A SCOTS bank has been reported to the finance regulator for failing to comply with rules over online banking security.
Concerns have been raised with the Financial Conduct Authority (FCA) about Edinburgh-based TSB bank's online banking login process, after it joined Edinburgh-based Tesco Bank at the bottom of a UK-wide probe into flaws in online banking security that could help criminals to scam customers.
The consumer organisation Which? found, in tests of the bank's online banking conducted in September, that it did not meet the new regulations on "strong customer authentication" (SCA) introduced in March.
It found a breach because all that was required to log in to the account was a username and password; there was no second stage, such as a passcode sent by text message.
The second stage should have been part of the login process, as it became a requirement for banks in March.
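What the missing second stage looks like in code, as an added example (not code from TSB, Tesco Bank, Which? or 6point6): a login that requires both a password and a time-based one-time code, and rejects the password on its own. It uses an authenticator-app code (RFC 6238 TOTP) rather than the SMS passcode the article mentions, because it can be demonstrated offline; the user record, salt and TOTP secret are constructed for the example.

```python
"""Two-stage login: a password (something the customer knows) plus a
time-based one-time code (something they possess), the kind of second
stage the article says was absent.

Added example, not code from TSB, Tesco Bank or Which?. It uses an
authenticator-app code (RFC 6238 TOTP) rather than an SMS passcode because
it can be shown offline; the user record, salt and secret are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. The TOTP secret is the RFC 6238 test key so the
# codes can be checked against the RFC's own vectors.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "salt": _SALT,
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,   # highest time step already used; blocks replay
    }
}
_DUMMY_HASH = hash_password("dummy", _SALT)


def login(username: str, password: str, code: str | None, now: int) -> bool:
    """Both factors must pass; a correct password alone is rejected."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid usernames.
    expected = user["pw_hash"] if user else _DUMMY_HASH
    salt = user["salt"] if user else _SALT
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if user is None or not password_ok:
        return False
    if code is None:
        return False   # this is the password-only login the testers flagged
    step = now // 30
    # Accept one step either side for clock skew, never a step already used.
    for counter in (step - 1, step, step + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    print("password only:", login("alice", "correct horse battery staple", None, 59))
    print("password + code:", login("alice", "correct horse battery staple", "287082", 59))
    print("replayed code:", login("alice", "correct horse battery staple", "287082", 59))
```

The `last_counter` bookkeeping is the part most toy implementations omit: without it a passcode intercepted in transit can be replayed for the rest of its 30-second window, which defeats much of the point of the second stage.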
It came as part of an investigation scrutinising the online banking safety measures in place across the largest current account providers, with the help of independent security experts 6point6.
It found that some of the biggest banks, such as Santander, Tesco Bank and TSB, had "concerning vulnerabilities" in security that could leave their customers exposed to fraud.
It is now calling for the voluntary code which compensates blameless bank transfer scam victims to be made mandatory.
While online banking is a largely safe way to manage money and this is being enhanced by measures such as behavioural biometrics, where firms analyse the unique way you hold a device, to stop fraud, the consumer organisation said it was concerned that the issues exposed by its investigation "highlight that banks could do more to prioritise security above all else".
"In some of these instances, there is the potential for scammers to access information which could be used as the building blocks of a sophisticated scam - arming a fraudster with enough sensitive information to pull off convincing cons, such as posing as a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one," said the consumer organisation.
But Which? said that the victims of these scams - which potentially have lax bank security measures at their heart - then face a "double blow" as some "disregard" the obligations to reimburse victims that they signed up to last year.
Tesco Bank received the poorest rating for online security in Which?'s testing, with an overall score of just 46 per cent.
Researchers found multiple security headers missing from its webpages. These HTTP response headers are considered important because they tell the browser how to behave when it communicates with the website, and so protect against a range of cyberattacks.
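The kind of check the testers describe, as an added example (not code from Which?, 6point6 or any bank): given a page's response headers, report which of a baseline set are missing or carry a weak value, and score the result. The baseline and the acceptable values are this example's own assumptions, since the article does not say which headers Tesco Bank's pages lacked; the two responses are constructed, not captured from any bank, so the script runs offline.

```python
"""Security-header check of the kind the Which?/6point6 testers describe.

Added example, not code from Which?, 6point6 or any bank. The baseline
(which headers, which values) is this example's own assumption; the article
does not say which headers Tesco Bank's pages lacked. Responses are
constructed dicts, so this runs offline.
"""
from __future__ import annotations

from typing import Callable


def _hsts_ok(value: str) -> bool:
    """Require max-age of at least one year and includeSubDomains."""
    parts = [p.strip().lower() for p in value.split(";")]
    max_age = next((p for p in parts if p.startswith("max-age=")), None)
    if max_age is None:
        return False
    try:
        age = int(max_age.split("=", 1)[1])
    except ValueError:
        return False
    return age >= 31_536_000 and "includesubdomains" in parts


def _csp_ok(value: str) -> bool:
    """Require a default-src fallback and no 'unsafe-inline' scripts."""
    directives: dict[str, list[str]] = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, rest = directive.partition(" ")
        directives[name.lower()] = rest.lower().split()
    if "default-src" not in directives:
        return False
    return "'unsafe-inline'" not in directives.get("script-src", [])


# Assumed baseline: header name -> predicate that its value must satisfy.
BASELINE: dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower()
    in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    # Authenticated banking pages must not be stored by browser or proxy caches.
    "cache-control": lambda v: "no-store" in v.lower(),
}


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: problem} for every baseline header that is missing or weak."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems: dict[str, str] = {}
    for name, ok in BASELINE.items():
        if name not in lower:
            problems[name] = "missing"
        elif not ok(lower[name]):
            problems[name] = f"weak value: {lower[name]!r}"
    return problems


def header_score(headers: dict[str, str]) -> int:
    """Percentage of baseline headers present with an acceptable value."""
    total = len(BASELINE)
    return round(100 * (total - len(check_headers(headers))) / total)


# Constructed sample responses (not captured from any bank).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.bank.example; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store, no-cache, must-revalidate",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {header_score(resp)}%")
        for header, problem in check_headers(resp).items():
            print(f"  {header}: {problem}")
```

Presence alone is not the bar: a `Strict-Transport-Security` header with a five-minute max-age or an `X-Frame-Options` value browsers no longer honour is reported as weak rather than counted as a pass, which is why the checker carries a predicate per header instead of a plain name list.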
It also failed to block testers from logging in to the website from two computer networks at the same time.
It also found that the website failed to log out consumers when switching to a different website or using the forward/back button to leave the session and return to it.
TSB finished second from bottom with a score of 51 per cent.
But the research found that TSB customers do at least enjoy some "peace of mind" due to the bank’s fraud refund guarantee, which ensures the "vast majority" of scam victims get their money back.
Santander rounded off the bottom three, with a score of 62 per cent. Testers found that authentication checks when logging in can be bypassed if a user designates a device as ‘trusted’.
It was the less well-known names that performed better.
Starling came out on top, with a score of 85 per cent. Experts found nothing concerning with its recently launched online banking website.
But they said this is partly due to limited functionality, as users can only change sensitive data via the app.
Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption.
Which? is calling for the voluntary bank transfer scams code to be overhauled so that stronger consumer protections and reimbursement for fraud victims become mandatory for all banks and payment providers.
The code developed by the banking industry and consumer groups and launched in May, 2019, compensates those who are tricked into transferring money directly to a fraudster, in situations where neither the victim, nor their bank, is to blame.
Previously, victims of authorised push payment (APP) scams had lost large amounts of cash forever, because they had authorised the transfer and so were not entitled to claim the money back from their bank.
More than £89.2 million has been reimbursed to thousands of customers since the code was introduced.
But concerns persist that banks are not applying the code in a uniform manner and may sometimes be interpreting the code too narrowly by expecting customers to have sophisticated financial knowledge or relying on customers seeing generic scam warnings as a reason to turn down claims.
Which? said the FCA should be required to regularly publish reimbursement rates of individual banks so consumers can check on their account provider’s performance.
Many of the banks included in the investigation were signed up to the industry code on bank transfer scams, which pledges to reimburse scam victims who are not at fault.
However, the number of victims who get their money returned by banks is worryingly low, standing at around the 40 per cent mark, the consumer organisation said.
Because firms apply the code inconsistently and are not required to publish their reimbursement rates, scam victims face a "lottery" when it comes to getting their money back, it said.
Harry Rose, editor of Which? said: “Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised.
“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”
TSB said: "Providing customers with safe and secure banking is a priority and we continue to invest in strengthening online and mobile protection for customers.
"We are the only bank that offers a guarantee to refund all innocent victims of fraud – including those who lose money to online scams."
Tesco Bank said it will consider the findings when prioritising "potential areas for further enhancement" to customer security this year "against other customer and risk priorities".
"At Tesco Bank, we take the security of our customers very seriously. Many of the security measures we use on customers’ behalf are not visible to external parties, and these measures invalidate a number of the findings of this survey. Customers can be assured we have robust security measures in place to protect them and their accounts.
“We use the latest technology to protect and manage the security of online banking and our mobile banking app, giving customers peace of mind they can bank safely and securely with us. All of our controls are under constant review to ensure Tesco Bank is and remains a safe place to bank."