Some banks urgently need to address potential loopholes in their online security arrangements that could leave people vulnerable to scammers, according to Which?.
The consumer group evaluated the apps and websites of 13 current account providers in January and February 2024, with the help of computer security experts.
Researchers for the consumer group tested the security of banking websites and apps for login procedures, security “best practice”, account management and navigation and logout. They were unable to test the banks’ back-end security systems.
While all firms in the study use multi-layered security that helps reduce the likelihood of major security breaches, Which? said it believes some providers who finished towards the bottom of its rankings fell short of the standards customers should expect.
TSB scored 54% in Which?'s assessment of its mobile app security and 67% for its online security, the lowest and second-lowest scores respectively.
Which? said the bank's handling of sensitive data meant it could be read by other applications running on the phone. The consumer group raised concerns that the app stores user credentials in a way that makes it more likely that other apps could access them.
TSB told Which? that the issue was under review and that “a solution will be considered in the future”.
The bank also included a phone number in a text alert, which Which? said could be replicated by scammers.
TSB told Which?: “We have removed phone numbers from the vast majority of SMS alerts and this alert is the last in the plan to update the phone number.”
The consumer group also raised concerns about TSB’s password requirements, saying users could choose weak passwords that could be easier for scammers to crack.
TSB said: “We continue to strengthen the security of our internet and mobile banking and provide customers with a positive and convenient user experience. That’s reflected in our high ratings in app stores.”
Which? ranked the Co-operative Bank bottom in its study of online security, with a score of 61%.
For security on its mobile app, the Co-operative Bank came second from bottom, with a score of 57%.
Which? said the bank failed to require two-factor authentication for logins on a test laptop and did not prevent customers from setting weak passwords.
Researchers could log in from two different IP addresses at the same time without terminating the older session and, like TSB, alerts and security codes sent via text still contained phone numbers.
The Co-operative Bank said: “The security of our customers’ accounts is always our top priority. Customers can be sure that we have strong security measures in place to protect them and their money.
“We are constantly reviewing and improving our security controls and will be bringing a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”
Which? said it wants TSB and the Co-operative Bank to urgently address the issues found by its researchers.
Meanwhile, Lloyds did not log website users out after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.
A Lloyds Banking Group spokesperson said: “Helping to keep our customers’ money and data safe is our priority and we have strong multi-layered security across our online and mobile banking services to protect against potential cyber security threats.
“We employ world-class experts in the field of cyber security and continuously invest to achieve the right balance between online security measures, customer experience and accessibility.
“Written into the Payment Systems Regulator’s regulation of secure customer authentication, Lloyds Banking Group has informed the regulators that we will not apply this to payments and logins given the considerations for vulnerable customers and businesses who may need to have them longer than that period for the transaction.
“Logins from new devices are verified through secondary verification to customers’ registered phone to establish trust for any devices used. Because of this, customers have no untrusted devices.”
Starling Bank and NatWest/RBS were ranked top by Which? for online security, and both scored 87%.
HSBC was the highest ranked bank for mobile app security, with a score of 78%.
HSBC posted solid scores for its app and website, with researchers finding no problems logging out or navigating, Which? said.
Barclays was second in the mobile app rankings, with a score of 74%, but Which? found that it had failed to fix website account-management issues identified last year, such as allowing users to access accounts from multiple browsers, IP addresses or devices at the same time.
The bank told Which? that it uses other controls to assess the risk profile of devices accessing online banking and plans to add this additional layer of protection later this year.
Sam Richardson, deputy editor of Which? Money, said: “With more and more people banking online or on their phones, it’s vital that the banks we trust with our money have up-to-date security safeguards.
“While our investigation did not uncover any major security issues, there were a number of areas of concern that we believe the banks in question need to address urgently, so that sophisticated fraudsters cannot use loopholes to target innocent victims.
“With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across various government departments.”
A spokesman for industry body UK Finance said: “Fraud has a devastating impact on victims, so the main focus of the banking and finance industry remains on preventing fraud in the first place. To do so, the industry invests heavily in cybersecurity and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data, and committing fraud.
“As the fraud landscape evolves, banks update and reinforce security measures on their platforms to mitigate potential threats, while maintaining a positive user experience for customers.
“We encourage customers to be aware of potential fraud threats and always use secure passwords, and never share one-time passcodes or personal and financial information. If you think you have fallen for a scam it is important to contact your bank immediately, and report it to Action Fraud.”