Which? research has found that basic security flaws on some of the biggest banks’ websites and apps are putting consumers at increased risk of falling victim to fraud.
The research comes after 29,102 cases of remote banking fraud were reported to UK Finance in the first half of 2022. This involves unscrupulous scammers gaining access to consumers’ bank accounts via their internet, telephone or mobile banking and making an unauthorised transfer of money from the account.
Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from Red Maple Technologies. The banks were scored across four key categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.
Among other issues, banks were marked down for not adequately blocking weak passwords, for sending one-time passcodes or other sensitive information via text message (the least secure delivery channel for such codes), and for failing to log customers out after five minutes of inactivity.
They also lost points for allowing access to an account from multiple web browsers or IP addresses at the same time without flagging this as a potential cyberattack, and for sending customers notifications that include a phone number or web link. The latter is a gift to scammers, who often replicate genuine texts and emails to trick people into calling them or entering their details on a fake website.
Virgin Money got the lowest total scores for online (52%) and app (54%) banking. Virgin Money’s poorest scores for online banking were in the navigation and logout and account management categories – it got two stars out of five for both. It also scored just two stars for the encryption on its app.
Red Maple Technologies found six outdated Virgin Money web applications with potential vulnerabilities. The bank acknowledged minor vulnerabilities in three of them and said these will be corrected. Virgin Money did not adequately block insecure passwords or remove phone numbers from notifications. More worryingly, there were no additional security checks when paying someone new, changing an email address or editing a payee’s details. Which? also found issues with website session management, though the bank said it plans to improve this in early 2023.
Which? had several concerns when it came to TSB, which scored 57% for its app, the second lowest, but got a slightly higher score of 66% for its online offering. It still asks basic security questions such as ‘name your favourite food’ to recover login details. It also failed to block insecure passwords and only requires six characters; banks should encourage much longer passwords. Red Maple Technologies found a potentially vulnerable subdomain, which TSB said will be removed in 2023, and two outdated web applications.
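The controls Which? scored the banks on (blocking weak passwords, logging customers out after five minutes of inactivity, flagging a second session from a different browser or IP address, and keeping links and phone numbers out of notifications) are simple to express in code. The block below is an added illustration written for this article, not code from Which?, Red Maple Technologies or any bank; the 12-character minimum, the blocklist contents, the regular expression and the sample sessions are assumptions constructed for the example.

```python
"""Added example (not code from Which?, Red Maple Technologies or any bank)
of the customer-facing controls the study scored: weak-password blocking,
a five-minute idle timeout, concurrent-session alerts and link-free
notifications. Thresholds and sample data are assumptions."""
import re
import time
from dataclasses import dataclass, field
from typing import Optional

MIN_PASSWORD_LENGTH = 12          # assumption; TSB accepted as few as six
IDLE_TIMEOUT_SECONDS = 5 * 60     # the inactivity limit Which? tested against

# Constructed blocklist; a deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty123", "letmein"}

# A link, or a run of ten or more digits (a phone number), in an outbound message.
URL_OR_PHONE = re.compile(r"https?://|www\.|\+?\d[\d \-]{8,}\d")


def password_problems(pw: str) -> list[str]:
    """Return the reasons a candidate password should be rejected ([] if none)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if re.fullmatch(r"[A-Za-z]+|\d+", pw):
        problems.append("uses only letters or only digits")
    return problems


def notification_is_safe(text: str) -> bool:
    """True if a customer notification carries no link or phone number, so a
    scammer's copy of the format has nothing to lure the reader towards."""
    return URL_OR_PHONE.search(text) is None


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    last_seen: float      # seconds; callers may pass an explicit clock value


@dataclass
class SessionStore:
    active: dict[str, Session] = field(default_factory=dict)  # session id -> session
    alerts: list[str] = field(default_factory=list)

    def login(self, session_id: str, user: str, ip: str, user_agent: str,
              now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        # A second live session for the same user from another browser or
        # address is recorded as a possible takeover rather than silently allowed.
        for other in self.active.values():
            if (other.user == user
                    and (other.ip != ip or other.user_agent != user_agent)
                    and now - other.last_seen <= IDLE_TIMEOUT_SECONDS):
                self.alerts.append(
                    f"{user}: new session from {ip} ({user_agent}) "
                    f"while {other.ip} ({other.user_agent}) is still active")
        self.active[session_id] = Session(user, ip, user_agent, now)

    def touch(self, session_id: str, now: Optional[float] = None) -> bool:
        """Refresh a session on activity; expire it and return False if it
        has been idle longer than IDLE_TIMEOUT_SECONDS."""
        now = time.time() if now is None else now
        s = self.active.get(session_id)
        if s is None:
            return False
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.active[session_id]
            return False
        s.last_seen = now
        return True
```

In use, `password_problems` runs at registration and password change, `notification_is_safe` gates every outbound SMS or email template, and every authenticated request calls `touch`; an alert from `login` would feed the bank's fraud monitoring rather than simply being logged.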
Frederik Mennes, Director Product Management & Business Strategy, OneSpan
In this digital-first world, banks and financial institutions must balance top-level security with seamless user experience. In the Financial Services (FS) sector, where security and data privacy are crucial, Multi-Factor Authentication (MFA) is often required to access sensitive information or conduct transactions. MFA requires users to provide multiple forms of identification to access their accounts or data.
While MFA is an essential security measure to protect against unauthorised access and data breaches, it can also have an impact on the customer experience. MFA that hasn’t been built with customer experience at its core can end up not being user-friendly, lowering customer satisfaction. However, when implemented correctly, it can increase user confidence in the security of their data and accounts. This can lead to higher levels of trust and loyalty, ultimately improving customer experience. Overall, MFA can help users get an added sense of control and security over their personal information.
To balance the need for security with a positive customer experience, organisations should carefully consider the implementation of MFA. The FS sector should look for ways to make the MFA process as easy and user-friendly as possible, such as offering multiple authentication methods through SMS, biometrics or by using continuous authentication.
The benefit of continuous authentication
Continuous authentication is an approach that aims to address the issue of MFA fatigue by providing a more seamless and user-friendly authentication experience. Continuous authentication is not an authentication factor, like a new one-time token or authentication application. Rather than requiring users to authenticate themselves repeatedly throughout a session, continuous authentication uses behavioural and biometric data to verify a user’s identity continuously in the background. It provides multi-layered security measures that can adapt to the unique characteristics and risk level of each transaction. This means that the authentication process becomes more secure and dynamic, as it can detect and respond to changing patterns of behaviour and suspicious activity in real time.
Continuous authentication – or adaptive authentication – can take various forms, such as biometric authentication, keystroke dynamics and behavioural analytics. These methods use unique identifiers such as voice patterns, fingerprints and other biometric data, as well as behavioural patterns such as typing speed, mouse movements and navigation behaviour, to authenticate users continuously. This can provide a more secure and user-friendly experience that helps reduce the burden of MFA fatigue in the FS sector.
By utilising continuous authentication, Financial Services can better protect their customers’ sensitive information and assets and ensure the security of their financial transactions. It distinguishes itself from standalone authentication tools by employing specialised authentication methods based on real-time risk analysis. By leveraging risk analytics driven by Machine Learning and Artificial Intelligence, financial institutions can simplify the end-user experience, reduce fraud and achieve regulatory compliance. Overall, continuous authentication is a promising approach to addressing the challenge of MFA fatigue in the FS sector. Providing a more seamless and secure authentication experience can help improve user satisfaction and reduce errors or security breaches.
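As an added illustration of the risk-based (adaptive) authentication described above, and not code from OneSpan or any vendor product, the block below keeps a per-customer baseline of device, location, keystroke cadence and payment habits, scores each request against it, and lets the score decide whether the request passes silently, triggers a step-up factor, or is blocked. The weights, thresholds, the z-score cut-offs and the sample customer data are all assumptions chosen for the example.

```python
"""Added example of risk-based (adaptive) authentication, written for this
article rather than taken from OneSpan or any product. A customer baseline
is compared with the current request; the resulting score decides whether
to allow, step up, or block. Weights, thresholds and sample data are assumed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    known_devices: set[str]
    usual_countries: set[str]
    typing_intervals_ms: list[float]   # historic inter-keystroke gaps
    typical_payment_gbp: float


@dataclass
class Request:
    device_id: str
    country: str
    typing_intervals_ms: list[float]   # gaps observed while typing this request
    payment_gbp: float
    new_payee: bool


STEP_UP_AT, BLOCK_AT = 40, 70          # assumed score thresholds on a 0-100 scale


def cadence_zscore(baseline: Baseline, request: Request) -> float:
    """How many standard deviations the current typing cadence sits from the
    customer's history; a large value suggests someone else at the keyboard."""
    mu = mean(baseline.typing_intervals_ms)
    sigma = pstdev(baseline.typing_intervals_ms) or 1.0   # avoid divide-by-zero
    return abs(mean(request.typing_intervals_ms) - mu) / sigma


def risk_score(baseline: Baseline, request: Request) -> int:
    """Additive risk score; each signal contributes an assumed weight."""
    score = 0
    if request.device_id not in baseline.known_devices:
        score += 30
    if request.country not in baseline.usual_countries:
        score += 25
    z = cadence_zscore(baseline, request)
    if z > 3:
        score += 25
    elif z > 2:
        score += 10
    if request.payment_gbp > 5 * baseline.typical_payment_gbp:
        score += 20
    if request.new_payee:
        score += 15
    return min(score, 100)


def decide(baseline: Baseline, request: Request) -> str:
    """'allow' (no interruption), 'step-up' (ask for a second factor) or 'block'."""
    score = risk_score(baseline, request)
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


# Constructed sample customer; the numbers are not from any real data set.
ALICE = Baseline(known_devices={"dev-a1"}, usual_countries={"GB"},
                 typing_intervals_ms=[110, 120, 115, 125, 118],
                 typical_payment_gbp=50.0)

if __name__ == "__main__":
    routine = Request("dev-a1", "GB", [112, 118, 120], 40.0, new_payee=False)
    takeover = Request("dev-x9", "RO", [60, 55, 65], 2000.0, new_payee=True)
    print("routine payment:", decide(ALICE, routine))
    print("suspected takeover:", decide(ALICE, takeover))
```

The point of the design is that a routine payment from a known device at the customer's usual cadence never prompts for anything, while a new device or a new payee alone only costs the customer one step-up prompt; it takes several signals together, such as an unfamiliar device, an unusual country and a typing cadence far outside the baseline, to reach the block threshold.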
Luke Armstrong, Enterprise Consultant at Exponential-e
The demand for ‘next-gen networks’ is on the rise. These networks – which are most commonly built in the cloud – have exploded in popularity in recent years, as businesses have come to realise that digitally transforming network infrastructure is imperative to maintaining business growth.
The Financial Services (FS) sector in particular serves as a perfect example, despite having been more averse to Digital Transformation efforts in years gone by.
It’s well known that the FS industry has historically had a reputation for holding back on adopting newer technologies. There are always reasons to forgive such behaviour of course, and many have held concerns when it comes to data security and the risks involved in modernising.
However, the rise of hybrid working and warnings from the Bank of England around the risks of ‘cloud concentration’ have forced the industry to move past these fears and face network security head-on. If financial firms and banks are to succeed in this hyper-competitive digital age, they must invest in a safety framework that delivers security and reliability, while keeping attackers at bay. These ingredients are critical, not just for securing data and systems, but for increasing customer loyalty through reliable systems.
The cloud is becoming the most important technology tool to secure, as traditional firms migrate data and applications en masse to private and public cloud environments to better compete with today’s digitally native fintech challengers. It’s a trend that will only continue too. But the FS sector will need to ensure it respects the rules and makes secure networks its number one priority.
Secure Access Service Edge (SASE) is an additional security layer that many financial services businesses should consider for their cloud infrastructure as they become increasingly reliant on it to support remote workforces. SASE brings together security and networking, delivered via a cloud-based service model. It provides secure access to apps and data, as remote users increasingly require access to cloud-based, business-critical applications from anywhere in the world, usually via a SaaS model. While not necessarily new, it is becoming widely used as an essential defence for banks.
While the technology is not necessarily new, it is becoming more widely used, especially in the remote working age as it combines high-performance connectivity with a robust, centralised cybersecurity posture, providing control and visibility of the entire cloud infrastructure.
SASE is powerful because it incorporates the key features of multiple security services via Software-Defined Networking (SD-WAN), including DNS security and firewall policies. It integrates all of this with Zero Trust network security principles to create a single service that is delivered across every aspect of an organisation’s cloud infrastructure.