Vladimir Gerasimov - stock.adobe

Online banks still riddled with cyber security flaws, report says

Online bank Virgin Money was found to have the weakest online and application security measures in a Which? study but Nationwide, TSB and The Co-Operative Bank all failed on multiple points, too.

The websites and mobile applications of some of the UK’s most popular retail banks are riddled with security flaws that are putting consumers at risk of falling victim to digitally enabled fraud, according to a report from consumer organisation Which?.

Out of the banks assessed by Which? and security testing specialists Red Maple, Virgin Money, Nationwide, TSB and The Co-Operative Bank scored lowest for website security, while the most secure services were offered by Starling, HSBC, NatWest and Lloyds. First Direct, Barclays and Santander all scored somewhere in the mid-range.

For mobile app security, for which Red Maple also tested US newcomer Chase, and Monzo, the worst scorers were Virgin Money, TSB and Lloyds, and the most secure HSBC, Barclays and Starling.

Banks found themselves marked down on multiple measures, including failing to block weak passwords, sending one-time passcodes and sensitive data via SMS, and whether inactive customer browser sessions timed out or not. Points were also docked for allowing account access via multiple browsers or IP addresses at once.

“Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly,” said Sam Richardson, deputy editor at Which? Money.

“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”

Virgin on risky

Virgin Money, which was also one of the worst-rated banks in Which?’s 2022 study, scored just 52% overall out of a possible 100% on its website, and 54% on its app. It found to have the weakest measures in place. Virgin Money failed on multiple counts but in particular on navigation and logout and account management.

Red Maple said it found a total of six outdated Virgin Money apps with potential vulnerabilities. Of particular concern, Virgin Money does not properly block weak passwords or redact phone numbers on notifications, nor does it impose security checks if an account holder wants to make a payment to somebody new, change an email address, or edit a payee’s details.

Testing criteria

Which? and Red Maple conducted tests across four categories:

  1. Encryption, covering aspects such as transport layer security (TLS), domains and subdomains that shouldn’t be publicly exposed but are, scripts that load from external sources, and whether or not mobile apps run on rooted devices;
  2. Login, covering what banks ask customers for when logging in, including whether or not they allow insecure passwords, or whether they require the customer to use an individual card reader to access their accounts, and the use of easily compromised SMS passcodes;
  3. Account management, covering how banks allow customers to make and verify changes to their details;
  4. And navigation and logout, covering aspects such as session management policies governing simultaneous access on multiple browsers, and session timeout policies if a user goes inactive.

TSB, which scored 66% for its website and 57% for its app, was found to have a highly lax and outdated approach to password security, and for exposing a potentially vulnerable subdomain to the public internet. It was also docked points for still using SMS-based security, not alerting users to changes, and including phone numbers in new-payee notifications. Nationwide, which scored 63% for online and 67% for mobile banking, slipped up when it came to notifying customers of changes to details.

“The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls,” said a Virgin Money spokesperson.

“A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

A TSB spokesperson said: “'We continue to invest in our online and mobile services – and work with globally leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention, and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”

A Nationwide spokesperson added: “Nationwide takes the security of its members and their money very seriously. We are never complacent and conduct regular testing of our systems to ensure that we maintain an appropriate level of protection, whilst ensuring a positive user experience. We will take the points raised by Which? on board as we continue to evolve our digital services.”

At the other end of the spectrum, Starling scored well across all categories, and was particularly commended for its joined-up approach to online and app security – it uses its app to authorise online logins and alert customers to suspicious activity. HSBC also performed consistently well, with few issues found on either its website or app.

Which? called for the retail banking sector to do more to improve cyber defences against increasingly sophisticated scammers, and is urging the industry to make improvements that would see weak passwords blocked, and a more mature approach to data sharing.

Read more about fraud

Read more on Hackers and cybercrime prevention

Data Center
Data Management