How Secure Is Your Bank? Bank Security Still Varies Greatly

January 12, 2022
Consumer group Which? has released results of its latest banking security test, revealing that there is still a large gap between the best and the worst banks in terms of online and mobile banking security.

Earlier this week (January 11), Which? published the results of a test that analysed the security of the online and mobile banking systems of 15 of the biggest UK banks and building societies that offer current accounts.

The test was carried out in September and October 2021 and scored the banks in four areas that customers can see for themselves: encryption, login, account management, and navigation and logout.

The analysis follows a 97 percent increase in internet banking fraud in the UK in the first half of 2021, leading to a record £108.9m lost in 42,000 cases.

Showing little movement from the previous year's results, the association found that "a gulf" still exists between the best and worst banking apps.

“With so much of our banking now done on our computers and smartphones, it's important that those services are secure,” Which? said, adding that, “too many banks are neglecting basic housekeeping, potentially leaving their customers at risk of fraud.”

Nonetheless, Which? noted that “all of the apps and websites we tested are safe enough to use – and banks regularly test their systems for vulnerabilities.” It stressed the annual banking security investigation is intended to “hold the banking industry to the highest standards.”

Online banking security

HSBC topped the list with an 81 percent overall score.

The UK bank was the only one tested to score five stars for both website encryption and account management.

The association highlighted HSBC's A+ rating for cipher strength, earned because its website supports the latest encryption standards. Such a grade reflects the TLS configuration of the site itself (protocol versions and cipher suites), not how the bank authenticates its customers, which the remaining categories cover.

HSBC was closely followed by NatWest (75 percent), Barclays (73 percent), Santander (72 percent) and Starling (72 percent).

The worst performers were Metro Bank (53 percent), Virgin Money (56 percent) and TSB (59 percent).

Mobile banking security

HSBC's online bank subsidiary First Direct topped the mobile banking ranking (77 percent), earning five stars for encryption and account management.

App-based challenger bank Monzo, however, was the lowest-scoring app tested, at 46 percent.

It was the only provider tested that does not ask customers to log in every time they open the app, which is a "conscious design decision" the bank took "to strike a balance between risk and customer experience," Monzo told the association.

Which? also marked down Lloyds, Nationwide, Santander and TSB because their online and mobile banking services share the same login credentials, so a credential stolen from one channel unlocks the other.

Strong customer authentication

The test confirmed that all of the banks tested now have extra checks in place to verify their customers' identity at login.

Strong customer authentication (SCA) requires banks to identify each customer using at least two independent factors drawn from three categories: something only the customer knows (a password or PIN), something only the customer possesses (a card reader or registered mobile device), or something only the customer is (a fingerprint or voice pattern).

Although many banks rely on passwords or PINs combined with SMS security codes sent to the customer's mobile phone to meet the SCA requirement, Which? has called on banks to stop using SMS codes.

It argues that the messages can be hijacked by criminals through SIM-swap attacks, in which the attacker persuades the mobile operator to move the victim's number to a SIM the attacker controls, so that the one-time codes are delivered to the attacker instead.

As a result, the association marked Lloyds, Metro, Nationwide, Santander, The Co-operative Bank and TSB down in its test, although it noted that Santander and The Co-operative Bank are looking to move away from SMS.
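The two-of-three rule and the SMS caveat above can be expressed as a small policy check. The following is an added illustration, not code from Which? or from any of the banks named; the factor names (`password`, `sms_otp`, `card_reader` and so on) and the category mapping are assumptions made for the example.

```python
"""Added example, not code from Which? or any bank: classify the factors a
login presents into the three SCA categories, require two independent ones,
and report SMS codes as a weak factor in line with Which?'s recommendation.
Factor names below are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Iterable

# SCA category for each factor type (names are illustrative assumptions).
CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "memorable_word": "knowledge",
    "card_reader": "possession",        # e.g. a Digipass-style hardware token
    "registered_device": "possession",  # app instance bound to one handset
    "sms_otp": "possession",            # the phone number, in theory
    "fingerprint": "inherence",
    "voice": "inherence",
}

# A SIM swap moves the number, and with it every SMS code, to the attacker,
# so an SMS code proves possession of the number only until someone bothers
# to take it.
WEAK_FACTORS = {"sms_otp"}


@dataclass(frozen=True)
class Verdict:
    rating: str              # "strong", "weak" or "insufficient"
    categories: frozenset    # distinct SCA categories present
    weak_factors: frozenset  # factors that satisfy SCA only on paper


def evaluate_sca(factors: Iterable[str]) -> Verdict:
    """Rate the factors presented at login.

    Two factors from the same category (password + PIN) are not independent
    and count as one category; that is the mistake this check is for.
    A login that only reaches two categories thanks to an SMS code is rated
    "weak" rather than "strong".
    """
    factors = list(factors)
    unknown = sorted(f for f in factors if f not in CATEGORY)
    if unknown:
        raise ValueError(f"unknown factor type(s): {unknown}")

    categories = frozenset(CATEGORY[f] for f in factors)
    weak = frozenset(f for f in factors if f in WEAK_FACTORS)
    # Categories that survive if every weak factor is discounted.
    robust_categories = {CATEGORY[f] for f in factors if f not in WEAK_FACTORS}

    if len(robust_categories) >= 2:
        rating = "strong"
    elif len(categories) >= 2:
        rating = "weak"
    else:
        rating = "insufficient"
    return Verdict(rating, categories, weak)


if __name__ == "__main__":
    # Constructed sample logins, not data from the Which? test.
    for login in (["password", "card_reader"],
                  ["password", "sms_otp"],
                  ["password", "pin"],
                  ["fingerprint"],
                  ["password", "sms_otp", "fingerprint"]):
        v = evaluate_sca(login)
        print(f"{login!r:42} -> {v.rating:12} categories={sorted(v.categories)}")
```

The point of `robust_categories` is that adding an SMS code to a password does reach two categories, which is why banks can still call it SCA, but removing the SMS code collapses the login back to a single knowledge factor; a hardware token or a registered device in the same slot does not have that problem.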

Which? specifically called out ethical challenger bank Triodos, which, it was "shocked" to find, "lets customers set insecure security words, including 'password', '1234567' and 'admin'." Although the risk is mitigated by the physical 'Digipass' device Triodos requires as a second factor at login, Which? said "there is no excuse for a bank to allow such weak credentials."

The test also marked down HSBC, NatWest, Santander, Starling, The Co-operative Bank and Virgin Money because they allow customers to set passwords that include their first or last name. Santander told Which? it is phasing this out, while NatWest and Virgin Money said they might tighten their password restrictions.
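Both findings, a denylist of trivially guessable values and a ban on the customer's own name, are cheap to enforce at the point where the credential is set. The following is an added example of such a check, not code from Which?, Triodos or any other bank; the customer name, the short denylist and the rule codes are constructed for the illustration.

```python
"""Added example, not code from Which? or any bank: a password-policy check
that rejects the values Which? found Triodos accepting and passwords that
contain the customer's first or last name, which other banks were marked
down for.  The denylist and the customer names are constructed for this
illustration."""
from __future__ import annotations
import re

# A deliberately short denylist holding the examples quoted in the Which?
# report plus a few perennial favourites.  A real deployment would check
# against a large breached-password corpus instead.
COMMON_PASSWORDS = {
    "password", "1234567", "admin",
    "123456", "12345678", "qwerty", "letmein", "welcome",
}

# Undo the letter-for-symbol substitutions people use to dodge naive checks,
# so that "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@01345$!", "aoleassi")

MIN_LENGTH = 8


def _variants(candidate: str):
    """Forms of the candidate that are compared against the denylist."""
    low = candidate.lower()
    yield low
    yield re.sub(r"\d+$", "", low)                       # "password1" -> "password"
    yield re.sub(r"[^a-z0-9]", "", low.translate(LEET))  # "P@ssw0rd!" -> "password"


def _contains_name(candidate: str, name: str) -> bool:
    """True if the customer's name (3+ characters) appears inside the
    password, ignoring case and punctuation in both."""
    strip = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    name, cand = strip(name), strip(candidate)
    return len(name) >= 3 and name in cand


def password_problems(candidate: str, first_name: str, last_name: str) -> list[str]:
    """Return the policy violations for a proposed password, in a fixed
    order (empty list if it is acceptable).  Codes are stable so a caller
    can map them to user-facing messages."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if any(v in COMMON_PASSWORDS for v in _variants(candidate)):
        problems.append("common_password")
    if _contains_name(candidate, first_name):
        problems.append("contains_first_name")
    if _contains_name(candidate, last_name):
        problems.append("contains_last_name")
    # "aaaaaaaa" or "abababab" pass every check above yet carry no entropy.
    if len(set(candidate.lower())) <= 2:
        problems.append("low_variety")
    return problems


def is_acceptable(candidate: str, first_name: str, last_name: str) -> bool:
    return not password_problems(candidate, first_name, last_name)


if __name__ == "__main__":
    # Constructed sample: the three values Which? quoted, plus a few more.
    customer = ("Jane", "Smith")
    for pw in ("password", "1234567", "admin", "JaneSmith2021!",
               "P@ssw0rd", "correct-horse-battery"):
        print(f"{pw!r:24} -> {password_problems(pw, *customer) or 'ok'}")
```

The name check strips punctuation and case from both sides before comparing, so `Jane.Smith!` is caught as readily as `janesmith`; the three-character floor keeps very short names from rejecting almost everything. Stored password hashes are irrelevant to this check, which runs only on the plaintext the customer has just typed.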
