Online banking customers face worrying fraud risks, according to Which?

The consumer group urged vendors to “improve their game” by using the latest protections for their websites and not allowing customers to set insecure passwords.

It conducted a survey with 6point6 security experts, testing the security of online and mobile applications from 15 leading current account providers on a range of criteria, including encryption and protection, logging in, managing accounts and browsing.

Six banks – HSBC, NatWest, Santander, Starling, the Co-operative Bank and Virgin Money – allow people to choose passwords that include their first and/or last name, the research found.

Santander told Which? this is being phased out, while NatWest and Virgin Money said they may now increase password restrictions.

TSB, Lloyds, Metro, Nationwide, Santander and the Co-operative Bank also used texts to verify people when logging in, leaving messages at risk of being hijacked by cybercriminals, Which? noted.

Santander and the Co-operative Bank told Which? they were trying to get away from it.

Our security tests have revealed worrying flaws when it comes to protecting people from the threat of having their account compromised.

Jenny Ross, Which?

Which? also claimed that Nationwide, TSB and Virgin Money do not use software to ensure that fraudulent messages sent by potential scammers are blocked or quarantined by someone’s email provider.

TSB told Which? it has since introduced this protection. Virgin Money said it was in the process of doing so. Nationwide said it has a “range of email security controls” to protect members.

HSBC scored highest for online banking security, scoring five stars for website encryption and account management. First Direct, a division of HSBC UK, was ranked number one for mobile application security.

Metro Bank was ranked last for online security, while Monzo was ranked last by Which? for the security of mobile applications.

We strongly disagree with this assessment

Monzo spokesperson

Which? said Monzo doesn’t ask people to log in every time, with the bank saying it was a “conscious design decision to strike a balance between risk and customer experience.”

A spokesperson for Monzo said: “We strongly disagree with this assessment. Since every sensitive action or payment requires a customer to provide additional authentication in the form of a PIN or biometric data, the risk associated with staying signed in to the Monzo app is extremely low.

“We take security very seriously and focus on the policies and practices that we believe to be the safest for Monzo customers.”

Metro Bank said, “Like all financial institutions, we must remain vigilant to protect our systems and our security.

“In addition, we work collectively with other banks to protect ourselves against fraud. We take the security of our customers very seriously and have a range of protections in place across all channels to help them defend against fraud.

“In addition to the controls that are visible, we have background controls that support our customer journeys and provide invisible protection. We continually assess and evolve our controls to prevent fraud.”

Which? said the criteria reviewed included encryption and protection, logging in, managing accounts and browsing.

It said every bank and building society has behind-the-scenes security processes that Which? cannot legally test.

We employ world-class cybersecurity experts

Lloyds Banking Group

Jenny Ross, Which? Money editor, said: “Banks must lead the battle against fraud, but our security tests have revealed worrying loopholes when it comes to protecting people from the threat of having their accounts compromised.

“Our research reinforces the need for banks to improve their level of fraud prevention by using the latest protections for their websites and by not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers by text message, as this could leave the door open for fraudsters.”

Banks have stressed that security is a top priority.

TSB said it has several security features that are not factored into the results and highlighted its fraud reimbursement guarantee.

Virgin Money said, “The safety and security of our banking services is our top priority and we continuously monitor, evaluate and improve our security controls.”

Co-operative Bank said it is constantly reviewing controls to keep banking operations secure.

HSBC Group said, “We deploy advanced cybersecurity controls and identify and respond to threats in a timely manner.”

Lloyds Banking Group said, “We have robust, multi-layered security for online and mobile banking to protect us against cybersecurity threats. We employ world-class cybersecurity experts.”

Nationwide said, “We use 24 hour defenses to monitor our systems and look for suspicious activity.”

NatWest Group said, “We continue to invest in our digital security capabilities, leveraging market leading technologies – for example, multi-factor authentication and our work on biometrics – to provide simple and secure banking services to our customers.”

Santander said it continues to “invest a lot to ensure the safety of our customers”.

Starling Bank said it has integrated security technology into its application and systems “to provide customers with an easy-to-use, secure and seamless experience.”