Bank security flaws 'put consumers at risk from fraud'
By David Wood | 7th February 2023
Basic security flaws on some of the biggest banks' websites and apps are putting consumers at increased risk of falling victim to fraud, as found by research undertaken by Cheltenham based cybersecurity consultancy, Red Maple Technologies, on behalf of Which?
The consumer champion's tests found several banks were missing basic online and app protections.
The research comes after 29,102 cases of remote banking fraud were reported to industry body UK Finance in the first half of 2022. This involves unscrupulous scammers gaining access to consumers' bank accounts via their internet, telephone or mobile banking and making an unauthorised transfer of money from the account.
Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies.
The banks were scored across four key categories - login, navigation and logout, account management and encryption - for both their online banking security and app security.
Among other issues, banks were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, which is the least secure approach, and failing to log customers out after five minutes of inactivity.
They also lost points for allowing access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyber attack, and for sending customers notifications that include a phone number or web link. The latter can be a gift to scammers who often replicate texts and emails to trick people into calling them or entering their details on a fake website.
Virgin Money got the lowest total scores for online (52%) and app (54%) banking. Virgin Money's poorest scores for online banking were in the navigation and logout and account management categories - it got two stars out of five for both. It also scored just two stars for the encryption on its app.
Red Maple Technologies found six outdated Virgin Money web applications which had potential vulnerabilities. The bank noted minor vulnerabilities on three and said these will be corrected. Virgin Money did not adequately block insecure passwords and remove phone numbers from notifications.
Worryingly, there were no security checks to pay someone new, change an email address or edit the details of a payee. Which? also found issues with website session management, though the bank said it plans to improve this in early 2023, following Which?'s tests.
Which? had several concerns when it came to TSB, which scored 57% for its app, the second lowest, but got a slightly higher score of 66% for its online offering. It still asks basic security questions such as 'name your favourite food' to recover login details.
It also failed to block insecure passwords and only requires six characters - banks should encourage much longer passwords. Red Maple Technologies found a potentially vulnerable subdomain, which TSB said will be removed in 2023, and two outdated web applications.
Starling came out top for online banking security (82%), although its high-scoring app (80%) is also key to security - it is used to authorise online logins and instant alerts of any sensitive activity. Starling scored five stars in almost every category.
Which?'s top scorer for online banking security last year, HSBC, performed well once again this year - it followed closely behind Starling with a score of 80% for online banking while its app had the highest score of 82%.
The banks included in the research also have behind-the-scenes systems that Which? and Red Maple Technologies were not able to test.
Rob Stemp, CEO of Red Maple Technologies, said: "It is vital for consumer protection that banking apps and websites use the strongest possible security mechanisms to safeguard customers. Mobile apps offer convenience with the ability to quickly block and check transactions, but it cannot be at the expense of security.
"As part of our research we also checked the bank's email authentication settings - SPF, DKIM and DMARC - which stop banks from being impersonated, effectively eliminating the risk posed by spammers, phishing and other spoof email issues. These critical settings mean that customers always know that any communications from their bank are legitimate."
Which? believes the banking industry must improve its cyber defences against scammers, who are becoming increasingly sophisticated in their methods.
The consumer champion wants improvements that would see weak passwords blocked and also believes that sensitive data should not be sent via SMS text messages as these can be intercepted.
If the worst happens and consumers do fall victim to remote banking fraud, in many cases they will be entitled to a refund from their bank.
Rob Stemp added: "What was interesting was seeing how the newer, app-based banks have more comprehensive measures in place compared to some of the more traditional banks. Having worked within some of these large enterprises we understand that they often suffer with issues of complexity within their IT estate and legacy systems at the core of their infrastructure.
"As a result of the research, many of these banks have now made changes to their systems and standard practice, which is extremely positive, however with the cost of cybercrime set to hit $10.5 trillion by 2025, 8% of the world's GDP, these are issues that all organisations need to get a grip on, especially those in the banking sector."
Sam Richardson, Which? Money deputy editor, said: "Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.
"By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers."
Copyright 2023 Moose Partnership Ltd. All rights reserved. Reproduction of any content is strictly forbidden without prior permission.