Online banking security flaws unearthed at major UK banks

Banks in the UK are exposing customers to fraud risk through flaws in their online banking security systems, a new Which? investigation has found.

Although UK banks are now required to carry out additional checks to verify customers when they log in, Which? found security flaws in the login process at several banks.

The research revealed that six banks – HSBC, NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money – let customers choose passwords that include their first name and/or surname.

Santander told Which? that this is being phased out, while NatWest and Virgin Money said that they might increase password limitations following the investigation.

The news comes as cases of internet banking fraud are on the rise, increasing by 97 per cent in the first half of last year, according to the consumer organisation.

The investigation was conducted alongside independent security experts 6point6, which tested the online and mobile app security of the 15 largest current account providers on a range of criteria including encryption and protection, login, and account management and navigation.

Metro Bank received the lowest score for online security, 53 per cent overall. Testers found several potential weaknesses in subdomains of the bank’s website that could allow an attacker to compromise the server, and two security headers missing from its website. Security headers are instructions a web server sends with each response telling the browser how to behave when it handles the site’s content, and they protect against a range of cyberattacks.
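Which? does not name the two headers that were missing, so the check below is an added example rather than anything from the investigation or from 6point6. It parses a constructed HTTP response (not captured from any bank) and reports which of a commonly expected set of security headers are absent or weak. The header list, the one-year HSTS baseline and the sample response are all assumptions made for the example.

```python
import re

# Constructed response header block, standing in for what a browser receives
# from a bank's login page. It is not taken from any bank Which? tested.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# Headers a login page is expected to send, and what each tells the browser to do.
# Which? did not name the two headers it found missing; this list is an assumption.
EXPECTED_HEADERS = {
    "strict-transport-security": "only ever connect over HTTPS",
    "content-security-policy": "only load scripts and other content from approved sources",
    "x-content-type-options": "do not sniff a response into a script",
    "x-frame-options": "do not let other sites frame this page (clickjacking)",
    "referrer-policy": "do not leak the full URL to third parties",
}

ONE_YEAR = 365 * 24 * 3600  # HSTS max-age baseline used here (an assumed policy)


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into a lower-cased name -> value map."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> list:
    """Return findings for missing or weak security headers; an empty list is clean."""
    findings = []
    for name, purpose in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name} (browser is not told: {purpose})")

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"strict-transport-security max-age={max_age} is under one year")
        if "includesubdomains" not in hsts.lower():
            # Relevant here: weak subdomains were the other issue Which? reported.
            findings.append("strict-transport-security does not include subdomains")

    csp = headers.get("content-security-policy", "")
    if re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append("content-security-policy allows inline scripts")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"x-content-type-options is {xcto!r}, expected 'nosniff'")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Run against the constructed response it reports three missing headers plus two weaknesses in the HSTS header that is present (a max-age of five minutes and no subdomain coverage). The same function can be pointed at the header block returned by any HTTP client once the status line and headers are captured as text.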

“Like all financial institutions we need to remain vigilant to protect our systems and security,” said a Metro Bank spokesperson. “In addition, we work with other banks collectively to help guard against fraud.”

They added: “We take our customers’ security extremely seriously and have a range of safeguards in place across all channels to help defend them against fraud. As well as the controls which are visible, we have controls in the background which support our customer journeys and provide invisible protection. We are continually evaluating and evolving our controls to prevent fraud.”

Similar subdomain issues were found at First Direct and Lloyds. First Direct addressed the vulnerability as soon as Which? reported it, and Lloyds said its subdomain was in the process of being decommissioned and ‘poses no security risk’.

Metro Bank was closely followed by Virgin Money, with a score of 56 per cent, while TSB came in at 59 per cent. FStech has reached out to the banks for comment.

“The safety and security of our banking services is our top priority and we are continually monitoring, assessing and improving our security controls,” said a spokesperson from Virgin Money.

TSB said that it was continuing to invest in strengthening online and mobile protection for customers and has introduced a number of features recently which aren’t captured in the results.

“Additionally, TSB tracks well across the industry on fraud with lower than average fraud losses,” added a spokesperson from the bank. “In contrast to the wider industry, we are the only bank that offers a guarantee to refund our customers should they ever fall victim to bank fraud.”

The investigation also discovered that ethical bank Triodos allows users to set insecure security words, including ‘password’, ‘1234567’, and ‘admin’. Which? said that while the risk is mitigated by two-factor authentication at login, there is “no excuse” for a bank to allow such weak credentials.
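The two credential findings above (passwords that contain the customer’s own name, and security words such as ‘password’ or ‘admin’) are both caught by a server-side policy check at the point the credential is set. The following is an added example of such a check, not code from Which?, 6point6 or any of the banks. The denylist, the minimum length and the leetspeak substitutions are assumptions chosen for the example; the three banned values quoted in the article are included among them.

```python
import re
import unicodedata

# Constructed denylist. The article names 'password', '1234567' and 'admin'
# as values one bank accepted; the others are common additions (an assumption).
BANNED_VALUES = {
    "password", "passw0rd", "1234567", "12345678", "123456789",
    "qwerty", "admin", "letmein", "welcome",
}

# Digit/symbol-for-letter substitutions, so 'J4n3' is still recognised as 'jane'.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalise(text: str) -> str:
    """Lower-case, strip accents and drop non-alphanumerics for comparison."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", stripped.lower())


def check_password(password: str, first_name: str, surname: str,
                   min_length: int = 10) -> list:
    """Return the list of policy violations; an empty list means the value is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    plain = _normalise(password)
    unleet = _normalise(password.translate(_LEET))

    # Reject anything containing the customer's own first name or surname,
    # in either the literal spelling or after undoing common substitutions.
    for label, name in (("first name", first_name), ("surname", surname)):
        n = _normalise(name)
        # Names under three characters ('Li') would match too many passwords.
        if len(n) >= 3 and (n in plain or n in unleet):
            problems.append(f"contains the customer's {label}")

    if plain in BANNED_VALUES or unleet in BANNED_VALUES:
        problems.append("is a commonly used value")

    if len(plain) >= 4 and len(set(plain)) == 1:
        problems.append("is a single repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ("Sm1th-Jane99", "1234567", "P@ssw0rd!!", "Tr0ub4dor&3-gazelle"):
        print(candidate, "->", check_password(candidate, "Jane", "Smith") or "accepted")
```

The name comparison runs on a normalised form (accents removed, punctuation dropped) so that ‘Zoë-Müller’ still matches a password built from ‘zoemuller’, and the denylist is consulted after undoing substitutions so that ‘P@ssw0rd’ is treated as ‘password’. A real deployment would also check the candidate against a large breached-password corpus, which is omitted here to keep the example self-contained.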

“Since Which? undertook this analysis we have rectified the error in automatic log out on our online banking and – while we already have Confirmation of Payee set up for inbound payments – it will also be functional for our customers’ outbound payments very shortly,” said Gareth Griffiths, head of retail banking, Triodos Bank UK. “While our focus as a bank is on sustainability and ethics, we are also committed to providing a great customer experience and offering award-winning customer service.”

TSB, Lloyds, Metro, Nationwide, Santander, and The Co-operative Bank also all still use SMS text messages to verify customers when they log in. Text messages can be intercepted or redirected, for example when a fraudster takes control of the customer’s phone number, so a one-time code sent by SMS can reach the criminal rather than the customer.

Santander and The Co-operative Bank told Which? that they are looking to move away from SMS.

Which? also found that Nationwide, TSB, and Virgin Money had not put in place the email authentication controls that tell receiving email providers to block or quarantine spoofed messages sent by scammers in the bank’s name.

TSB told Which? it has since introduced this protection. Virgin Money said this is in the works. Nationwide said it operates ‘a range of email security controls’ to protect members.
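The “blocked or quarantined” wording maps onto the policy levels of DMARC, the DNS-published policy that tells receiving mail providers what to do with messages that fail SPF and DKIM checks for a domain. The article does not name the mechanism, so treating it as DMARC is an assumption. The following added example (not from Which?, 6point6 or any bank) parses constructed `_dmarc` TXT records for placeholder domains and lists the reasons a spoofed message would still be delivered; an empty list means the policy would stop it.

```python
from typing import Optional

# Constructed _dmarc TXT records covering the three policy levels plus an
# absent record. The domains are placeholders, not the banks named above.
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank-a.example; adkim=s; aspf=s",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "bank-d.example": None,  # no record published at _dmarc.bank-d.example
}

# Relative strength of the three DMARC disposition policies.
_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record: Optional[str]) -> list:
    """Return why a message spoofing this domain would still be delivered; [] means it is stopped."""
    if record is None:
        return ["no DMARC record published: spoofed mail is delivered normally"]
    tags = parse_dmarc(record)
    if not tags:
        return ["record is not valid DMARC: receivers treat it as absent"]

    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: receivers only report failures, spoofed mail is delivered")

    # pct= lets a domain phase a policy in; anything under 100 leaves a gap.
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    # sp= overrides the policy for subdomains; it defaults to p when absent.
    sub_policy = tags.get("sp", policy).lower()
    if _STRENGTH.get(sub_policy, 0) < _STRENGTH.get(policy, 0):
        issues.append(f"sp={sub_policy}: subdomains get a weaker policy than the main domain")

    if "rua" not in tags:
        issues.append("no rua= address: the domain owner receives no reports of spoofing attempts")
    return issues


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", assess_dmarc(record) or ["spoofed mail is rejected"])
```

Only the first placeholder domain, with `p=reject` and no percentage or subdomain carve-out, would have a spoofed message stopped outright. The `p=none` record is the monitoring-only stage that leaves customers exposed, and the `p=quarantine; pct=10; sp=none` record shows how a nominally protective policy can still let most spoofed mail through. To check a real domain, fetch the TXT record at `_dmarc.<domain>` and pass its string to `assess_dmarc`.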

HSBC fared the best, with a score of 81 per cent – it was the only bank to score five stars for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards.

“Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised,” said Jenny Ross, Which? money editor. “Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords.

“We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”
