
Which? on online banking systems

by Mark Rowe

Worrying flaws in online banking security systems could leave customers exposed to fraud. Some banks are failing to use the latest protections for their websites and allowing users to set insecure passwords, according to the consumer campaign group Which?.

Which?, working with the cyber security firm 6point6, tested the online and mobile app security of the 15 largest current account providers on a range of criteria including encryption and protection, login, and account management and navigation. Which? says it found security flaws at several banks during the login process. HSBC (pictured; their branch in Selby, Yorkshire) came out on top, with a score of 81 per cent. It was the only bank to score five stars for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards.

Jenny Ross, Which? Money Editor, said: “Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised. Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”

Comments

Sion Lewis, Vice President & Managing Director EMEA, at the cyber product firm LogMeIn said: “We know that 80pc of data breaches are a result of weak passwords, yet our recent research found that 92pc of Brits still reuse the same, weak passwords. Banks aren’t intending to put their customers at risk, but we all need to be educated and encouraged at every opportunity to use the most secure practices available.

“By providing consistent and up-to-date information on security risks, and imposing mandatory passwords that are strong and unique for accounts – we can all win the war against cyber-criminals. A strong password is at least 16 characters long and includes a mix of capital and lowercase letters as well as numbers and symbols and should certainly not be linked to any personal information. A password manager can also be an invaluable tool to store all personal and digital data in a private, secure vault so you don’t forget credentials.

“There’s no doubt that financial providers are investing in security measures – but more can be done. Online security is never a one stop shop and beating hackers is like a constant cat and mouse game. To ensure we are ahead, we all need to work together.”

And Brett Beranek, Vice-President & General Manager, Security & Biometrics Line of Business at the vendor Nuance, said: “This latest warning from Which? about password security should come as no surprise. PINs and passwords are an archaic tool, no longer fit for purpose. Passwords are being sold on the dark web, exploited for fraudulent activity and have even cost unfortunate individuals vast sums of money in terms of forgotten passwords to safeguard cryptocurrencies.

“Indeed, new research from Nuance has found that one in ten UK consumers admit to choosing the same password for nearly every account, irrespective of its ‘strength’ or likely uniqueness. Given the same poll has found almost a fifth have fallen victim to fraud in the last 12 months, it is high time PINs and passwords are confined to the history books, so that technology – such as biometrics – can be more widely deployed in order to robustly safeguard customers.

“With fraud on the rise, it has never been more important for banking leaders to ensure that their customers are provided with a more sophisticated and secure experience. Biometrics authenticates individuals immediately based on their unique characteristics – taking away the need to remember PINs, passwords and other knowledge-based credentials prone to being exploited by fraudsters and providing peace of mind, as well as security, for end-users.”


© 2024 Professional Security Magazine. All rights reserved.
