Date: 2023-02-07

Edinburgh-based TSB and Virgin Money, which owns Clydesdale Bank, have been identified among several banks that were missing basic online and app protections.

It comes as UK Finance, which represents 300 banks, found 29,102 cases of remote banking fraud were reported in the first half of 2022 leading to losses of £84.8m. This involves unscrupulous scammers gaining access to consumers’ bank accounts via their internet, telephone or mobile banking and making an unauthorised transfer of money from the account.

Research by the consumer organisation Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies.

The banks were scored across four key categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.

Among other issues, banks were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, which is the least secure approach, and failing to log customers out after five minutes of inactivity.

They also lost points for allowing access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyber attack, and for sending customers notifications that include a phone number or web link. The latter can be a gift to scammers who often replicate texts and emails to trick people into calling them or entering their details on a fake website.

Clydesdale owner Virgin Money got the lowest total scores for online (52%) and app (54%) banking. Virgin Money’s poorest scores for online banking were in the navigation and logout and account management categories – it got two stars out of five for both. It also scored just two stars for the encryption on its app.

Red Maple Technologies found six outdated Virgin Money web applications which had potential vulnerabilities.

The bank noted minor vulnerabilities on three and said these will be corrected.

The research found that Virgin Money did not adequately block insecure passwords or remove phone numbers from notifications.

And it found "worryingly" that there were no security checks to pay someone new, change an email address or edit the details of a payee.

Which? had several concerns when it came to Edinburgh-based TSB, which scored 57% for its app, the second lowest, but got a slightly higher score of 66% for its online offering.

It found that it still asked basic security questions such as ‘name your favourite food’ to recover login details.

It also failed to block insecure passwords and only required six characters when banks should encourage much longer passwords.

Red Maple Technologies found a "potentially vulnerable" subdomain and two outdated which Which was told would be removed in 2023.

TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications.

Starling came out top for online banking security (82%), scoring five stars in almost every category.

The consumer organisation believes the banking industry must improve its cyber defences against scammers, who are becoming increasingly sophisticated in their methods.

The consumer champion wants improvements that would see weak passwords blocked and also believes that sensitive data should not be sent via SMS text messages as these can be intercepted.

They say that if the worst happens and consumers do fall victim to remote banking fraud, in many cases they will be entitled to a refund from their bank.

Sam Richardson, Which? Money deputy editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.

“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”

A spokesman for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

A TSB spokesman added: “We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers. Which’s investigation is only front-end – and therefore does not detect the back-end capabilities we have in place that strengthen customer safety every day. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”