and we invest a great deal in cyber security and fraud prevention and ensuring we protect our customers’ money and data safely and effectively. The Which? review only focuses on the customer-facing elements of security and it is important to understand that there are many other ‘back end’ measures that we employ to ensure we keep our customers safe whilst offering optimum customer experience.”
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.