Safety gaps in online banking security systems exposed

Kalila Sangster
Banks have 'concerning vulnerabilities' in security that could leave their customers exposed to fraud, according to an investigation by Which? Photo: Getty

Safety gaps in the online banking security systems of some of the UK’s biggest banks have been exposed by a new investigation by consumer group Which?

Banks have “concerning vulnerabilities” in security that could leave their customers exposed to fraud, according to the investigation by Which? and independent security experts 6point6.

The investigation looked at four main criteria: encryption, login, account management and navigation.

Tesco Bank (TSCO.L) received the lowest rating for online security in Which?’s testing, with an overall score of 46%.

Multiple security headers were missing from its webpages, the investigation found. Security headers protect customers against a range of cyberattacks by instructing users’ browsers how to behave when they communicate with the website.
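An added example, not code from Which?, 6point6 or any bank, of the kind of check behind the "missing security headers" finding: it audits a response's headers for absent or weakly configured protections. The header names and thresholds are common browser-enforced headers; the sample response is constructed.

```python
import re

# Headers a banking site is expected to send, with the protection each gives.
REQUIRED = {
    "strict-transport-security": "forces HTTPS and blocks downgrade to HTTP",
    "content-security-policy": "restricts script and frame sources (XSS)",
    "x-frame-options": "blocks clickjacking by framing",
    "x-content-type-options": "stops MIME sniffing of responses",
    "referrer-policy": "keeps account URLs out of Referer headers",
    "cache-control": "keeps account pages out of shared caches",
}

def audit_headers(headers: dict) -> dict:
    """Return {header: finding} for each missing or weakly configured header."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, why in REQUIRED.items():
        if name not in h:
            findings[name] = f"missing ({why})"
    # Presence alone is not enough: check the values that matter.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 31536000):
        findings["strict-transport-security"] = "weak: max-age below one year"
    csp = h.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        findings["content-security-policy"] = "weak: allows 'unsafe-inline'"
    if "cache-control" in h and "no-store" not in h["cache-control"]:
        findings["cache-control"] = "weak: lacks no-store"
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = f"weak: {xfo!r}"
    return findings

# Constructed sample response headers resembling the gap the article describes:
# only two security-relevant headers are present, and both are weak.
SAMPLE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Cache-Control": "private, max-age=0",
}

if __name__ == "__main__":
    for name, finding in audit_headers(SAMPLE).items():
        print(f"{name}: {finding}")
```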

Tesco Bank also failed to block testers from logging in to its website from two computer networks at the same time, and did not log out the session when testers switched to a different website or used the forward or back button to leave the session and return to it.
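As an added illustration (not any bank's code) of the session controls this finding concerns, the store below allows one live session per user, ends the earlier session when a second login arrives from another network, and drops a session that goes idle or is presented from a different network. Treating the client's /24 as "its network" and the five-minute idle limit are assumptions chosen for the example.

```python
import ipaddress
import secrets
import time

SESSION_TTL = 5 * 60  # seconds of inactivity after which a session is dropped

class SessionStore:
    """One live session per user, bound to the network it was opened from."""

    def __init__(self):
        self._by_token = {}  # token -> {"user", "net", "last_seen"}
        self._by_user = {}   # user -> currently active token

    def login(self, user, client_ip, now=None):
        """Issue a fresh token; any session the user already holds is revoked."""
        now = time.time() if now is None else now
        old = self._by_user.get(user)
        if old is not None:
            self._by_token.pop(old, None)  # second login ends the first session
        token = secrets.token_urlsafe(32)
        # Assumption: the client's /24 stands in for "its network".
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        self._by_token[token] = {"user": user, "net": net, "last_seen": now}
        self._by_user[user] = token
        return token

    def validate(self, token, client_ip, now=None):
        """Return the user for a live session; revoke and return None otherwise."""
        now = time.time() if now is None else now
        s = self._by_token.get(token)
        if s is None:
            return None
        idle_too_long = now - s["last_seen"] > SESSION_TTL
        moved_network = ipaddress.ip_address(client_ip) not in s["net"]
        if idle_too_long or moved_network:
            self.logout(token)  # the session does not survive either condition
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Explicit logout, also used internally for revocation."""
        s = self._by_token.pop(token, None)
        if s is not None and self._by_user.get(s["user"]) == token:
            del self._by_user[s["user"]]
```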


Tesco Bank told Yahoo Finance UK: “The security of our customers' accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money. Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards.

“We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”

TSB finished second from bottom in the ranking with a score of 51%. The bank’s login process did not meet new regulations on “strong customer authentication” (SCA), introduced in March, the research found.

Which?'s ranking for online banking security. Photo: Which?

When Which? reported TSB's non-compliance to the Financial Conduct Authority (FCA), the regulator said that it “doesn't comment on specific firms and would not confirm how many firms have been granted an effective SCA extension in relation to online banking,” according to Which?

To gain access, the TSB website only asked for fixed account details such as a name and password, which gives limited protection against cyberattacks. Under the SCA regulation, banks must add an extra layer of identification checks to verify that it is the genuine customer logging in to the online account.

TSB told Which? in November 2020 that it is “compliant with the regulation for all new customers and that SCA is being rolled out for existing online and mobile customers, but could not say when this will be completed.”

The forced upgrade has since been added for all mobile app users but is still in the process of being launched for online banking users.

TSB does offer a fraud refund guarantee, which means most customers who are victims of scams do get their money back.

TSB told Yahoo Finance: “Providing customers with safe and secure banking is a priority and we continue to invest in strengthening online and mobile protection for customers. We are the only bank that offers a guarantee to refund all innocent victims of fraud — including those who lose money to online scams.”

Santander (SAN) came third from bottom in the ranking with a score of 62%. The researchers were able to bypass authentication checks when logging in to the bank’s website by designating a device as “trusted.” While Santander said it does require reauthorisation if it detects unusual activity, there is no option to view or “distrust” these devices, according to Which?

A Santander spokesperson told Yahoo Finance UK: “Santander takes online security very seriously and we invest a great deal in cyber security and fraud prevention and ensuring we protect our customers’ money and data safely and effectively.

“The Which? review only focuses on the customer-facing elements of security and it is important to understand that there are many other ‘back end’ measures that we employ to ensure we keep our customers safe whilst offering optimum customer experience.”

Starling Bank came top of the table for online security measures, scoring 85%. Its recently launched online banking website showed “nothing concerning.” This is partly due to “limited functionality,” as users can only change sensitive data through its app.


“Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption,” according to Which?

Barclays (BARC.L), HSBC (HSBA.L) and First Direct tied at number two, all scoring 78%.

However, although each had strong login measures, all showed areas that could be improved.

The researchers only needed basic details to recover a Barclays membership number, and could sign in using two different computer networks at the same time without being logged out from one.

First Direct’s pre-set security questions for forgotten passwords were too basic, according to Which? It also failed to alert customers to password changes or new payees, and special characters cannot be used in its passwords.

The experts also tested each provider’s banking app for potential flaws by checking whether each bank detected testers running its app on an emulated device or on a rooted device.

Emulated devices are used by developers for testing — and can be used by cybercriminals to find weaknesses. A rooted device is one that has been “jailbroken” to get around the operating system’s restrictions, making it easier for hackers to steal information from banking apps.


Monzo, Nationwide and TSB failed to perform both emulator and root detection.

Monzo told Which? that this does not expose its app to security weaknesses and that root and emulator detection can be unreliable.

A Nationwide spokesperson told Yahoo Finance UK: “Nationwide takes the security of its products and services extremely seriously, and we always aim to ensure we offer the best member experience while maintaining highly effective security. The Society does detect jailbroken and rooted devices and where necessary will block access to maintain the security of our members money. While we do not run specific emulator detection, we use a wide range of systems and controls to identify anomalous activity that allows us to achieve protection for our members.”

Investigators also tested for “code obfuscation,” which hides information that could be used by hackers to discover weaknesses or steal information.

Virgin Money was the only bank tested where many “function calls” were clearly visible. These are part of the code that makes an app work and should be hidden to make it harder for attackers to work out how to break into a system.

Virgin Money told Yahoo Finance UK: “The safety and security of our banking services and systems is our top priority. We carry out regular penetration testing and security audits of Virgin Money’s systems and applications, and we have a well-established programme in place to prioritise the remediation of any vulnerabilities which are identified. We are also continuously investing in improvements to our cyber security.”

Although many of the banks investigated by Which? are signed up to the industry code on bank transfer scams, which pledges to reimburse scam victims who are not at fault, only around 40% of victims get their money returned, according to Which?

This is because firms “apply the code inconsistently and are not required to publish their reimbursement rates,” Which? said.

Which? is calling for reimbursement for scam victims to become mandatory for all banks and payment providers and for the regulator to be required to regularly publish reimbursement rates of individual banks so consumers can check on their account provider’s performance.


Harry Rose, editor of Which? magazine, said: “Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.

“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”
