UK banks slammed over lack of two-factor authentication

Which? accuses high street banks of failing to protect customers from fraud

Major high street banks have failed to provide sufficient security steps to safeguard customers against scams, new research suggests.

A report by Which? released today found that many banks lack "two-factor authentication" at login, where customers are required to provide a memorable answer or password alongside a single-use code from a mobile app or authenticator.

In a test of 11 high street banks, only five provide these improved security steps to protect customer accounts. Halifax, Lloyds Bank, Santander and TSB have all been criticised by the report for providing insufficient protection, despite having the technology to impose two-step verification, according to Which? research conducted in August.

TSB was found to be the worst offender, with a total online protection score of 56%; security at Santander was only slightly better.

In response to the findings, TSB said: "Customers are at the very forefront of everything we do, and we take their safety and security very seriously. We continually review and improve our services to ensure they remain robust and fit for purpose."

Hackers need only bypass one level of security to gain access to account details, which scammers will use to contact customers in the guise of a bank employee, potentially gaining further access to savings.

"The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security," said Alex Neill, managing director of Which? Home & Legal.

"Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility," added Neill.

Losses due to online bank fraud during 2014-15 reached 133.5 million, an increase of 64%, while fraud in phone banking rose by 28%, to 323.3 million. Which? believes this is largely due to a failure by high street banks to provide adequate protection.

Lloyds said in a statement: "The findings do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don't consider the results accurately reflect these factors which have a material impact on how we protect our customers' daily needs."

A NatWest spokesperson pointed to its "layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login".

This year a number of banks, including Barclays and HSBC, took steps to improve security by implementing telephone voice authentication. The news was well received by security specialists campaigning for safer biometric authentication and a move away from reliance on passwords.

A Barclays spokesperson said its customers can get free cybersecurity services from Kaspersky, adding: "We have no higher priority than the protection of our customers' funds and data. Customers can be reassured that the digital banking services they use carry the highest level of recognised cyber security protection. We strive to provide our customers with a great digital experience with the highest level of security that doesn't impact the ability to access their funds."

A statement from HSBC read: "HSBC uses a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring.

"Two factor authentication and a one-time password is required to access high risk transaction types within online banking services, protecting our customers from fraudulent activity. HSBC customers are also provided with anti-virus software."

Santander launched a phone banking voice recognition service in March, but was heavily criticised by Which? for providing an insecure online service.

IT Pro has approached Santander for comment.

Which?'s 'Safeguard us from Scams' campaign has called on the government's Joint Fraud Taskforce to investigate the findings to see if banks are fulfilling their responsibilities to customers.
