TSB, the Co-operative Bank and Lloyds have been told they need to “urgently address potential loopholes” in their online security arrangements which could leave people vulnerable to scammers, according to new research.
It comes as Which? assessed the apps and websites of 13 current account providers in January and February 2024, with help from computer security experts.
Researchers for the consumer group tested banking website and app security for login procedures, security “best practice”, account management and navigation and logout.
However, they were not able to test banks’ back-end security systems.
While all firms in the study use multi-layered security that helps reduce the likelihood of major security breaches, Which? said it believes that some providers that finished towards the bottom of its rankings fell short of the standards customers should expect.
UK banks ranked 'unsafe' for online and mobile security
TSB
TSB was scored 54% for its mobile app security and 67% for its online security – the lowest and second-lowest scores respectively.
Which? said the bank’s handling of sensitive data meant that it could be read by other apps running on the phone. The consumer group raised concerns that the app stores users’ credentials in a way which may make it more likely that other apps could access them.
TSB told the consumer group that the matter was under review and a fix will be “considered in the future”.
The bank also sent a phone number in a text alert that Which? said could be replicated by scammers.
TSB told Which?: “We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number.”
Which? also raised concerns about TSB’s password requirements, saying users may choose insecure passwords which could be easier for scammers to crack.
TSB said: “We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”
Co-operative Bank
Additionally, Which? ranked the Co-operative Bank bottom in its study for online security, with a score of 61%.
Regarding security on its mobile app, the Co-operative Bank came second to last, with a score of 57%.
Which? said the bank failed to require a two-factor authentication login on a test laptop and did not block customers from setting weak passwords.
Researchers could log in from two different IP addresses at the same time without the older session being terminated and, like TSB, there were still phone numbers in alerts and security codes sent via text.
The Co-operative Bank commented: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.
“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”
Which? said it is calling for TSB and the Co-operative Bank to urgently address the issues that its researchers found.
Lloyds Bank
Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.
A Lloyds Banking Group spokesperson added: “Helping to keep our customers’ money and data safe is our priority and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats.
“We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.
“Whilst written in the Payment Systems Regulator’s regulation for secure customer authentication, Lloyds Banking Group has made the regulators aware that we would not enforce this on payments and logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction.
“Logons from new devices are verified through secondary verification to customers’ registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices.”
Starling Bank, NatWest/RBS and HSBC ranked 'safest' for online and mobile security
Starling Bank and NatWest/RBS were ranked top by Which? for online security, with both scoring 87%.
The top-ranked bank for mobile app security was HSBC, with a score of 78%.
HSBC posted solid scores for both its app and website, and researchers found no issues with logout or navigation, Which? said.
Barclays was ranked second in the mobile app rankings, with a score of 74%, but Which? found it had not fixed website management issues it identified last year, such as letting users access accounts from multiple browsers, IP addresses or devices at the same time.
The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking and is planning to add this additional layer of protection later this year.
Sam Richardson, deputy editor of Which? Money, said: “With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch.
“While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.
“With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across multiple government departments.”