Multiple security flaws found in UK retail banks’ digital services

Cyber security flaws still too prevalent in retail bank offers, says consumer rights group.

UK retail banks have been urged to “up their game” by consumer rights organisation Which? after a survey uncovered multiple security flaws that put customers at risk.

Failure to block weak passwords, sending sensitive data including one-time passcodes via SMS, and not timing out inactive customer sessions were among the issues found in the organization’s latest annual survey of the sector.

Which? works with security experts at Red Maple Technologies to test the defenses of online and mobile banking services. It tests across four categories;

  • Encryption – including transport layer security (TLS), scripts that load from external sources, domains and subdomains that are publicly exposed when they shouldn’t be, and whether mobile apps run on rooted devices;
  • Login – what information banks request, password security, use if easily-compromised passcodes, and whether or not customers are required to use an individual card reader to access accounts;
  • Account management – how customers are allowed to make and verify changes;
  • Navigation and logout – covering session timeout policies and simultaneous access on multiple browsers.

Tests were run on 11 providers’ websites with Virgin Money, Nationwide, TSB and The Co-Operative Bank scoring lowest for website security. Starling, HSBC, NatWest and Lloyds were found to offer the most secure services. First Direct, Barclays and Santander were the other providers whose websites were tested, and all received mid-range assessments.

Two other providers, Monzo and US newcomer Chase, were added to the list for mobile banking app security. Virgin Money was again rated bottom of the list, behind TSB and Lloyds. The most secure mobile app services were offered by HSBC, Barclays and Starling.

Weak passwords

“Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly,” said Sam Richardson, deputy editor at Which? Money. “By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”

Virgin Money was judged to have multiple failures, scoring 52% on its website and 54% on its mobile app. Testers found six outdated Virgin Money apps with potential vulnerabilities. The report voices concern over its failure to:

  • block weak passwords;
  • redact phone numbers on notifications;
  • impose security checks if account holders want to set up new payments or edit payee details.

Last year’s Which? Study also gave Virgin Money one of the worst ratings. But the provider responded that safety and security were “our top priority” and insisted that: “A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts”.

Fraud prevention

Nationwide said it would “take the points raised by Which? on board”, while TSB insisted it “tracks well across the industry on fraud prevention” and pointed out that “we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud”.

Starling, which scored well across all categories of testing, received praise for using its app to authorise online logins and to alert customers to suspicious activity. HSBC also performed well.

Which? wants retail banks to do more to combat scammers who are using increasingly sophisticated methods. Blocking weak passwords and a more mature approach to data sharing are suggested first steps.