WEAKNESSES in some banks' security could leave customers exposed to scammers, a new Which? investigation has found.
With more people than ever before using mobile banking, criminals are increasingly viewing mobile phones as gateways to consumers' personal details.
The consumer champion has rated the best and worst firms for keeping customers safe.
Which? researchers tested banking website and app security across four key criteria, combining them into a total score out of 100%:
- Login procedures
- Security best practice
- Account management
- Navigation and logout
While all firms do use multilayered security that helps reduce the likelihood of major security breaches, Which? believes that some firms that finished towards the bottom of the rankings fell short of the high standards customers should expect.
BOTTOM OF THE PILE
TSB scored 54% for its mobile app security and 67% for its online security - the lowest and second-lowest scores, respectively.
The firm was the only one to score just two stars for online account management and just two stars for security best practice for its app.
The most serious problem the security best practice tests discovered was a "medium-risk" issue on the TSB app.
The app handled sensitive data improperly, storing it where other apps running on the same phone could read it.
TSB told Which? that the matter was under review and a fix will be "considered in the future".
The bank also sent a phone number in an SMS alert, which could be replicated by scammers.
TSB told Which?: "We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number."
TSB's password rules still require a minimum of only six characters, and users can still choose a range of insecure passwords that are easier for scammers to crack, Which? said.
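To show what separates a bare six-character minimum from the kind of policy Which? is asking for, here is an added example (not TSB's code or Which?'s test harness) that contrasts the two. The blocklist is a constructed handful of entries standing in for a real breached-password list, and the 12-character minimum and the username rule are illustrative choices, not any bank's actual rules.

```python
"""Contrast a bare six-character minimum with a policy that also blocks
common, repetitive and sequential passwords and ones containing the username.
Added example; thresholds and the blocklist are illustrative assumptions."""

# Constructed sample of a common-password blocklist. A real deployment would
# load a large published list rather than a dozen hand-picked entries.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "abc123", "111111",
    "welcome", "monkey", "dragon", "football", "iloveyou", "admin123",
}


def weak_policy_accepts(password: str) -> bool:
    """The six-character minimum described in the article: accepts
    '123456' and 'qwerty' without complaint."""
    return len(password) >= 6


def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefghijkl' or 'zyxwvu' (every step +1 or -1)."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy failures; an empty list means acceptable."""
    failures = []
    lowered = password.lower()
    if len(password) < 12:                      # assumed minimum for this example
        failures.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS:
        failures.append("on the common-password blocklist")
    if len(set(lowered)) <= 2:                  # 'aaaaaaaaaaaa', 'abababababab'
        failures.append("too few distinct characters")
    if _is_sequential(lowered):
        failures.append("a simple ascending or descending sequence")
    if username and len(username) >= 4 and username.lower() in lowered:
        failures.append("contains the username")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "aaaaaaaaaaaa", "janedoe-is-great!", "correct horse battery 7"):
        print(f"{candidate!r}: weak policy accepts={weak_policy_accepts(candidate)}, "
              f"failures={check_password(candidate, username='JaneDoe')}")
```

The point of the contrast is that a length-only rule passes exactly the passwords that appear first in every credential-stuffing list; the blocklist and pattern checks cost nothing at login time and remove most of that exposure.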
A TSB spokesperson said: "We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers.
"That's reflected in our high app store ratings."
Which? also uncovered problems with The Co-operative Bank's security measures.
The bank came bottom of the online security table, with a score of just 61%.
It got three stars for both account management and navigation.
When it came to security on its mobile app, The Co-operative Bank came second-last, with a score of 57%.
The firm was one of three rated average (three stars) for login security, and it was the only bank that failed to require two-factor authentication (2FA) when logging in on a test laptop.
2FA protects your accounts by requiring an extra level of verification before logging in, such as a code sent by text message.
The bank also fails to block customers from setting weak passwords.
The Co-operative Bank said: "The security of our customers' accounts is always our top priority.
"Customers can be assured we have robust security measures in place to protect them and their money.
"We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us."
Lloyds was the only bank that failed to log out website users after five minutes of inactivity, Which? found, despite this being a regulatory requirement.
The bank told Which? that this makes things easier for vulnerable customers.
THE BEST PERFORMERS
Starling and NatWest/RBS were at the top of the pile for online security, both posting impressive total scores of 87%.
While both firms scored four stars for login security online, they both posted a full five stars for security best practices, account management and navigation.
The best performing bank for mobile app security was HSBC, with a total score of 78%.
HSBC posted solid scores for both its app and website, and unlike many of its high street rivals, it does not rely on SMS for login, and researchers found no issues with logout or navigation.
While Barclays finished second in the mobile app rankings, with a highly respectable total score of 74%, it has still not fixed the website account management issues Which? identified last year.
These issues include letting users access accounts from multiple browsers, IP addresses or devices at the same time, something a bank would normally treat as a possible sign that an account is under attack.
The firm told Which? it uses other controls to assess the risk profile of devices accessing online banking, and is planning to add this additional layer of protection later this year.
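Two of the controls mentioned above, the five-minute inactivity logout Which? cites for Lloyds and the flagging of concurrent logins from different browsers, IP addresses or devices raised against Barclays, are straightforward to implement server-side. The following is an added example (not any bank's code) using an in-memory session store and a caller-supplied clock so it runs offline; the IP addresses and device identifiers in the usage are constructed, and the five-minute window is taken from the article.

```python
"""Server-side session handling with an idle timeout and detection of
concurrent sessions from a different IP or device. Added example; in-memory
store and explicit 'now' argument are for illustration and testing."""
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 5 * 60   # five minutes of inactivity, as cited in the article


@dataclass
class Session:
    user: str
    ip: str
    device_id: str
    last_seen: float


@dataclass
class SessionStore:
    sessions: dict[str, Session] = field(default_factory=dict)

    def is_active(self, token: str, now: float) -> bool:
        s = self.sessions.get(token)
        return s is not None and now - s.last_seen < IDLE_TIMEOUT_SECONDS

    def login(self, user: str, ip: str, device_id: str, now: float) -> tuple[str, list[str]]:
        """Create a session and return its token plus warnings about other
        live sessions for the same user from a different IP or device.
        The caller decides whether to block, step up to 2FA, or just alert."""
        warnings = [
            f"concurrent session from {s.ip}/{s.device_id}"
            for token, s in self.sessions.items()
            if s.user == user
            and self.is_active(token, now)
            and (s.ip != ip or s.device_id != device_id)
        ]
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[token] = Session(user, ip, device_id, now)
        return token, warnings

    def touch(self, token: str, now: float) -> bool:
        """Call on every authenticated request. Returns False and drops the
        session once the idle window has been exceeded; otherwise resets it."""
        if not self.is_active(token, now):
            self.sessions.pop(token, None)
            return False
        self.sessions[token].last_seen = now
        return True

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    t, _ = store.login("alice", "203.0.113.5", "phone-A", now=0.0)
    print("request at 4m59s still authenticated:", store.touch(t, 299.0))
    print("request 5m after that:", store.touch(t, 599.0))
    _, warnings = store.login("alice", "198.51.100.9", "laptop-B", now=600.0)
    print("warnings on second login:", warnings)
```

Note that `touch` measures inactivity from the last request, not from login, so an active user is never cut off mid-task, while an abandoned browser tab on a shared machine expires on schedule; the concurrent-session warning is returned rather than enforced, because the right response (block, step-up authentication, or alert) is a policy decision.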
Sam Richardson, deputy editor of Which? Money, said: "With many people increasingly banking online or on their phones, it's crucial that the banks we trust with our money have security protections that are up to scratch.
"While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.
"With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a Fraud Minister installed to work across multiple government departments."
SIX TIPS TO STAY SAFE ONLINE
WHICH? has shared its six tips for banking customers to stay safe online.
These include:
- Protect your mobile: Having your phone stolen needn't put your money at risk. Add a unique PIN to your SIM card, register for Google's Find My Device or Apple's Find My iPhone, and disable preview notifications, which flash up messages even when your phone is locked.
- Don't use an out-of-date device: Updates contain security patches for new vulnerabilities, so if you bank online, don't use a device that’s no longer supported.
- Choose strong, unique passwords: Avoid repeat or simple passwords – too many banks have failed to block this. Use a password manager if you struggle to remember them.
- Keep your phone and bank cards separate: Never leave your mobile phone and bank cards unattended together – a thief could pass security checks when armed with both.
- Check your social media profiles for details: Remove personal data (email, date of birth, phone numbers) from online profiles, as leaving it visible raises your risk of identity theft. Only accept friend requests from people you know. What you put online is public, so never use anything that's out there in a password or security question.
- Act quickly: If you spot an unauthorised payment or changes you don’t recognise, report it immediately. Many banks let you freeze your debit card via their app, or they offer a 24/7 helpline to report lost and stolen cards.
How to report scams
If you think you have been a victim of a scam, you should report it to your bank as soon as possible.
There is no guarantee you'll get your money back, but banks will often compensate you if you can show you did not know the money would leave your account.
You can forward scam emails to [email protected].
If you notice a website that doesn't look quite right, you can also report it to the National Cyber Security Centre by visiting www.ncsc.gov.uk/section/about-this-website/report-scam-website.
You should also contact your provider and report it to Action Fraud, which will give you a crime reference number.
You can do this online by visiting or by calling 0300 123 2040.
If you're in Scotland, report a scam through Advice Direct Scotland online by visiting www.consumeradvice.scot. You can also report scams to Police Scotland on 101.
If you need further help, contact Citizens Advice Scams Action by visiting www.citizensadvice.org.uk/consumer/scams/get-help-with-online-scams or calling 0808 223 1133.