New research from Which? shows that UK banks aren’t doing enough to protect their customers from fraud and security breaches.
The survey, conducted with expert security firm 6point6, shows that many banks aren’t up to date with the latest protection technologies for their own websites, and they aren’t putting in place rules that prevent customers from using vulnerable passwords.
Banks Ranked
The research involved looking at the 15 largest providers of current accounts in the UK. Metro Bank scored the lowest on online security, with an overall rating of 53%.
It had some serious issues, including subdomains of the website with weaknesses that could allow attackers onto the bank’s servers to compromise data. The website was also missing security headers that help protect users from cyberattacks.
Virgin Money didn’t fare much better, with a rating of 56%, while the next to struggle were TSB (59%), Triodos (63%) and First Direct (67%).
HSBC was the best bank for security with a score of 81%, as the only bank to have no faults for website encryption and account management. NatWest was second with 75%, followed by Barclays (73%), Santander (72%) and Starling (72%).
One area that even these top banks struggled with was passwords. HSBC, NatWest, Santander, Starling, The Co-Operative Bank and Virgin Money were all criticised for allowing customers to use passwords that included either their first name or surname.
Santander has already responded to say this is being phased out while NatWest and Virgin Money have commented on the findings to say that they will investigate increasing password limitations.
Triodos in particular was pulled up on its password system, which allows customers to choose weak passwords for their bank account such as “admin”, “password” and “1234567”. The bank argues that it has two-step verification with its physical Digipass, but Which? believes that this still leaves users exposed.
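As an added illustration of the password rules Which? faulted the banks for lacking, here is a small policy check that rejects the weak passwords named above and any password containing the customer’s first name or surname. It is example code, not from Which?, 6point6 or any bank; the minimum length, the denylist and the digit-substitution map are assumed values chosen for the demonstration.

```python
"""Password-policy check covering the weaknesses in the Which? findings.

Constructed example; the denylist, MIN_LENGTH and LEET map are assumptions."""
from __future__ import annotations

import unicodedata

# Constructed denylist. The first three entries are the passwords Triodos was
# criticised for accepting; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"admin", "password", "1234567", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy value

# Undo common digit/symbol-for-letter substitutions so "Br0wn" still matches "Brown".
LEET = str.maketrans("01345$@7", "oleassat")


def _fold(text: str) -> str:
    """Lower-case and strip accents so 'José' and 'jose' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def password_problems(password: str, first_name: str, surname: str) -> list[str]:
    """Return the policy rules the candidate password violates (empty list = acceptable)."""
    problems: list[str] = []
    folded = _fold(password)
    unleeted = folded.translate(LEET)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if folded in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")

    # Reject the customer's own name anywhere in the password, ignoring case,
    # accents and simple substitutions. Very short name parts (e.g. "Li") are
    # skipped because they would match almost any password by accident.
    for label, name in (("first name", first_name), ("surname", surname)):
        for part in _fold(name).split():  # handles spaced or double-barrelled names
            if len(part) >= 3 and (part in folded or part in unleeted):
                problems.append(f"contains the customer's {label}")
                break

    if folded.isdigit():
        problems.append("consists only of digits")
    return problems
```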
Banking Apps Also Reviewed
As part of the study, banks that use a dedicated app were also reviewed. Monzo, one of the leaders of the app-based digital banking movement, scored worst in this area with 46%. The bank was criticised for not asking customers to log in every time they open the app, allowing people who find an unlocked phone to access the app and make payments.
The bank argued that this was a conscious decision that aimed to “strike a balance between risk and customer experience”.
Lloyds, TSB, Santander and Nationwide were flagged for allowing customers to use the same password on their online banking site and mobile banking app. Which? says that using a separate password for the app increases security.
Which? has revealed that internet banking fraud rose by 97% in the first half of 2021, and has called on banks to improve their security systems to better protect customers following the findings of this research.