Virgin Money, TSB and Nationwide bank account holders warned over security risk

1111     0
The study was conducted by Which? and the the independent security experts at Red Maple Technologies (Image: Getty Images/iStockphoto)
The study was conducted by Which? and the the independent security experts at Red Maple Technologies (Image: Getty Images/iStockphoto)

Banks are falling short when it comes to banking cyber security and protecting customers from scammers online, according to Which? consumer experts.

The study conducted by Which? and independent security experts at Red Maple Technologies looked at 13 of the biggest banking account providers to assess their online security.

The assessment looked at four key categories - login, encryption, account management, and navigation and logout - to see which banks have the best protections in place.

According to the consumer group's study, out of a possible 100% score, the "bottom-rated" banks included:

Sam Richardson, Which? Money deputy editor, said: "Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.

"By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers."

Red Maple said it found a total of six outdated Virgin Money apps with potential vulnerabilities.

Of particular concern, Red Mapl said Virgin Money does not properly block weak passwords or redact phone numbers on notifications, nor does it impose security checks if an account holder wants to make a payment to somebody new, change an email address, or edit a payee’s details.

However, Virgin Media noted "minor" vulnerabilities on three of the web applications and that these will be corrected, the exposed IP address was "under review" and the outdated TLS would be addressed in early 2023.

A spokesperson for Virgin Money told Which?: "The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls.

"A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts."

TSB was found to have a highly lax and outdated approach to password security, and for exposing a potentially vulnerable subdomain to the public internet. It was also docked points for still using SMS-based security, not alerting users to changes, and including phone numbers in new-payee notifications.

A spokesperson for TSB told Which?: "We continue to invest in our online and mobile services – and work with globally leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud."

Nationwide was found to have slipped up when it came to notifying customers of changes to details.

Nationwide slashing up to 450 jobs as part of huge business shake-upNationwide slashing up to 450 jobs as part of huge business shake-up

A Nationwide spokesperson said: “Nationwide takes the security of its members and their money very seriously. We are never complacent and conduct regular testing of our systems to ensure that we maintain an appropriate level of protection, whilst ensuring a positive user experience.

"We will take the points raised by Which? on board as we continue to evolve our digital services.”

At the other end of the spectrum, Starling scored well across all categories, and was particularly commended for its joined-up approach to online and app security – it uses its app to authorise online logins and alert customers to suspicious activity.

HSBC also performed consistently well, with few issues found on either its website or app.

Which? called for the retail banking sector to do more to improve cyber defences against increasingly sophisticated scammers, and is urging the industry to make improvements that would see weak passwords blocked and a more mature approach to data sharing.

Full list of results:

Online and app:

Starling: online 82% - app 80%

HSBC: online 80% - app 82%

Natwest: online 77% - app 66%

Lloyds: online 75% - app 62%

First Direct: online 73% - app 71%

Barclays: online 69% - app 80%

Santander: online 69% - app 73%

The Co-operative Bank: online 68% - app 63%

TSB: online 66% - app 57%

Nationwide: online 63% - app 67%

Virgin Money: online 52% - app 54%

App only:

Chase: app 70%

Natwest: app 66%

Monzo: 65%

Ruby Flanagan

Print page

Comments:

comments powered by Disqus