Banks put customers ‘at risk of fraud’ with outdated online security

person using phone text code to login to website - Yiu Yu Hoi/Getty Images

Banks are putting customers at risk of fraud by texting security codes, according to a study.

In a survey of 13 current account providers, Which? found that many were sending a one-time passcode via SMS, despite the consumer group saying this was the least secure way to authenticate customers because criminals were increasingly intercepting these types of messages.

Instead, the group gave top marks to banks that asked customers to use a card reader or their mobile banking app to log in every time.

Which? identified the weakness as one of a series of security flaws in the websites and apps of some of the largest banks, which it said were putting consumers at greater risk of falling victim to fraud.

Insecure passwords, lax new beneficiary controls, and vulnerable login processes are among the weaknesses found by the consumer group.

Fraud costs £85m in six months

It follows reports of 29,102 remote banking frauds worth almost £85m to UK Finance, the industry body, in the first half of 2022.

For the research, Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with the help of independent security experts from Red Maple Technologies.

Banks were rated in four key categories: login, browsing and logout, account management, and encryption, for both their online banking security and the security of their applications.

Among other issues, banks were flagged for failing to properly block weak passwords, sending one-time passcodes or other sensitive information via text message, which is the least secure approach, and failing to log customers out after five minutes of inactivity.

For logins, which include password checks and access code processes, HSBC topped the ranking with five out of five stars, followed by Starling, Lloyds, First Direct, Nationwide and Virgin Money with four stars. TSB, Santander, Barclays and NatWest received three stars.

Virgin Money had the lowest overall scores for online banking (52 percent) and banking apps (54 percent). The study found six outdated Virgin Money web applications that had potential vulnerabilities.

Virgin Money did not properly block insecure passwords and removed phone numbers from notifications, according to the investigation. It also found that there were no security checks for paying someone new, changing an email address or editing a payee’s details.

‘Robust multi-layer controls’

A Virgin Money spokesperson said: “The safety and security of our banking services is our top priority, and we are continually monitoring, evaluating and improving our security controls.

“Several of the points raised in this investigation relate to decisions we have made to improve the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customer accounts.”

TSB scored 57 percent for its app, the second lowest, but scored a slightly higher 66 percent for its online offering.

Which? said TSB still asks basic security questions such as “name your favourite food” to retrieve login details. TSB also failed to block insecure passwords and required only six characters. There was also a potentially vulnerable subdomain, which TSB says will be removed in 2023, and two outdated web apps.

TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made, and including phone numbers in new beneficiary notifications.

A TSB spokesperson said: “We continue to invest in our online and mobile services, and work with leading global technology firms to provide security and accessibility for our customers.

“TSB also has a good track record in the industry when it comes to fraud prevention and we are the only bank that protects its customers with a money-back guarantee should they ever fall victim to fraud.”
