Which?: Banks exposing customers to fraud risk through online security flaws

Consumer champion Which? has uncovered worrying flaws in online banking security systems that could leave customers exposed to fraud, with some banks failing to use the latest protections for their websites and allowing users to set insecure passwords.

With cases of internet banking fraud up 97% in the first half of 2021, Which? has highlighted concerns that too many banks are still neglecting important security protections.
Which? conducted an investigation with independent security experts 6point6, testing the online and mobile app security of the 15 largest current account providers on a range of criteria including encryption and protection, login, and account management and navigation.

Metro Bank received the lowest score for online security in Which?’s testing, with an overall score of just 53 per cent. It was joined in the bottom three by Virgin Money (56%) and TSB (59%).



Banks must now carry out extra checks to verify customer identity as passwords can be easily guessed or stolen, but Which? found security flaws at several banks during the login process. Triodos Bank allows customers to set insecure security words, including ‘password’, ‘1234567’ and ‘admin’. The risk is mitigated by two-factor authentication at login (using its physical ‘Digipass’ device), but there is no excuse for a bank to allow such weak credentials.

Six banks (HSBC, NatWest, Santander, Starling, The Co-operative Bank and Virgin Money) let you choose passwords that include your first name and/or surname. Santander told Which? this is being phased out, and NatWest and Virgin Money said they might increase password limitations after the investigation.

TSB, Lloyds, Metro, Nationwide, Santander and The Co-operative Bank also all still use SMS texts to verify you when you log in, leaving messages at risk of being hijacked by cybercriminals. Santander and The Co-operative Bank told Which? that they are looking to move away from SMS.

Which? identified potential weaknesses in subdomains of Metro Bank’s website which could allow hackers to compromise the server. Testers found similar issues with First Direct and Lloyds. First Direct addressed the vulnerability as soon as Which? reported it and Lloyds said its subdomain was in the process of being decommissioned and ‘poses no security risk’.

Testers also found two security headers missing from Metro Bank’s website. These are important as they protect against a range of cyberattacks by telling your browser how to behave when it communicates with the website.

Which? found that Nationwide, TSB and Virgin Money were failing to use software that ensures spoof messages sent by potential scammers are blocked or quarantined by your email provider. TSB told Which? it has since introduced this protection. Virgin Money said this is in the works. Nationwide said it operates ‘a range of email security controls’ to protect members.

At the other end of the table, HSBC came out on top, with a score of 81 per cent. It was the only bank to score five stars for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards.

Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. Monzo was the lowest-scoring app it tested by some margin. It is the only provider that does not ask you to log in every time. It said this is a ‘conscious design decision to strike a balance between risk and customer experience’.

Lloyds, Nationwide, Santander, and TSB dropped points because online and mobile banking require the same login credentials – Which? would prefer banks to ask for app-specific passcodes.

While online banking is a largely safe way to manage money, scammers are upping their game and the industry needs to keep pace.

That is why Which? is calling for banks to work much harder to upgrade online security so they are providing high levels of protection for customers.

If a fraudster does breach your bank’s defences and you lose money as a result, you have a legal right to a refund from your bank – unless it can demonstrate that you were ‘grossly negligent’ – in other words, unusually careless with your security details.

Jenny Ross, Which? money editor, said: “Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised.

“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”
