Banks accused of neglecting customer security measures
Many UK retail banks are leaving their customers exposed to fraud by failing to implement website protections and allowing customers to set laughably insecure passwords to use their online services, according to consumer rights organisation Which?.
Which?’s investigation, carried out with help from security firm 6point6, examined the web and mobile app security of the UK’s 15 largest current account providers, measuring criteria such as encryption and security, login, and account management and navigation.
The banks were rated on a scale from 1-100%, and although none of the organisations surveyed fell into the bottom half of that scale, the worst-rated banks – Metro Bank, Virgin Money and TSB – scored 53%, 56% and 59%, respectively.
“Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised,” said Jenny Ross, money editor at Which?.
“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”
Among the problems uncovered, Which? said Metro Bank had scored lowest for a number of reasons, including its continued use of SMS texts to verify customers when they log in, which leaves those messages at risk of being intercepted or hijacked by malicious actors, and weaknesses in subdomains of its website that could allow its servers to be compromised. It also said two security headers were missing altogether from Metro Bank’s website, meaning a customer’s browser is never told to apply the protections those headers control and falls back to its less secure defaults.
Virgin Money, meanwhile, was hauled up for allowing customers to set passwords that incorporate their first and last names, and for failing to use DMARC protections, which let receiving mail servers block or quarantine spoofed emails that scammers send in the bank’s name. TSB also lost points for the same reason, because its online and mobile banking services used the same credentials, and for its ongoing use of SMS verification at login.
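The DMARC finding comes down to a single DNS TXT record published at _dmarc.&lt;domain&gt;. Whether it protects customers depends on its policy tag: p=none only asks receivers to report spoofing, while p=quarantine or p=reject with pct=100 actually stops it. The Python below is an added example written for this article, not code from Which?, 6point6 or any of the banks named; the domain names and TXT records it classifies are constructed samples, and the live lookup helper at the end depends on the third-party dnspython package and is only needed against real domains.

```python
from typing import Dict, Optional, Tuple

# Constructed sample TXT records for hypothetical domains (not real bank records).
# In DNS each of these would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=s",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:reports@quarantine.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "subdomains.example": "v=DMARC1; p=reject; sp=none",
    "absent.example": None,
    "notdmarc.example": "v=spf1 include:_spf.notdmarc.example -all",
}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns None when the record is absent or is not a DMARC1 record
    (for example an SPF record that was published at the wrong name).
    """
    if not record:
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # tolerate stray separators and trailing semicolons
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[str, str]:
    """Say whether a DMARC record actually blocks or quarantines spoofed mail.

    Status is one of: missing, invalid, monitor-only, partial, enforcing.
    The reason string explains the verdict for a report.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", "no valid DMARC record published"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", f"p= tag missing or unrecognised ({policy!r})"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # treat an unparseable pct= as the default of 100
    if policy == "none":
        return "monitor-only", "p=none only reports spoofing, it never blocks it"
    if pct < 100:
        return "partial", f"p={policy} is applied to only {pct}% of failing mail"
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p= unless sp= is set
    if sub_policy == "none":
        return "partial", f"p={policy} for the domain but sp=none leaves subdomains unprotected"
    return "enforcing", f"p={policy} is applied to all failing mail"


def lookup_dmarc(domain: str) -> Optional[str]:
    """Fetch the live record with dnspython, if installed; returns None if not found.

    Network access is only needed for this helper; everything else runs offline.
    """
    try:
        import dns.resolver  # third-party package, not part of the standard library
    except ImportError:
        return None
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except Exception:  # NXDOMAIN, NoAnswer, timeouts: all mean "no usable record"
        return None
    for rdata in answers:
        text = b"".join(rdata.strings).decode("utf-8", "replace")
        if text.upper().startswith("V=DMARC1"):
            return text
    return None


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, reason = assess_dmarc(record)
        print(f"{domain:22} {status:13} {reason}")
```

Only the "enforcing" verdict matches what the article credits DMARC with; a p=none record, a low pct= roll-out, or sp=none on a domain with many subdomains all leave room for spoofed mail to reach customers' inboxes.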
But these were not the only banks found to be taking a slapdash attitude to customer cyber security. Which? also highlighted Triodos Bank for allowing customers to use unsafe credentials, and Monzo, which was cited for an insecure mobile app that, among other things, does not ask users to log in each time they open it.
Other issues were found at HSBC, NatWest, Santander, Starling Bank and the Co-Operative Bank, which all still permitted easily guessed passwords that could contain personal information. Meanwhile, Lloyds, Nationwide, Santander and the Co-Operative Bank were also found to still be using SMS verification, First Direct and Lloyds both had insecure websites, and Nationwide lagged on DMARC.
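The password findings for Virgin Money, TSB and the five banks just named all come down to one missing control at the point where a customer chooses a password: rejecting anything that contains the customer’s own name, email address or date of birth. The Python below is an added example written for this article, not code from Which?, 6point6 or any bank. The customer record is constructed and the field names (first_name, last_name, email, dob) are assumptions; it goes slightly beyond the article by also catching leetspeak substitutions and reversed names, which an attacker guessing from a customer’s public profile would try first.

```python
import re
import unicodedata
from typing import Dict, List, Optional

# Simple leetspeak folding so "M0rg@n" is judged the same as "morgan".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _fold(text: str) -> str:
    """Lower-case, strip accents and drop everything but a-z and 0-9."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_tokens(customer: Dict[str, str], min_len: int = 3) -> List[str]:
    """Collect the pieces of a customer record a password must not contain.

    Field names (first_name, last_name, email, dob) are assumptions for this
    example. Longest tokens come first so the most specific match is reported.
    """
    tokens = set()
    values = [customer.get("first_name", ""), customer.get("last_name", ""),
              customer.get("email", "").split("@")[0],  # local part only
              customer.get("dob", "")]
    for value in values:
        for piece in re.split(r"[^0-9A-Za-z]+", value):
            folded = _fold(piece)
            if len(folded) >= min_len:
                tokens.add(folded)
        digits = re.sub(r"\D", "", value)
        if len(digits) >= 4:  # e.g. a full date of birth as one run of digits
            tokens.add(digits)
    return sorted(tokens, key=lambda t: (-len(t), t))


def contains_personal_data(password: str, customer: Dict[str, str]) -> Optional[str]:
    """Return the personal token found in the password, or None if it is clean.

    The password is checked as typed, with leetspeak folded, and reversed.
    """
    tokens = personal_tokens(customer)
    variants = [
        _fold(password),
        _fold(password.lower().translate(LEET)),
        _fold(password)[::-1],
    ]
    for variant in variants:
        for token in tokens:
            if token in variant:
                return token
    return None


# Constructed customer record for the example (not a real person).
EXAMPLE_CUSTOMER = {
    "first_name": "Alex",
    "last_name": "Morgan",
    "email": "alex.morgan@example.com",
    "dob": "1987-04-12",
}

if __name__ == "__main__":
    for candidate in ["M0rgan!2024", "xelaQ42!", "Alex1987", "correct horse battery staple"]:
        hit = contains_personal_data(candidate, EXAMPLE_CUSTOMER)
        print(f"{candidate!r:34} -> {'reject (' + hit + ')' if hit else 'ok'}")
```

This check belongs alongside, not instead of, a minimum length and a breached-password list; it only closes the specific gap the report describes, where a password built from the customer’s own name or birthday is accepted.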
Which? said the findings were particularly alarming given that cases of internet banking fraud almost doubled during the first six months of 2021. However, at the other end of the scale, its testers praised HSBC for having paid close attention to cyber security and particularly encryption, scoring well across all tested categories to achieve a total of 81%. NatWest (along with Royal Bank of Scotland) and Barclays were the other two high scorers.
Which? said that although online banking is generally safe, cyber criminals are constantly upping their game and the banking sector needs to do more to keep pace with them. It is calling on all those surveyed to do more to improve the security of their online services.
Brett Beranek, vice-president and general manager of Nuance’s security and biometrics business, commented: “This latest warning from Which? about password security should come as no surprise. PINs and passwords are an archaic tool, no longer fit for purpose. Passwords are being sold on the dark web, exploited for fraudulent activity and have even cost unfortunate individuals huge sums of money in terms of forgotten passwords to safeguard cryptocurrencies.
“With fraud on the rise, it has never been more important for banking leaders to ensure that their customers are provided with a more sophisticated and secure experience. Biometrics authenticates individuals immediately based on their unique characteristics – taking away the need to remember PINs, passwords and other knowledge-based credentials prone to being exploited by fraudsters and providing peace of mind, as well as security, for end-users.”