UK banks slammed over lack of two-factor authentication

Which? accuses high street banks of failing to protect customers from fraud


Major high street banks have failed to provide sufficient security steps to safeguard customers against scams, new research suggests.

A report by Which? released today found that many banks lack "two-factor authentication" at login, where customers are required to provide a memorable answer or password alongside a single-use code from a mobile app or authenticator.

In a test of 11 high street banks, only five provide these improved security steps to protect customer accounts. Halifax, Lloyds Bank, Santander and TSB have all been criticised by the report for providing insufficient protection, despite having the technology to impose two-step verification, according to Which? research conducted in August.

TSB was found to be the worst offender, with a total online protection score of 56%; security at Santander was only slightly better.

In response to the findings, TSB said: "Customers are at the very forefront of everything we do, and we take their safety and security very seriously. We continually review and improve our services to ensure they remain robust and fit for purpose."

Hackers need only bypass one level of security to gain access to account details, which scammers will use to contact customers in the guise of a bank employee, potentially gaining further access to savings.

"The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security," said Alex Neill, managing director of Which? Home & Legal.

"Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility," added Neill.

Losses due to online bank fraud during 2014-15 reached 133.5 million, an increase of 64%, while fraud in phone banking rose by 28%, to 323.3 million. Which? believes this is largely due to a failure by high street banks to provide adequate protection.

Lloyds said in a statement: "The findings do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don't consider the results accurately reflect these factors which have a material impact on how we protect our customers' daily needs."

A NatWest spokesperson pointed to its "layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login".

This year a number of banks, including Barclays and HSBC, took steps to improve security by implementing telephone voice authentication. The news was well received by security specialists campaigning for safer biometric authentication and a move away from a reliance on passwords.

A Barclays spokesperson said its customers can get free cybersecurity services from Kaspersky, adding: "We have no higher priority than the protection of our customers' funds and data. Customers can be reassured that the digital banking services they use carry the highest level of recognised cyber security protection. We strive to provide our customers with a great digital experience with the highest level of security that doesn't impact the ability to access their funds."

A statement from HSBC read: "HSBC uses a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring.

"Two factor authentication and a one-time password is required to access high risk transaction types within online banking services, protecting our customers from fraudulent activity. HSBC customers are also provided with anti-virus software."

Santander launched a phone banking voice recognition service in March, but was heavily criticised by Which? for providing an insecure online service.

IT Pro has approached Santander for comment.

Which?'s 'Safeguard us from Scams' campaign has called on the government's Joint Fraud Taskforce to investigate the findings to see if banks are fulfilling their responsibilities to customers.
