Bank security flaws putting customers at risk, warns Which?

Security flaws in the websites of banks are putting customers at increased risk of falling victim to fraud, according to an investigation by Which?.

Tests conducted by Which? found that some banks were failing to log users out of systems after periods of inactivity, were not adequately blocking weak passwords, or were sending sensitive information via SMS.

The consumer body also discovered that some banks allowed access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyber attack.
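The two session controls the investigation refers to, forced logout after inactivity and flagging when one account is live from different browsers or IP addresses at the same time, as an added Python illustration. This is example code, not anything from Which? or the banks tested; the ten-minute timeout, the session-table design and the activity records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)  # assumed policy value; the report gives no figure

@dataclass
class Session:
    ip: str
    user_agent: str
    last_seen: datetime

class SessionMonitor:
    """Per-user session table: logs out idle sessions and flags concurrent
    sessions that come from a different IP address or browser."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.sessions: dict[str, dict[str, Session]] = {}  # user -> session_id -> Session

    def expire_idle(self, user: str, now: datetime) -> list[str]:
        # Force-logout every session with no activity inside the timeout window.
        live = self.sessions.setdefault(user, {})
        expired = [sid for sid, s in live.items() if now - s.last_seen > self.idle_timeout]
        for sid in expired:
            del live[sid]
        return expired

    def record(self, user, session_id, ip, user_agent, now):
        # Record one request; return (alerts, ids of sessions logged out for inactivity).
        expired = self.expire_idle(user, now)
        live = self.sessions[user]
        live[session_id] = Session(ip, user_agent, now)
        alerts = [f"{user}: {other} ({s.ip}, {s.user_agent}) live alongside {session_id} ({ip}, {user_agent})"
                  for other, s in live.items()
                  if other != session_id and (s.ip != ip or s.user_agent != user_agent)]
        return alerts, expired

# Constructed sample activity: (user, session id, client IP, browser, timestamp).
EVENTS = [
    ("alice", "s1", "203.0.113.5", "Firefox", "2022-06-01T09:00:00"),
    ("alice", "s1", "203.0.113.5", "Firefox", "2022-06-01T09:05:00"),
    ("alice", "s2", "198.51.100.7", "Chrome", "2022-06-01T09:06:00"),  # new browser and IP while s1 is live
    ("bob", "s3", "192.0.2.9", "Safari", "2022-06-01T09:00:00"),
    ("bob", "s4", "192.0.2.9", "Safari", "2022-06-01T09:20:00"),  # s3 has been idle for 20 minutes
]

def run_sample(events=EVENTS):
    monitor, alerts, expired = SessionMonitor(), [], []
    for user, sid, ip, ua, ts in events:
        a, e = monitor.record(user, sid, ip, ua, datetime.fromisoformat(ts))
        alerts += a
        expired += e
    return alerts, expired
```

On the sample, alice's second browser from a second address raises one alert, while bob's stale session is simply logged out before his new one is admitted, so nothing is flagged for him.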

Other banks were sending customer notifications which included a phone number or a weblink. Which? said that these can be a gift to scammers, who often replicate texts and emails to trick people into calling them or entering their details on a fake website.

Virgin Money ranked the lowest in the investigation, with Which? saying the bank did not adequately block insecure passwords or remove phone numbers from notifications.

Virgin Money also lacked the necessary security checks to pay someone new, change an email address or edit the details of a payee, it said.

A spokesperson for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

Over 29,100 cases of remote banking fraud were reported to UK Finance in the first half of 2022; these included scammers gaining access to customers’ bank accounts and making unauthorised transfers of money from them.

Commenting on the news, Sam Richardson, Which? Money deputy editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.”

He added: “By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”

