Which? is calling on banks to up their game on security, after finding multiple issues which could expose the accounts of online banking customers.
The consumer rights group tested the websites and mobile apps of 13 leading current account providers, appraising them in four categories: security best practice; login; account management; and navigation and logout.
TSB and the Co-operative Bank were singled out for criticism, with the banks placed in the bottom two for both mobile app and online security.
The TSB app was given the lowest score overall (54%). Which? claimed that it stores users’ credentials insecurely, making it more likely that other apps could access them.
The high street lender apparently told Which? only that the issue was under review and that a fix would be “considered in the future.”
The Co-operative Bank was the lowest-ranked bank for mobile app security (61%). Which? claimed it was the only app that failed to require a two-factor authentication (2FA) login on a test laptop that the research team had never used before. However, the app is compliant, as it uses device profiling and behavioral data as a backup if user activity seems suspicious.
The bank also fails to block users from setting very weak passwords, and returns different error messages depending on whether the username is valid or not. Which? said this means a threat actor could use trial and error to amass a list of valid usernames, and then try popular weak passwords with them to unlock accounts.
“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us,” the bank said in response.
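The two login weaknesses Which? describes, shown beside their fixes in an added example that is not code from Which? or any bank: a handler whose error message reveals whether a username exists, next to one that returns a single generic message and does the same hashing work either way, plus a password-setting check. The class, method names, 10-character minimum and the short blocklist are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Incorrect username or password."
# Constructed sample blocklist (assumption); real systems check a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}
MIN_LENGTH = 10  # assumed policy value, not taken from the report


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self):
        self._users = {}
        # Dummy credentials let unknown usernames cost the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("dummy", self._dummy_salt)

    def set_password(self, username: str, password: str) -> None:
        # Reject very weak choices at the point the password is set.
        if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
            raise ValueError("Password is too short or too common.")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login_leaky(self, username: str, password: str):
        # Weak pattern: distinct messages confirm which usernames are valid.
        if username not in self._users:
            return False, "Unknown username."
        salt, stored = self._users[username]
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return False, "Wrong password."
        return True, "OK"

    def login_uniform(self, username: str, password: str):
        # Hardened pattern: same work and same message for every failure.
        salt, stored = self._users.get(
            username, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(stored, _hash(password, salt))
        if username in self._users and matches:
            return True, "OK"
        return False, GENERIC_ERROR
```

Uniform responses only close the enumeration channel on the login form; registration and password-reset flows need the same treatment, alongside rate limiting on failed attempts.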
Elsewhere, Lloyds Bank fails to log out website users after five minutes of inactivity – a feature it said is designed to help vulnerable customers.
NatWest and Starling tied in first place for online banking (87%), with both attaining four stars for login and the maximum five stars for all other categories. The highest scorers for mobile banking were HSBC (78%) and Barclays (74%).