Report Identifies Weaknesses in Online Banking Security

Some UK banks are letting their customers down with poor authentication and web security issues, according to a consumer rights group.

Which? once again teamed up with independent security consultants 6point6 to appraise the “front-end” security of 15 current account providers. It looked at four criteria: encryption and protection, login, account management and navigation.

The report found that, while all lenders followed strong customer authentication (SCA) rules as laid down in European banking regulations, some exposed their customers to SIM swapping attacks.

That’s because they used SMS-based two-factor checks: an attacker who has tricked the victim’s network operator into transferring the victim’s mobile phone number to a SIM under the attacker’s control then receives those one-time codes.

Lloyds, Metro, Nationwide, TSB, Santander and The Co-operative Bank all dropped points in the tests for this, although the latter two claimed they’re “looking to move away from SMS,” according to Which?.

The report also highlighted issues with insecure passwords.

“We were shocked to find that Triodos lets customers set insecure security words, including ‘password’, ‘1234567’ and ‘admin.’ The risk is mitigated by a two-factor authentication at login (using its physical ‘Digipass’ device) but there is no excuse for a bank to allow such weak credentials,” it argued.

“Six banks (HSBC, NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money) let you choose passwords that include your first name and/or surname. Santander told us this is being phased out, and NatWest and Virgin Money said they might increase password limitations after our investigation.”
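As an added illustration, not code from the Which? report or from any of the banks named, the following Python check rejects the weak security words quoted above and any credential containing the customer’s first name or surname; the minimum length, the denylist contents and the three-character name threshold are assumptions made for this example.

```python
"""Credential policy check illustrating the weaknesses the report describes."""
import re

# Constructed denylist, seeded with the weak values quoted in the report.
WEAK_WORDS = {"password", "1234567", "admin"}
MIN_LENGTH = 8  # assumed minimum; not a figure from the report


def _name_fragments(first_name: str, surname: str) -> list:
    """Split customer names into lower-case parts worth matching.

    Parts shorter than three characters (e.g. the surname "Li") are skipped
    so the rule does not reject almost every credential.
    """
    parts = set()
    for name in (first_name, surname):
        for part in re.split(r"[\s\-']+", name.lower()):
            if len(part) >= 3:
                parts.add(part)
    return sorted(parts)


def check_credential(candidate: str, first_name: str, surname: str) -> list:
    """Return the policy violations for a candidate; an empty list means OK."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if lowered in WEAK_WORDS:
        problems.append("common weak value")
    # Case-insensitive substring match against each name part, so
    # "JaneSmith2021!" is rejected just like "smith".
    for frag in _name_fragments(first_name, surname):
        if frag in lowered:
            problems.append(f"contains customer name '{frag}'")
    if re.fullmatch(r"\d+", candidate):
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    for value in ("password", "1234567", "admin", "JaneSmith2021!"):
        print(value, "->", check_credential(value, "Jane", "Smith"))
```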

Virgin Money was also singled out for allowing the researchers to set up a new payee without additional security steps.

The report also revealed three banks with vulnerable subdomains that could potentially be compromised, and one banking app which doesn’t require users to log in each time.

Overall, HSBC came top in the online banking security tests with a score of 81%, and First Direct was in first place for mobile banking security, with a score of 77%.