UK Banks Still Failing on Digital Security - Report

UK banking customers are being needlessly exposed to fraud and account compromise because of insufficient online security, according to a new Which? study.

The consumer rights group commissioned Red Maple Technologies to assess 13 current account providers’ online banking websites and apps from September to November 2022. Its study covered four key areas: login, navigation and logout, account management and encryption.

Among the issues discovered by the tests were:

  • No adequate blocking for weak passwords
  • Sending one-time passcodes and other sensitive information via text messages
  • Failing to log customers out after five minutes of inactivity
  • Allowing access to accounts from multiple web browsers/IP addresses at the same time
  • Sending customer notifications containing a web link or phone number, which look like phishing messages

Virgin Money came bottom of the list with a total score of 52% online and 54% for its app. The test found six outdated web apps run by the bank that had potential vulnerabilities. The lender acknowledged vulnerabilities on three and said these will be corrected, according to Red Maple Technologies.

Starling came out top, with an 82% score for online banking and 80% for its app. HSBC came a close second overall, its online banking site garnering 80% while its app came top with 82%.

“It is vital for consumer protection that banking apps and websites use the strongest possible security mechanisms to safeguard customers. Mobile apps offer convenience with the ability to quickly block and check transactions, but it cannot be at the expense of security,” argued Red Maple Technologies CEO, Rob Stemp.

“What was interesting was seeing how the newer, app-based banks have more comprehensive measures in place compared to some of the more traditional banks. Having worked within some of these large enterprises we understand that they often suffer with issues of complexity within their IT estate and legacy systems at the core of their infrastructure.”

Remote banking fraud losses in the first half of 2022 stood at nearly £85m, a 36% year-on-year drop, according to industry body UK Finance.
