Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner. Facebook Messenger An icon of the facebook messenger app logo. Facebook An icon of a facebook f logo. Facebook Messenger An icon of the Twitter app logo. LinkedIn An icon of the LinkedIn logo. WhatsApp Messenger An icon of the Whatsapp messenger app logo. Email An icon of an mail envelope. Copy link A decentered black square over a white square.

Which? urges banks to address online security ‘loopholes’

Which? said some banks need to address potential ‘loopholes’ in their online security arrangements (Yui Mok/PA)
Which? said some banks need to address potential ‘loopholes’ in their online security arrangements (Yui Mok/PA)

Some banks need to urgently address potential loopholes in their online security arrangements which could leave people vulnerable to scammers, according to Which?.

The consumer group assessed the apps and websites of 13 current account providers in January and February 2024, with help from computer security experts.

Researchers for the consumer group tested banking website and app security for login procedures, security “best practice”, account management and navigation and logout. They were not able to test banks’ back-end security systems.

While all firms in the study use multi-layered security that helps reduce the likelihood of major security breaches, Which? said it believes that some providers that finished towards the bottom of its rankings fell short of the standards customers should expect.

TSB was scored 54% by Which? for its mobile app security and 67% for its online security – the lowest and second-lowest scores respectively.

A TSB sign
TSB said it continues to strengthen the security of its internet and mobile banking (Gareth Fuller/PA)

Which? said the bank’s handling of sensitive data meant that it could be read by other apps running on the phone. The consumer group raised concerns that the app stores users’ credentials in a way which may make it more likely that other apps could access them.

TSB told Which? that the matter was under review and a fix will be “considered in the future”.

The bank also sent a phone number in an text alert that Which? said could be replicated by scammers.

TSB told Which?: “We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number.”

The consumer group also raised concerns about TSB’s password requirements, saying users may choose insecure passwords which could be easier for scammers to crack.

TSB said: “We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”

Which? ranked the Co-operative Bank bottom in its study for online security, with a score of 61%.

Regarding security on its mobile app, the Co-operative Bank came second to last, with a score of 57%.

Which? said the bank failed to require a two factor authentication login on a test laptop and did not block customers from setting weak passwords.

Researchers could log in from two different IP addresses at the same time without the older session being terminated and, like TSB, there were still phone numbers in alerts and security codes sent via text.

The Co-operative Bank said: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.

“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”

Which? said it is calling for TSB and the Co-operative Bank to urgently address the issues that its researchers found.

Meanwhile, Lloyds did not log out website users after five minutes of inactivity. The bank told Which? that this makes transactions easier for vulnerable customers.

A Lloyds Banking Group spokesperson said: “Helping to keep our customers’ money and data safe is our priority and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats.

“We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.

“Whilst written in the Payment Systems Regulator’s regulation for secure customer authentication, Lloyds Banking Group has made the regulators aware that we would not enforce this on payments and logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction.

“Logons from new devices are verified through secondary verification to customers’ registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices.”

Starling Bank and NatWest/RBS were ranked top by Which? for online security, with both scoring 87%.

The top-ranked bank for mobile app security was HSBC, with a score of 78%.

HSBC posted solid scores for both its app and website, and researchers found no issues with logout or navigation, Which? said.

Barclays was ranked second in the mobile app rankings, with a score of 74%, but Which? found it had not fixed website management issues it identified last year, such as letting users access accounts from multiple browsers, IP addresses or devices at the same time.

The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking and is planning to add this additional layer of protection later this year.

Sam Richardson, deputy editor of Which? Money, said: “With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch.

“While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.

“With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across multiple government departments.”

A spokesperson for industry body UK Finance said: “Fraud has a devastating impact on victims, so the banking and finance industry’s primary focus is always on stopping fraud from happening in the first place. To do so, the industry invests heavily in cyber security and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data, and committing fraud.

“As the fraud landscape evolves, banks update and reinforce security measures on their platforms to mitigate potential threats, whilst maintaining a positive user experience for customers.

“We encourage customers to be alert to potential threats of fraud and always use secure passwords, avoid sharing one-time passcodes and personal and financial information. If you think you’ve fallen for a scam it’s important to contact your bank immediately, and report it to Action Fraud.”