Consumer body Which? has rated 11 UK banks based on the security of their online banking.
Which? asked volunteers with current accounts at 11 high street banks to perform a series of tasks, with security experts then rating the customer-facing safeguards. In what may come as a shock to many a security expert, only five of the UK banks rated had two-factor authentication at login. Those banks were Lloyds Banking Group (Lloyds, Halifax, Bank of Scotland), Santander and TSB.
CBR takes a look at the rankings, with expert commentary on the failings exposed by the scores.
The Worst
TSB received the lowest score, 56%, and ranked worst for logging in. Login was rated on whether two-factor authentication was used, on what other information was required to log in, and on password complexity. Which? also looked at the process for resetting a forgotten username or password.
Gabriel Wilson from Rivington Information Security said: “The scarcity of two factor authentication in the banking industry is down to weak guidance and lack of regulatory requirements. It’s also less expensive for banks to reimburse victims of online fraud, who have had their accounts compromised, than it is to implement two factor authentication. When these factors are combined with the sheer volume of existing regulations already in place, many not mandated, the focus of investment is not being used to adopt security best practices.
“However, two factor authentication is only part of the solution. Whilst it will reduce unauthorised access to customer accounts, it will not stop customers falling for scams. This remains a crucial issue, due to a lack of education and awareness of scam types and the temptation of financial reward.”
The Best
First Direct came out on top in the Which? ranking, scoring 78%. The bank received the best score for navigation and log out, which was an evaluation of the logout process. Which? looked at whether the site prevents you from using the ‘back’ button to access a previous secure session and whether it allows two sessions to be open simultaneously on two different browsers or devices.
Steve Mullan, UK Operations Manager, Ilex International, said: “Even with the current lack of regulation governing security standards in the UK banking industry, there is light at the end of the tunnel. A growing number of organisations are making the bold move to implement multi-factor authentication as part of their ongoing identity and access management strategy. They see this as a means of creating a trusted working environment between themselves and their customers or employees. This demonstrates how much they value their customers’ security and are taking active steps to prove it.
“In addition, this is a savvy business initiative as it will allow banks to grant customers access to a larger resource of internal applications and online banking services. A more secure platform will help banks to expand their reach and uptake of new services that might not have been utilised by their customers before multi-factor authentication.”
The Rest of the Worst
Lloyds Banking Group, Metro Bank and Santander all featured in the bottom half of the rankings. All scored low on login, navigation and logout, though all of these banks did get full marks for encryption and account management. For account management, Which? rated how the banks set up new payees and the process of transferring money, as well as changing password and address.
Nick Brown, managing director at global identity data intelligence specialists GBG, said: “The internet and online banking has only made fraud easier – and you cannot deny bank fraud is a booming business. Individuals’ identity details are so much more accessible online than in paper records. However, the benefits of online banking: speed, ease and accessibility of services globally mean that it’s difficult to avoid the need for an online identity. The real art in all this is to ensure that a customer’s relevant identity characteristics can be captured, verified and approved when you need it, and that fraudulent access is identified quickly and effectively.
“Identity data intelligence, then, has a huge role to play in not only uncovering incidences of fraud, but also preventing fraud from occurring in the first place. By using more data, analytical insights and triangulation of multiple identity proofing techniques to authenticate a user and prove they are who they say they are, banks can minimise the impact of fraudulent activity for both the customer and the business itself. In short, banks need to realise the full impact the trusted use of identity data has in helping fight fraud.”
The Rest of the Best
HSBC, Barclays, M&S Bank and Nationwide all followed the leader, First Direct. Solid login, encryption, account management and navigation all led to high scores.
Alex Neill, managing director of Which? Home & Legal, said: ‘The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there’s no excuse for others to sacrifice security.
‘Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud; it’s time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers.’
Which? used its super-complaint powers to call on the financial regulator to investigate whether banks could do more to protect people who are tricked into transferring money to a fraudster.