Nationwide, Virgin Money and TSB rapped by Which? for leaving website and app ‘doors open’ to scammers
Websites and apps used by customers of some of the UK’s largest banks are missing crucial security protections, potentially leaving “open doors” for scammers, consumer group Which? has claimed.
Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from security experts at Red Maple Technologies.
Account providers were scored on their banking security and app security processes for login, navigation and logout, account management and encryption.
Virgin Money scored the lowest overall for online and app banking, according to the research.
A Virgin Money spokesperson said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls.
“A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”
Which? said it also had some concerns over TSB, which received the second lowest score for its app.
A spokesperson for TSB said: “We continue to invest in our online and mobile services – and work with globally leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”
Nationwide Building Society was given the second lowest score for online banking security.
A spokesperson for Nationwide said: “Nationwide takes the security of its members and their money very seriously.
“We are never complacent and conduct regular testing of our systems to ensure that we maintain an appropriate level of protection, whilst ensuring a positive user experience.
“We will take the points raised by Which? on board as we continue to evolve our digital services.”
Meanwhile, Which? said Starling Bank was placed top for online banking security.
Its top scorer for online banking security last year, HSBC UK, also performed well this year. HSBC followed closely behind Starling for online banking, while its app had the highest score.
Which? said the banks included in the research also have behind-the-scenes systems that the consumer group and Red Maple Technologies were not able to test.
The consumer champion said it wanted improvements that block weak passwords and prevent sensitive data being sent via text message.
If the worst happens and people do fall victim to remote banking fraud, in many cases they will be entitled to a refund from their bank.
Sam Richardson, Which? Money deputy editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.
“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”
A UK Finance spokesperson said: “The banking and finance industry is committed to stopping fraud from happening in the first place, investing billions in advanced technology to protect customers.
“Our figures have shown that the number of recorded cases of unauthorised fraud has fallen year on year, with the first half of 2022 showing a fall of 7% to just under 1.4 million, and banks stopping £583.9 million of unauthorised fraudulent transactions.
“The industry continues to work closely with the Government and law enforcement to target the criminal gangs responsible and continue its efforts to prevent fraud to customers.”
Online safety tips
Which? said its research also highlighted the need for banking customers to be vigilant and keep an eye on their bank accounts. Things customers can do to protect themselves include:
1. If you receive unexpected emails, texts, WhatsApp messages or any other type of message, do not click on the hyperlinks they contain.
Criminals posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.
Do not download attachments or call phone numbers either. If you need to get in touch with your bank, call it on a trusted number, such as the one on your debit card.
2. Use up-to-date security software. This means downloading antivirus software on your computer, phone and any other devices you have.
It is also important to download and install the latest updates for the device itself. Updates contain security patches for new vulnerabilities, so do not use an out-of-date device.
3. Protect your mobile phone. Go into the settings to ensure your phone auto-locks after a short period of inactivity.
While you are in there, disable lock screen notifications, to prevent criminals seeing incoming texts, which could include bank codes for accessing your account.
You can also add a Pin to your Sim card, to prevent it being accessed.
4. Check privacy settings on social media. Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank.
Only accept friend requests from people you know.
5. Replace default passwords on your home router. This will prevent others from accessing it. Also, avoid banking on unsecured wireless networks or public computers.
If you do use a public computer, never leave it unattended and always log out when you have finished.
Press Association – Vicky Shaw