SCOTS banks have come under fire over worrying flaws in online banking security systems that could leave customers exposed to fraud.

A new investigation has found that some banks, including Clydesdale Bank owner Virgin Money, Edinburgh-based TSB and the RBS group, are still failing to use the latest protections for their websites and are allowing customers to set insecure passwords.

With cases of internet banking fraud up 97 per cent in the first half of 2021, there is concern too many banks are still neglecting important security protections.

A new probe into security at 15 of the largest account providers, carried out in November for the consumer organisation Which? by independent security experts 6point6, found that Virgin Money and Edinburgh-based TSB ranked in the bottom three for security.

The study, which assessed a range of criteria including encryption and protection, login, and account management and navigation, ranked Metro Bank bottom for online security with an overall score of just 53 per cent, followed by Virgin Money (56 per cent) and TSB (59 per cent).


Banks must now carry out extra checks to verify a customer's identity at login, because a password on its own can be easily guessed or stolen, but Which? found security flaws at several banks during the login process.

Six banks, including Virgin Money and the Edinburgh-based, taxpayer-owned Royal Bank of Scotland group, now known as NatWest Group, let customers choose passwords that include their own first name and/or surname.

Santander said this was being phased out, and NatWest and Virgin Money said they might tighten their password rules following the investigation. The other three of the six were Starling, HSBC and The Co-operative Bank.
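The password rule the investigation criticised is easy to enforce at the point where a customer sets a password. The following is an added example, not code from Which?, 6point6 or any of the banks named: it rejects a password that embeds the account holder's first name or surname, including the obvious disguised forms (case changes, hyphenated or run-together names, and look-alike digit substitutions such as "Sm1th"). The substitution table, the minimum fragment length and the sample names are assumptions made for the example.

```python
from __future__ import annotations

import re

# Added example (not Which?/6point6 code): reject passwords that embed the
# account holder's first name or surname, including disguised forms.

# Look-alike substitutions an attacker who knows the name would try.
# This table is an assumption; extend it as needed.
LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
# "1" is ambiguous ("i" or "l"), so every reading of it is kept.
AMBIGUOUS = {"1": "il"}
MIN_PART_LEN = 3  # ignore fragments like "Li" that would match almost anything (assumption)


def _readings(password: str) -> set[str]:
    """All lower-cased, de-leeted readings of the password."""
    readings = {""}
    for ch in password.lower():
        if ch in AMBIGUOUS and len(readings) <= 128:  # bound the branching
            readings = {r + sub for r in readings for sub in AMBIGUOUS[ch]}
        else:
            # Non-ambiguous char: apply LEET if listed, else keep it. If the
            # branching cap was hit, fall back to the first reading of "1".
            readings = {r + LEET.get(ch, AMBIGUOUS.get(ch, ch)[0]) for r in readings}
    return readings


def _name_parts(name: str) -> list[str]:
    """Fragments to search for: each hyphen/space-separated part plus the
    whole name run together, e.g. "Mary-Jane O'Neill" -> mary, jane, oneill,
    maryjaneoneill. Accented letters are dropped (limitation of this example)."""
    cleaned = re.sub(r"[^a-z\- ]", "", name.lower())
    parts = [p for p in re.split(r"[\- ]+", cleaned) if len(p) >= MIN_PART_LEN]
    joined = cleaned.replace("-", "").replace(" ", "")
    if len(joined) >= MIN_PART_LEN and joined not in parts:
        parts.append(joined)
    return parts


def password_violations(password: str, first_name: str, surname: str) -> list[str]:
    """Reasons to reject the password; an empty list means it passes this rule.
    Only the rule the investigation criticised is implemented here; a real
    policy also checks length, breached-password lists and reuse."""
    readings = _readings(password)
    violations = []
    for label, name in (("first name", first_name), ("surname", surname)):
        parts = _name_parts(name)
        if any(part in reading for reading in readings for part in parts):
            violations.append(f"password contains {label}")
    return violations


if __name__ == "__main__":
    # Constructed test data, not real customers.
    for pw in ("Sm1th2021!", "j0hn-Sm!th", "Tr0ub4dor&3"):
        print(pw, password_violations(pw, "John", "Smith") or "ok")
```

The check is deliberately run on every reading of the password rather than on the raw string, because a customer who is told "your surname is not allowed" will usually try the same name with a digit swapped in, which is exactly what a fraudster armed with a leaked name will also try.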

The research also found that TSB, Bank of Scotland owner Lloyds, Metro, Nationwide, Santander and The Co-operative Bank all still use SMS text messages to verify a login, leaving those messages "at risk of being hijacked by cybercriminals". Santander and The Co-operative Bank said they are looking to move away from SMS.

They also found that TSB, Virgin Money and Nationwide were not using email authentication controls that tell customers' email providers to block or quarantine spoofed messages sent in the bank's name by scammers (the protection a DMARC policy set to "reject" or "quarantine" provides). TSB said it has since introduced this protection, Virgin Money said it was in the works and Nationwide said it operates 'a range of email security controls' to protect members.
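The email protection described above is a published DMARC policy: a TXT record at _dmarc.&lt;domain&gt; whose p tag tells receiving mail providers what to do with mail that fails SPF/DKIM alignment. The following is an added example, not code from Which?, 6point6 or any bank named in the article: it parses a DMARC record and reports whether a spoofed message would be rejected, quarantined, delivered-but-reported, or simply delivered, including the two cases that often mislead a casual reader (a pct below 100 and a weaker sp subdomain policy). The domain names and records are constructed for the example and are not any real bank's DNS.

```python
from __future__ import annotations

# Added example (not Which?/6point6 code): read a domain's DMARC policy and
# say what a receiving mail provider will do with a message that spoofs it.
# DMARC (RFC 7489) lives in a TXT record at _dmarc.<domain>; the p tag is the
# instruction to receivers: none = deliver and report, quarantine = spam
# folder, reject = refuse. Only quarantine/reject actually stop spoofed mail.

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': ...}.
    Returns {} when the text is not a DMARC record: the first tag must be
    v=DMARC1 and every tag needs an '='. Surrounding quotes (as printed by
    dig) are stripped."""
    tags: dict[str, str] = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}
        key, value = (s.strip() for s in part.split("=", 1))
        if not tags and (key.lower() != "v" or value.upper() != "DMARC1"):
            return {}
        tags[key.lower()] = value
    return tags


def assess_dmarc(record: str | None) -> tuple[str, str]:
    """Return (category, explanation) for the fate of a spoofed message that
    fails SPF/DKIM alignment against this domain."""
    if record is None:
        return "missing", "no _dmarc record: spoofed mail is delivered and nobody is told"
    tags = parse_dmarc(record)
    if not tags:
        return "invalid", "not a DMARC record: receivers ignore it"
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 section 6.6.3: no valid p but a rua reporting address ->
        # receivers behave as if p=none; with neither, the record is ignored.
        if "rua" not in tags:
            return "invalid", "no usable p tag and no rua: receivers ignore it"
        policy = "none"
    if policy == "none":
        return "monitor-only", "p=none: spoofed mail is delivered, failures are only reported"
    pct_raw = tags.get("pct", "100")
    pct = min(int(pct_raw), 100) if pct_raw.isdigit() else 100
    sub_policy = tags.get("sp", policy).lower()  # subdomains default to p
    caveat = "" if sub_policy in ("quarantine", "reject") else f"; sp={sub_policy} leaves subdomains unprotected"
    if pct < 100:
        # The remainder gets the next weaker policy, not "no policy".
        fallback = "quarantine" if policy == "reject" else "none"
        return "partial", f"p={policy} for {pct}% of failing mail, {fallback} for the rest{caveat}"
    verb = "rejected" if policy == "reject" else "sent to spam"
    return "enforcing", f"p={policy}: spoofed mail is {verb}{caveat}"


# Constructed sample records for hypothetical domains; none are real banks.
SAMPLE_RECORDS: dict[str, str | None] = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example; pct=100",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "bank-d.example": None,  # nothing published at _dmarc.bank-d.example
    "bank-e.example": "v=spf1 include:_spf.example -all",  # SPF record, not DMARC
}


def assess_all(records: dict[str, str | None] = SAMPLE_RECORDS) -> dict[str, str]:
    """Category per domain, the shape a bulk check across providers would report."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        category, why = assess_dmarc(rec)
        print(f"{domain:16} {category:13} {why}")
```

To check a real domain, fetch the record with `dig +short TXT _dmarc.example.com` and pass the returned string to assess_dmarc; the `None` case corresponds to an empty answer. Note that a bank can publish p=none and truthfully say it "has DMARC" while still leaving spoofed mail deliverable, which is why the example distinguishes monitor-only from enforcing.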

HSBC came out on top for security, with a score of 81 per cent. It was the only bank to score five stars for both website encryption and account management, and it was rated A+ for cipher strength because it supports the latest encryption standards.

In a test of each provider's banking app, Virgin Money and TSB were again among the lowest ranked.

Lloyds, Nationwide, Santander and TSB dropped points because their online and mobile banking services require the same login credentials, so a credential stolen or phished from one channel can be reused on the other; the consumer organisation said it would prefer banks to require app-specific passcodes.

Which? said: "While online banking is a largely safe way to manage money, scammers are upping their game and the industry needs to keep pace.


"That is why we are calling for banks to work much harder to upgrade online security so they are providing high levels of protection for customers.

"If a fraudster does breach a bank’s defences and you lose money as a result, you have a legal right to a refund from your bank – unless it can demonstrate that you were ‘grossly negligent’ – in other words, unusually careless with your security details."

Last year TSB was reported to the financial regulator for failing to comply with the rules on online banking security.

Concerns were raised with the Financial Conduct Authority (FCA) about TSB's online banking login process after it joined fellow Edinburgh-based lender Tesco Bank as the worst-ranked in the UK in an earlier probe into online banking security flaws that could help criminals scam customers.

Jenny Ross, Which? money editor, said: “Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised.

“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”


A TSB spokesman said: “We continue to invest in strengthening online and mobile protection for customers and have introduced a number of features recently which aren’t captured in these results. Additionally, TSB tracks well across the industry on fraud with lower than average fraud losses. In contrast to the wider industry, we are the only bank that offers a guarantee to refund our customers should they ever fall victim to bank fraud.”

A Virgin Money spokesperson said: “The safety and security of our banking services is our top priority and we are continually monitoring, assessing and improving our security controls.”

A Lloyds Banking Group spokesman said: “Keeping our customers’ money and data safe is our priority and we have robust, multi-layered security across online and mobile banking services to protect against cyber security threats. We employ world-class experts in the cyber-security field, who work to deliver the right balance of online security measures, customer experience and accessibility. We continuously evolve and invest in our safeguards and have fully decommissioned the legacy Lloyds Bank sub-domain referenced.”

A NatWest Group spokesman added: “Security continues to be a high priority for NatWest Group to keep our customers and the bank safe. We continue to invest in our digital security capabilities, leveraging market leading technologies – for example, multi-factor authentication and our work on biometrics – to deliver simple and secure banking services for our customers.”