Lloyds, Metro and TSB among major banks leaving customers open to fraud- are you affected?
Moneybox: Man outlines his experience with impersonation fraud
We use your sign-up to provide content in ways you’ve consented to and to improve our understanding of you. This may include adverts from us and 3rd parties based on our understanding. You can unsubscribe at any time. More info
Online banking fraud rose 97 percent in the first half of 2021 however concerns have grown banks have not moved fast enough to keep pace. Research by consumer group Which? has exposed a number of key issues with major banks, as well as ranking them by security. According to Which? Metro Bank receives the lowest overall score for online security, joined in the bottom three by Virgin Money and TSB. Which? identified potential weaknesses in subdomains of Metro Bank’s website which the group says could allow hackers to compromise the server. Similar issues were also found with First Direct and Lloyds. First Direct told Which? they were addressing the issue while Lloyds said the subdomain was being decommissioned and therefore did not pose a security risk.
A Lloyds spokesperson added: “We employ world-class experts in the cyber-security field, who work to deliver the right balance of online security measures, customer experience and accessibility.”
Metro Bank’s website was also found to be missing two security headers which are important for providing protection against cyberattacks.
A spokesperson for Metro Bank said the bank takes “our customers’ security extremely seriously and have a range of safeguards in place across all channels.”
They added: “We are continually evaluating and evolving our controls to prevent fraud.”
Other specific faults found among the banks often related to the login process with banks required to carry out extra checks to verify customers due to the risks of stolen passwords.
Six banks- HSBC, NatWest, Santander, Starling, The Co-operative Bank and Virgin Money- however all let customers choose passwords containing their first or surname.
Santander told Which? this is now being phased out while NatWest and Virgin Money said they might increase password limitations.
NatWest also said it would continue to invest in measures such as multi-factor authentication and its work on biometrics.
Starling explained it had built “security technology into our app and systems, to give customers an easy to use, secure, seamless experience.”
A spokesperson for Virgin Money said: ““The safety and security of our banking services is our top priority and we are continually monitoring, assessing and improving our security controls.”
TSB, Lloyds, Metro, Nationwide, Santander and The Co-operative Bank also all used SMS texts to verify when customers logged in.
Which? point out this could leave messages at risk of being hijacked by cybercriminals.
Santander told the group they were now looking to move away from SMS, adding: “Security is a top priority for all at Santander and we continue to invest a great deal in keeping our customers safe.”
The Co-operative Bank meanwhile said: “We continually review the controls we have in place to maintain secure banking.”
A spokesperson for TSB said: “TSB tracks well across the industry on fraud with lower than average fraud losses.
“In contrast to the wider industry, we are the only bank that offers a guarantee to refund our customers should they ever fall victim to bank fraud.”
Which? Money Editor Jenny Ross said: “Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords.
“We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”
In the overall security rankings HSBC came out on top as the only bank to score five stars for both its website encryption and account management.
Marks & Spencer UK’s fastest-growing food retailer [ANALYSIS]
Brexit Britain win: City records best year for floats in over a decade [SPOTLIGHT]
Boris’s levelling up agenda under threat [REVEAL]
The bank says it uses “advanced cybersecurity controls and identify and respond to threats in a timely manner.”
Other criteria tested were login and navigation and logout.
Monzo was found to have the lowest scoring app due to it not requiring users to log in every time.
The bank however said: “We strongly disagree with this assessment.”
“Given every sensitive action or payment requires a customer to provide extra authentication in the form of a PIN or biometrics, the risk associated with remaining logged into the Monzo app is extremely low.”
Lloyds, Nationwide, Santander and TSB also dropped points due to their apps requiring the same login details as online with Which? suggesting app-specific passwords are more secure.
A Nationwide spokesperson said: “Security is of paramount importance to Nationwide, and we must balance this with ensuring we are delivering the best user experience when members use our digital services.”
Source: Read Full Article