New Which? research finds that major high street banks have failed to adopt two-factor security steps that could safeguard their customers from scams.
As a result of a boom in bank fraud, losses soared by 64% to £133.5m for online banking and 28% to £323.3m for phone banking, yet some of the major high street banks have still failed to introduce security steps to protect their customers.
Two-factor authentication at login combines two different types of ID checks – typically something you know, such as a password or Pin, with something you have, such as a card reader or a mobile phone or device on which you get a single-use pass code. Hackers who are able to penetrate the first level of security at login can access sensitive financial details, which they can use to convince consumers they are talking to their bank – a tactic often used by scammers.
In August 2016, volunteers recruited by Which? tested 11 major high street banks. The banks were tested at different stages: logging in via a browser; adding a new payee and transferring money; password complexity requirements; customer-facing encryption (how secure the connection is to your bank when you input your details); navigation (for example, stopping you from using the back button to access a previous secure session); and the logout process. The results were analysed by security consultancy SureCloud.
From this research Which? found that only five have adopted the more rigorous security checks to protect their customers. Halifax (and Bank of Scotland), Lloyds Bank, Santander and TSB have consistently scored poorly over the four years Which? has been analysing their security measures, with none offering two-factor authentication at login, despite having the technology to do so.
Alex Neill, Managing Director of Which? Home & Legal, said:
“The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there’s no excuse for others to sacrifice security.
“Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it’s time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers.”
Which? used its super-complaint powers to call on the financial regulator to investigate whether banks could do more to protect people who are tricked into transferring money to a fraudster.