Intelligent Issue 05 | Page 25

Which ? research has found that basic security flaws on some of the biggest banks ’ websites and apps are putting consumers at increased risk of falling victim to fraud .

The research comes after 29,102 cases of remote banking fraud were reported to UK Finance in the first half of 2022 . This involves unscrupulous scammers gaining access to consumers ’ bank accounts via their internet , telephone or mobile banking and making an unauthorised transfer of money from the account .
Which ? tested the customer-facing security systems of 13 current account providers from September to November 2022 , with help from Red Maple Technologies . The banks were scored across four key categories – login , navigation and logout , account management and encryption – for both their online banking security and app security .
Among other issues , banks were marked down for not adequately blocking weak passwords , sending one-time passcodes or other sensitive information via text messages , which is the least secure approach and failing to log customers out after five minutes of inactivity .
They also lost points for allowing access to accounts from multiple web browsers or IP addresses at the same time , without flagging this as a potential cyberattack and for sending customers notifications that include a phone number or web link . The latter can be a gift to scammers who often replicate texts and emails
Recently , Which ? revealed that poor bank security is putting consumers at risk from fraud . To address this , we asked two experts about what can banks do to better protect themselves and their customers . They share their thoughts below .


to trick people into calling them or entering their details on a fake website .
Virgin Money got the lowest total scores for online ( 52 %) and app ( 54 %) banking . Virgin Money ’ s poorest scores for online banking were in the navigation and logout and account management categories – it got two stars out of five for both . It also scored just two stars for the encryption on its app .
Red Maple Technologies found six outdated Virgin Money web applications which had potential vulnerabilities . The bank noted minor vulnerabilities on three and said these will be corrected . Virgin Money did not adequately block insecure passwords and remove phone numbers from notifications . Worryingly , there were no security checks to pay someone new , change an email address or edit the details of a payee . Which ? also found issues with website session management , though the bank said it plans to improve this in early 2023 .
Which ? had several concerns when it came to TSB , which scored 57 % for its app , the second lowest , but got a slightly higher score of 66 % for its online offering . It still asks basic security questions such as ‘ name your favourite food ’ to recover login details . It also failed to block insecure passwords and only requires six characters – banks should encourage much longer passwords . Red Maple Technologies found a potentially vulnerable subdomain , which TSB said will be removed in 2023 and two outdated web applications .

E D I T O R ’ S Q U E S T I O N