A new report says that major safety gaps in the online banking security systems of some of the UK’s biggest banks have been exposed by a new investigation by consumer group Which?
Banks have “concerning vulnerabilities” in security that could leave their customers exposed to fraud, according to the investigation by Which? and independent security experts 6point6.
The investigation looked at four main criteria: encryption, login, account management and navigation.
Tesco Bank received the lowest rating for online security in Which?’s testing, with an overall score of 46%.
Multiple security headers were missing from its webpages, the investigation found. Security headers protect customers against a range of cyberattacks, by telling users’ browsers how to behave when they communicate with the website.
Tesco Bank also failed to block testers from logging in to its website from two computer networks at the same time and also did not log out when switching to a different website or using the forward or back button to leave the session and return to it.
In response to the findings, Tesco Bank said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money. Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards.
“We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”
TSB finished second from bottom in the ranking with a score of 51%. The bank’s login process did not meet new regulations on “strong customer authentication” (SCA), introduced in March, the research found.
When Which? reported TSB’s non-compliance to the Financial Conduct Authority (FCA), it said that it “doesn’t comment on specific firms and would not confirm how many firms have been granted an effective SCA extension in relation to online banking,” according to Which?
To gain access, the TSB website only asked for fixed account details such as a name and password, which gives limited protection against cyberattacks. Under the SCA regulation, banks must add an extra layer of identification checks to ensure it is the customer logging into the online account.
TSB told Which? in November 2020 that it is “compliant with the regulation for all new customers and that SCA is being rolled out for existing online and mobile customers, but could not say when this will be completed.”
The forced upgrade has since been added for all mobile app users but is still in the process of being launched for online banking users.
TSB does offer a fraud refund guarantee, which means most customers who are victims of scams do get their money back.
TSB said: “Providing customers with safe and secure banking is a priority and we continue to invest in strengthening online and mobile protection for customers. We are the only bank that offers a guarantee to refund all innocent victims of fraud — including those who lose money to online scams.”
Santander came third from bottom in the ranking with a score of 62%. The researchers were able to bypass authentication checks when logging in to the bank’s website by designating a device as “trusted.” While Santander said it does require reauthorisation if it detects unusual activity, there is no option to view or “distrust” these devices, according to Which?
A Santander spokesperson said: “Santander takes online security very seriously and we invest a great deal in cyber security and fraud prevention and ensuring we protect our customers’ money and data safely and effectively.
“The Which? review only focuses on the customer-facing elements of security and it is important to understand that there are many other ‘back end’ measures that we employ to ensure we keep our customers safe whilst offering optimum customer experience.”
Starling Bank came top of the table for online security measures, scoring 85%. Its recently launched online banking website showed “nothing concerning.” This is partly due to “limited functionality,” as users can only change sensitive data through its app.
“Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption,” according to Which?”
To read full article on Yahoo CLICK HERE