Which? on banking apps

by Mark Rowe

Basic security flaws on some of the biggest banks’ websites and apps are putting consumers at increased risk of falling victim to fraud, according to a Which? look into online banking and app security.

The consumer product and services testing body found several banks were missing basic online and app protections. It looked at the customer-facing security systems of 13 account providers from September to November 2022, with help from independent security experts at Red Maple Technologies. The banks were scored across four key categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.

Among other issues, banks were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, which is the least secure approach, and failing to log customers out after five minutes of inactivity. Red Maple found six outdated Virgin Money web applications which had potential vulnerabilities. The bank noted minor vulnerabilities on three and said these will be corrected.

Starling, a bank without physical branches (more on its security around IDs in the March print edition of Professional Security Magazine), came out top for online banking security (82 per cent), although its high-scoring app (80pc) is also key to security – it is used to authorise online logins and to send instant alerts of any sensitive activity. Starling scored five stars in almost every category.

Which?’s top scorer for online banking security last year, HSBC, performed well once again this year – it followed closely behind Starling with a score of 80pc for online banking while its app had the highest score of 82pc. Which? rated banks across four categories: login (30pc), encryption (30pc), account management (25pc), navigation and logout (15pc).

Sam Richardson, Which? Money Deputy Editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.

“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”

Comment

Frederik Mennes, Director Product Management & Business Strategy, at the identity verification product company OneSpan, says that there are many things banks can do to ensure the protection of their customers and themselves.

“In this digital-first world, banks and financial institutions must balance top-level security with seamless user experience. Rigorous security and accurate identity verification must of course be of the highest level, but it cannot feel like a burden on the user. We can all relate to the fatigue of having to enter multiple one-time-pass codes into our various devices.

“The key here is continuous authentication. Continuous authentication is not an authentication factor, like a new one-time token or authentication application. It provides multi-layered security measures that can adapt to the unique characteristics and risk level of each transaction. This means that the authentication process becomes more secure and dynamic, as it can detect and respond to changing patterns of behaviour and suspicious activity in real-time. This results in a more effective defence against fraud, hacking and other forms of cyber-crime, while also providing a seamless and convenient user experience.

“By utilising continuous authentication, financial services can better protect their customers’ sensitive information and assets, and ensure the security of their financial transactions. It distinguishes itself from standalone authentication tools by employing specialised authentication methods based on real-time risk analysis. By leveraging risk analytics driven by machine learning and artificial intelligence, financial institutions can simplify the end user experience, reduce fraud, and achieve regulatory compliance.”

© 2024 Professional Security Magazine. All rights reserved.