Consumer group says online banking security flaws expose customers to fraud


Online banking customers are being exposed to some worrying fraud risks, according to Which?.

The consumer group is urging providers to “up their game” by using the latest security for their websites and not allowing customers to set insecure passwords.


It conducted an investigation with security experts 6Point6, which tested the online and mobile app security of 15 major current account providers on a range of criteria, including encryption and security, login, and account management and navigation.

Six banks – HSBC, NatWest, Santander, Starling, Co-Operative Bank and Virgin Money – let people choose passwords that include their first name and/or surname, the research found.


Santander told Which? this was being phased out, while NatWest and Virgin Money said they could now raise password limits.

TSB, Lloyds, Metro, Nationwide, Santander and Co-Operative Bank also used text messages to verify people when they logged in, leaving messages at risk of being hijacked by cybercriminals, Which? said.

Santander and Co-Operative Bank told Which? they wanted to move away from it.


Which? also claimed that Nationwide, TSB and Virgin Money were not using software that ensured that spoofed messages sent by potential scammers were blocked or quarantined by the email provider. TSB told Which? it has since introduced this protection. Virgin Money said it is in the process of doing so. Nationwide said it has “a series of email security controls” in place to protect members.

Scoring five stars for website encryption and account management, HSBC came out most favorably for online banking security. First Direct, a division of HSBC UK, was ranked top for mobile app security.

Which? tested the online and mobile app security of 15 major current account providers and found six that allowed customers to use passwords that included their first name or surname.

Metro Bank came bottom for online security, while Monzo came bottom for mobile app security.


Which? said Monzo didn’t ask people to log in every time, while the bank said this was “a conscious design decision to strike a balance between risk and customer experience”.

A Monzo spokesperson said: “We strongly disagree with this assessment. Each sensitive action or payment procedure requires the customer to provide additional authentication, in the form of a PIN or biometrics, associated with being logged into the Monzo app. The risk is extremely low.

“We take security incredibly seriously and are focused on the policies and practices we believe are safest for Monzo customers.”

Metro Bank said: “Like all financial institutions, we need to be vigilant to protect our systems and security.

“In addition, we work closely with other banks to help prevent fraud. We take the safety of our customers extremely seriously and take a number of security measures.”

Which? said the criteria it looked at included encryption and security, login, and account management and navigation. It said that every bank and building society has security procedures in place behind the scenes and it is not possible for Which? to test them legally.

Jenny Ross, Which? Money editor, said: “Banks must lead the fight against fraud, yet our security tests have revealed worrying loopholes to keep people safe from the threat of their accounts being compromised.

“Our research reinforces the need for banks to up their game to tackle fraud by using the latest security for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers through SMS messages as it can leave doors open for fraudsters.”

TSB said it has a number of security features that are not included in the results and highlighted its fraud return guarantee. Virgin Money said: “We are continuously monitoring, evaluating and improving our security controls.” The Co-Operative Bank said it continuously reviewed controls to maintain safe banking.

HSBC Group said: “We deploy advanced cyber security controls and identify and respond to threats in a timely manner.”

Lloyds Banking Group said: “We have robust, multi-layered security in our online and mobile banking services to protect against cybersecurity threats. We employ world-class experts in the field of cyber security.”

Nationwide said: “We provide round-the-clock security by tracking our systems and tracking suspicious activity.”

NatWest Group said: “We continue to invest in our digital security capabilities.” Santander said it continues to make “a huge investment in keeping our customers safe.”

Starling Bank said it has built security technology into its apps and systems to “give customers an easy-to-use, secure, intuitive experience”.
