UK banks slammed over lack of two-factor authentication

Which? accuses high street banks of failing to protect customers from fraud

Major high street banks have failed to provide sufficient security steps to safeguard customers against scams, new research suggests.

A report by Which? released today found that many banks lack "two-factor authentication" at login, where customers are required to provide a memorable answer or password, alongside a single-use code from a mobile app or authenticator.

In a test of 11 high street banks, only five provide these improved security steps to protect customer accounts. Halifax, Lloyds Bank, Santander and TSB have all been criticised by the report for providing insufficient protection, despite having the technology to impose two-step verification, according to Which? research conducted in August.

TSB was found to be the worst offender, with a total online protection score of 56%, with only slightly improved security available at Santander.

In response to the findings, TSB said: "Customers are at the very forefront of everything we do, and we take their safety and security very seriously. We continually review and improve our services to ensure they remain robust and fit for purpose."

Hackers need only bypass one level of security to gain access to account details, which scammers will use to contact customers in the guise of a bank employee, potentially gaining further access to savings.


"The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security," said Alex Neill, managing director of Which? Home & Legal.

"Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility," added Neill.

Losses due to online bank fraud during 2014-15 reached 133.5 million, an increase of 64%, while fraud in phone banking rose by 28%, to 323.3 million. Which? believes this is largely due to a failure by high street banks to provide adequate protection.

Lloyds said in a statement: "The findings do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don't consider the results accurately reflect these factors which have a material impact on how we protect our customers' daily needs."

A NatWest spokesperson pointed to its "layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login".

This year a number of banks, including Barclays and HSBC, took steps to improve security by implementing telephone voice authentication. The news was well received by security specialists campaigning for safer biometric authentication and a move away from a reliance on passwords.

A Barclays spokesperson said its customers can get free cybersecurity services from Kaspersky, adding: "We have no higher priority than the protection of our customers' funds and data. Customers can be reassured that the digital banking services they use carry the highest level of recognised cyber security protection. We strive to provide our customers with a great digital experience with the highest high level security that doesn't impact the ability to access their funds."

A statement from HSBC read: "HSBC uses a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring.

"Two factor authentication and a one-time password is required to access high risk transaction types within online banking services, protecting our customers from fraudulent activity. HSBC customers are also provided with anti-virus software."

Santander launched a phone banking voice recognition service in March, but was heavily criticised by Which? for providing an insecure online service.

IT Pro has approached Santander for comment.

Which?'s 'Safeguard us from Scams' campaign has called on the government's Joint Fraud Taskforce to investigate the findings to see if banks are fulfilling their responsibilities to customers.
