Consumer watchdog Which? has warned of a “big gap” between the best and worst online banking providers when it comes to security.
Which?, along with security experts 6point6, analysed the online banking safety measures of 16 banks and building societies and awarded them an overall test score based on encryption, login, account management and navigation.
The researchers discovered some “concerning vulnerabilities” which could put customers at risk and could benefit scammers.
Which? said it was concerned by the issues exposed in its investigation, adding that it highlights how banks could do more to prioritise security.
At the bottom of the table was Tesco Bank, which was awarded a score of just 46%. This was due to the absence of multiple security headers, which protect against some types of cyberattack.
The researchers also discovered that an internal staff website was accessible from anywhere and not just by employees. This has since been limited to employees.
Testers were also allowed to log in to online banking accounts from two computer networks at the same time.
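To make the "security headers" finding concrete, here is an added example, not code from the Which? or 6point6 study, that audits a login page's response headers for the standard browser-enforced protections and flags ones that are missing or set to a weak value; both sample responses are constructed.

```python
# Added example, not from the Which?/6point6 study: audit a login page's HTTP
# response headers for the browser-enforced protections the article refers to.
# The two sample responses are constructed for illustration.

EXPECTED_HEADERS = (
    "strict-transport-security",   # keeps the browser on HTTPS
    "content-security-policy",     # restricts where scripts may load from
    "x-frame-options",             # blocks framing (clickjacking)
    "x-content-type-options",      # stops MIME-type sniffing
    "referrer-policy",             # limits URL leakage to third parties
)

def weak_value(name, value):
    """True when a header is present but its value gives little protection."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        for part in v.split(";"):
            part = part.strip()
            if part.startswith("max-age="):
                age = part[len("max-age="):]
                return not age.isdigit() or int(age) < 31536000  # under one year
        return True  # no max-age directive at all
    if name == "x-frame-options":
        return v not in ("deny", "sameorigin")
    if name == "x-content-type-options":
        return v != "nosniff"
    return False

def audit_headers(headers):
    """Return (missing, weak); names compare case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = sorted(h for h in EXPECTED_HEADERS if h not in lowered)
    weak = sorted(h for h in EXPECTED_HEADERS if h in lowered and weak_value(h, lowered[h]))
    return missing, weak

# Constructed: a login page that sends nothing beyond a content type and session cookie.
BARE_RESPONSE = {"Content-Type": "text/html", "Set-Cookie": "sid=abc; Secure; HttpOnly"}

# Constructed: the same page with a full, well-configured header set.
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, resp in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp))
```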
A Tesco Bank spokesperson said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money. Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards.
“We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”
Researchers also raised concerns with TSB, which received the second-lowest score when it comes to security. PSD2 regulation requires banks to implement Strong Customer Authentication (SCA), with customers needing to provide two forms of authentication before making online payments.
However, Which? and 6point6 discovered that TSB has not implemented SCA, with researchers only required to enter fixed account details such as a name and password when logging in. According to TSB, SCA is still being rolled out to existing customers, and it is compliant for new customers and mobile app customers.
A TSB spokesperson said: “TSB customers who use their mobile app already have SCA and we’re continuing to roll it out for those who use internet banking.”
Researchers also found that when it comes to Santander, which scored 62%, it was possible to bypass authentication checks when logging in if a user labels a device as ‘trusted’.
A Santander spokesperson said: “Santander takes online security very seriously and we invest a great deal in cybersecurity and fraud prevention and ensuring we protect our customers’ money and data safely and effectively. The Which? review only focuses on the customer-facing elements of security and it is important to understand that there are many other ‘back end’ measures that we employ to ensure we keep our customers safe whilst offering optimum customer experience.”
Online banking security: The safest banks
At the other end of the scale, Which? noted that some banks demonstrated strong security measures. Challenger bank Starling scored 85%, with experts finding “nothing concerning” with its online banking website, scoring top marks for encryption.
However, researchers noted that the website currently has limited functionality compared to some others.
Barclays, HSBC and First Direct scored 78%, with researchers noting strong login measures. However, they were able to log in to Barclays online banking from two different computer networks.
Harry Rose, editor of Which? Magazine, said:
“Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”
Which? is now calling for the voluntary bank transfer scams code to be overhauled so that stronger consumer protections and reimbursement for scam victims become mandatory for all banks and payment providers.