Which? Reveals Santander, Tesco Bank and TSB Have “Concerning” Online Security Vulnerabilities


A new Which? investigation has uncovered gaps in
online banking security systems that could help criminals to scam
customers, reinforcing why banks must do more to protect their
customers and why reimbursement of bank transfer scam victims must
be made mandatory.

Which? conducted an investigation with independent security
experts 6point6, scrutinising the
online banking safety measures
in place across the largest
current account providers.

The investigation found that some of the biggest banks, such as
Santander, Tesco Bank and TSB,
have concerning vulnerabilities in security that could leave their
customers exposed to fraud.

While online banking is a largely safe way to manage money, and
this is being enhanced by measures such as behavioural biometrics,
where firms analyse the unique way you hold a device, to stop
fraud, Which? is concerned that the issues exposed by its
investigation highlight that banks could do more to prioritise
security above all else.

In some of these instances, there is the potential for scammers
to access information which could be used as the building blocks of
a sophisticated scam – arming a fraudster with enough sensitive
information to pull off convincing cons, such as posing as a bank
employee to persuade a customer to transfer money from their bank
account to a fraudulent one.

Many victims of these scams – which potentially have lax bank
security measures at their heart – then face a double blow as
some banks disregard the obligations to reimburse victims that they
signed up to last year.

Tesco Bank received the poorest rating for online security in
Which?’s testing, with an overall score of just 46%. Researchers
found multiple security headers missing from its webpages. These
are important as they protect against a range of cyberattacks, by
telling your browser how to behave when it communicates with the
website. It also failed to block testers from logging in to the
website from two computer networks at the same time. In addition,
it failed to log out testers when switching to a different website
or using the forward/back button to leave the session and return to
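
To illustrate the two findings above, here is an added example (not from Which? or 6point6, and not a test of any real bank) that audits a constructed set of HTTP response headers for the common browser-instructing security headers and for a `Cache-Control: no-store` directive on logged-in pages, which is what stops the back button from redisplaying a session page; the header list and sample responses are assumptions chosen for the demo.

```python
"""Audit the security headers of an HTTP response (constructed sample data)."""
from typing import Dict, List, Tuple

# Header name -> (required substring or None, why a browser needs it).
# This list is an assumption for the example, not the Which? test criteria.
EXPECTED_HEADERS: Dict[str, Tuple[str, str]] = {
    "strict-transport-security": ("max-age=", "forces HTTPS on later visits"),
    "content-security-policy": (None, "limits which scripts and frames may load"),
    "x-content-type-options": ("nosniff", "stops MIME-type sniffing"),
    "x-frame-options": (None, "blocks clickjacking via framing"),
    "referrer-policy": (None, "keeps account URLs out of third-party referrers"),
    "cache-control": ("no-store", "stops the back button replaying a logged-in page"),
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means all present."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, (must_contain, why) in EXPECTED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name} ({why})")
        elif must_contain and must_contain not in value.lower():
            findings.append(f"weak {name}: {value!r} lacks {must_contain!r} ({why})")
    return findings


# Constructed sample: a session page that sets only a couple of headers.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "private, max-age=600",  # page stays in history cache
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: the same page with a hardened header set.
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs) or "no findings")
```

The same function can be run over live headers captured with a browser's developer tools or a standard HTTP client by passing the response header dictionary.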

TSB finished second from bottom with a score of 51%. Among the
issues identified in Which? testing, the most serious was the
firm’s login process, which did not meet new regulations on
‘strong customer authentication’ (SCA), introduced in March.
When Which? reported TSB’s non-compliance to the Financial
Conduct Authority (FCA), it was told that it doesn’t comment on
specific firms and would not confirm how many firms have been
granted an effective SCA extension in relation to online

TSB told Which? in November 2020 that it is compliant with the
regulation for all new customers and that SCA is being rolled out
for existing online and mobile customers, but could not say when
this will be completed. The forced upgrade has since been completed
for mobile app users but is still being rolled out for online
banking users.

TSB customers do at least enjoy some peace of mind due to the
bank’s fraud refund guarantee, which ensures the vast majority of
scam victims get their money back.

Santander rounded off the bottom three, with a score of 62%.
Testing found that authentication checks when logging in can be
bypassed if a user designates a device as ‘trusted’. While the
firm said it does ask for reauthorisation if it detects unusual
activity, there’s no option to view or ‘distrust’ these

Several Banks Demonstrated Strong Security

Starling came out on top, with a score of 85%.
Experts found nothing concerning with its recently launched online
banking website. This is partly due to limited functionality, as
users can only change sensitive data via the app.

Barclays, HSBC and First
tied for the second spot, with a score of 78%, but
had areas for improvement.

Many of the banks included in Which?’s investigation are
signed up to the industry code on bank transfer scams, which
pledges to reimburse scam victims who are not at fault. However,
the number of victims who get their money returned by banks is
worryingly low, standing at around the 40% mark. Because firms
apply the code inconsistently and are not required to publish their
reimbursement rates, scam victims face a lottery when it comes to
getting their money back.

Which? is calling for the voluntary bank transfer scams code to
be overhauled so that stronger consumer protections and
reimbursement for scam victims become mandatory for all banks and
payment providers. The regulator should also be required to
regularly publish reimbursement rates of individual banks so
consumers can check on their account provider’s performance.

Harry Rose, Editor of Which? Magazine, said:
“Banks must lead the battle against fraud, yet our security tests
have revealed a big gap between the best and worst providers when
it comes to keeping people safe from the threat of having their
account compromised.

“The serious failings we have exposed with some providers
reinforce the need for banks to up their game on scam protections,
and for greater transparency and stronger standards on fraud
reimbursement to be made mandatory for all banks and payment

The post Which? Reveals Santander, Tesco Bank and TSB Have “Concerning” Online Security Vulnerabilities appeared first on The Fintech Times.