UK banks slammed over lack of two-factor authentication

Which? accuses high street banks of failing to protect customers from fraud

mobile banking

Major high street banks have failed to provide sufficient security steps to safeguard customers against scams, new research suggests.

report by Which? released today found that many banks lack "two-factor authentication" at login, where customers are required to provide a memorable answer or password, alongside a single use code from a mobile app or authenticator.

In a test of 11 high street banks, only five provide these improved security steps to protect customer accounts. Halifax, Lloyds Bank, Santander and TSB have all been criticised by the report for providing insufficient protection, despite having the technology to impose two-step verification, according to Which? research conducted in August.

TSB was found to be the worst offender, with a total online protection score of 56%, with only slightly improved security available at Santander.

Advertisement
Advertisement - Article continues below

In response to the findings, TSB said: "Customers are at the very forefront of everything we do, and we take their safety and security very seriously. We continually review and improve our services to ensure they remain robust and fit for purpose."

Hackers need only bypass one level of security to gain access to account details, which scammers will use to contact customers in the guise of a bank employee, potentially gaining further access to savings.

"The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security," said Alex Neill, managing director of Which? Home & Legal.

"Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility," added Neill.

Losses due to online bank fraud during 2014-15 reached 133.5 million, an increase of 64%, while fraud in phone banking rose by 28%, to 323.3 million. Which? believes this is largely due to a failure by high street banks to provide adequate protection.

Lloyds said in a statement: "The findings do not provide provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don't consider the results accurately reflect these factors which have a material impact on how we protect our customers' daily needs."

A NatWest spokesperson pointed to its "layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login".

This year a number of banks made steps to improve security, including Barclays and HSBC, by implementing telephone voice authentication, news that was well received by security specialists campaigning for safer biometric authentication, and a move away from a reliance on passwords.

A Barclays spokesperson said its customers can get free cybersecurity services from Kaspersky, adding: "We have no higher priority than the protection of our customers' funds and data. Customers can be reassured that the digital banking services they use carries the highest level of recognise cyber security protection. We strive to provide our customers with a great digital experience with the highest high level security that doesn't impact the ability to access their funds."

A statement from HSBC read: "HSBC uses a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring.

Advertisement
Advertisement - Article continues below

"Two factor authentication and a one-time password is required to access high risk transaction types within online banking services, protecting our customers from fraudulent activity. HSBC customers are also provided with anti-virus software."

Santander launched a phone banking voice recognition service in March, but was heavily criticised by Which? for providing an insecure online service.

IT Pro has approached Santander for comment.

Which?'s 'Safeguard us from Scams' campaign has called on the government's Joint Fraud Taskforce to investigate the findings to see if banks are fulfilling their responsibilities to customers.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now
Advertisement

Recommended

Visit/security/33048/popular-password-managers-found-to-have-serious-flaws
Security

Popular password managers found to have serious flaws

21 Feb 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/cloud/amazon-web-services-aws/354223/what-to-expect-from-aws-reinvent-2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019