- Banks take a fragmented approach to customer security, Which? research shows
- TSB ranked lowest in mobile app security and second lowest in online security
- Starling and NatWest are best in online security and HSBC in mobile applications
Customers who bank with TSB and Co-op are more at risk of online and mobile banking scams, research shows.
Weaknesses in some banks’ security measures for mobile and online banking could leave customers more exposed to scammers, new data from Which? reveals.
TSB ranked lowest for mobile app security and second lowest for online security among the banks Which? investigated.
Thirteen major banks were tested for their login procedures, security, account management and navigation, and automatic logout and then ranked.
TSB was the only bank to earn two stars out of five for online account management and two stars for security best practices for its app.
Well protected: Which? has investigated how well banks protect customers from fraud
The biggest problem Which? found with the TSB app is that other apps running on the phone can read sensitive data.
The app was also found to store user credentials insecurely, making it more likely that other apps could access them.
Another problem is that TSB specifically asks users to “trust” a device, but does not offer a way to “untrust” it afterwards.
The bank also sent a phone number in an SMS alert, which could be replicated by scammers.
TSB’s password requirements are just six characters, meaning users can still choose a variety of insecure passwords that are easier for scammers to crack.
Despite ranking poorly in mobile apps and online security, TSB is currently the only bank to offer a Fraud Refund Guarantee, which fully refunds customers who have been victims of fraud.
TSB said: “We continue to strengthen the security of our mobile and internet banking while delivering a positive and convenient user experience for customers. This is reflected in our high ratings in the app store.”
Co-operative Bank
Co-op ranked worst for online security, receiving three stars for both account management and navigation.
When it comes to security in its mobile app, Co-op came in second to last with a score of 57 percent.
It was the only bank that did not require a two-factor authentication login on a test laptop. The bank also does not prevent customers from setting weak passwords.
Like TSB, Co-op also sent phone numbers in alerts and security codes.
A Co-op Bank spokesperson said: “The security of our customers’ accounts is always our top priority. Customers can rest assured that we have strong security measures in place to protect them and their money.
“We are constantly reviewing and improving our security controls and will deliver a number of further enhancements in 2024 to give our customers peace of mind that they can continue to bank securely with us.”
Lloyds Bank
Lloyds was the only bank not to log users off the website after five minutes of inactivity, despite it being a regulatory requirement.
A Lloyds spokesperson said: “Helping to keep our customers’ money and data safe is our priority and we have robust, multi-layered security across all our mobile and online banking services to protect against potential cyber security threats. We employ world-class experts in the field of cybersecurity and continually invest to deliver the right balance between online security measures, customer experience and accessibility.
“While it is written into the Payment Systems Regulator’s regulation for Secure Customer Authentication, Lloyds Banking Group has advised regulators that we would not apply this to payments and logins given the considerations for vulnerable customers and businesses who may need longer than that period to complete the transaction.
“Logins from new devices are verified through secondary verification on customers’ registered phones to establish trust on any device used. With this in mind, there are no devices that customers don’t trust.”
Online | Mobile apps |
---|---|
1. NatWest and RBS | 1. HSBC |
2. Starling | 2. Barclays |
3. HSBC | 3. Santander |
4. Barclays | 4. Chase |
5. First Direct | 5. Starling |
6. Nationwide | 6. NatWest and RBS |
7. Lloyds | 7. First Direct |
8. Virgin Money | 8. Nationwide |
9. Santander | 9. Virgin Money |
10. TSB | 10. Lloyds |
11. Co-operative | 11. Monzo |
 | 12. Co-operative |
 | 13. TSB |

Source: Which?
Starling, NatWest and RBS earned top marks for online safety. These banks earned four stars for online login security and five stars for security, account management and navigation best practices.
The best bank for mobile app security was HSBC, with an overall score of 78 percent. HSBC does not rely on SMS to log in and had no issues with logout or navigation when tested.
Barclays took second place in the mobile application ranking.
A UK Finance spokesperson said: “Fraud has a devastating impact on victims, which is why the main objective of the banking and finance sector is always to prevent fraud from occurring in the first place. To this end, the industry invests heavily in cybersecurity and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data and committing fraud.
“As the fraud landscape evolves, banks are updating and strengthening security measures on their platforms to mitigate potential threats while maintaining a positive user experience for customers.”