Millions of HSBC and NatWest customers exposed to an application security flaw


Millions of Britons who use online banking are exposed to some worrisome fraud risks, industry experts warned today.

The consumer group Which? issued the warning following an investigation by the security consultancy 6point6, which tested the online and mobile banking applications of 15 major current account providers against criteria including encryption and protection, login, account management and navigation.

Six banks – HSBC, NatWest, Santander, Starling, Co-operative Bank and Virgin Money – allow customers to choose passwords that include their own first and/or last name, the research found.

Santander told Which? that this is being phased out, while NatWest and Virgin Money said they would now tighten their password restrictions.
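As an added illustration of the missing control (this is not code from Which?, 6point6 or any bank named in the article), the following Python check rejects a password that contains the customer's first or last name, including accented, hyphenated and "M4ria"-style disguised forms. The minimum length, the sample customer record and the candidate passwords are assumed values constructed for the example.

```python
import re
import unicodedata

# Substitutions customers commonly use to disguise a name ("M4ria" for "Maria").
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t"})
MIN_LENGTH = 12      # assumed policy value, not a figure from the article
MIN_FRAGMENT = 3     # ignore name parts shorter than this (the "O" in O'Brien)


def normalise(text: str) -> str:
    """Lower-case, strip accents and punctuation, and undo leet substitutions."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", plain.lower().translate(LEET_MAP))


def name_fragments(first_name: str, last_name: str) -> set:
    """Name parts a password must not contain: each whole name plus every
    space-, hyphen- or apostrophe-separated part of it."""
    fragments = set()
    for raw in (first_name, last_name):
        for candidate in [raw] + re.split(r"[\s\-']+", raw):
            norm = normalise(candidate)
            if len(norm) >= MIN_FRAGMENT:
                fragments.add(norm)
    return fragments


def check_password(password: str, first_name: str, last_name: str) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm_pw = normalise(password)
    for frag in sorted(name_fragments(first_name, last_name)):
        if frag in norm_pw:
            problems.append(f"contains part of the customer's name ({frag})")
    return problems


if __name__ == "__main__":
    # Constructed sample customer and candidate passwords (not real data).
    customer = ("Maria-José", "O'Brien")
    for candidate in ("M4ria-Jose!2024", "Obrien2024!!!!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, *customer) or ["ok"])
```

The comparison is done on a normalised form of both the password and the name, so a customer cannot evade the rule with capitalisation, accents or digit-for-letter swaps; the same normaliser should be applied to any other personal data (date of birth, postcode) a bank chooses to ban.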

TSB, Lloyds, Metro, Nationwide, Santander and Co-operative Bank also used text messages to verify customers when logging in, leaving those messages at risk of being hijacked by cybercriminals (for example through SIM-swap fraud), Which? said.

Santander and the Co-operative Bank told Which? they were looking to move away from this.

Which? also said that Nationwide, TSB and Virgin Money were not using software that ensures fake emails sent by scammers in the bank's name are blocked or quarantined by the recipient's email provider.

TSB told Which? it has since introduced this protection. Virgin Money said it was in the process of doing so. Nationwide said it has "a range of email security controls" to protect members.
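The control described here, which the article does not name, is DMARC (built on SPF and DKIM): a DNS TXT record published by the bank tells receiving email providers whether to quarantine or reject mail that fails authentication, and a record with `p=none` only asks for reports. As an added example that is not from the article or from any bank named in it, the following Python code parses a DMARC record and reports whether it actually enforces anything; the records and the `bank.example` domain are constructed for the example.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed example records (not the DNS records of any bank in the article).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@bank.example"
ENFORCING = ("v=DMARC1; p=reject; sp=quarantine; "
             "rua=mailto:dmarc-reports@bank.example; ruf=mailto:forensics@bank.example")
PARTIAL = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@bank.example"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, rejecting malformed records."""
    tags = {}
    for pair in record.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"malformed tag: {pair!r}")
        key, value = pair.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    return tags


def enforcement_level(record: str, subdomain: bool = False) -> str:
    """Classify what a receiving provider will do with mail that fails DMARC.

    Returns 'monitor-only' when spoofed mail is merely reported, 'partial (<n>% <policy>)'
    when pct= applies the policy to only a sample, otherwise 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:        # sp= overrides p= for subdomains
        policy = tags["sp"].lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none" or pct == 0:
        return "monitor-only"
    if pct < 100:
        return f"partial ({pct}% {policy})"
    return policy


if __name__ == "__main__":
    for name, record in (("monitor-only", MONITOR_ONLY), ("enforcing", ENFORCING),
                         ("partial", PARTIAL)):
        print(f"{name:13s} apex: {enforcement_level(record):24s}"
              f" subdomain: {enforcement_level(record, subdomain=True)}")
```

In practice the record is fetched with a TXT lookup of `_dmarc.<domain>`; the classifier above is the check to run on the result. Note that DMARC only protects the bank's own domain: it does nothing against lookalike domains, and it only works once the bank's legitimate mail sources pass SPF or DKIM, which is why organisations typically move from `p=none` through `pct=` sampling to `p=reject`.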

HSBC rated highest for online banking security, earning five stars for website encryption and account management. First Direct, a division of HSBC UK, ranked first for mobile app security.

Metro Bank ranked last for online security, while Monzo came last in Which?'s ranking for mobile app security.

Which? said Monzo does not ask customers to log in every time they open the app; the bank said this was a "conscious design decision to strike a balance between risk and customer experience."

A spokesperson for Monzo said: "We strongly disagree with this assessment. Since every sensitive action or payment requires the customer to provide additional authentication in the form of a PIN or biometrics, the risk associated with staying logged in to the Monzo app is extremely low.

“We take security incredibly seriously and focus on the policies and practices that we consider to be the safest for Monzo customers.”

Metro Bank said: "Like all financial institutions, we must remain vigilant to protect our systems and security. We work collectively with other banks to help protect against fraud. We take the security of our customers very seriously and have a variety of security measures in place across all channels to help defend them against fraud.

"In addition to controls that are visible, we have background controls that support our customers' journeys and provide invisible protection. We are continually evaluating and evolving our controls to prevent fraud."

Which? said the criteria it assessed included encryption and protection, login, account management and navigation.

It added that every bank and building society has security processes running behind the scenes which it was not possible for Which? to verify.

Jenny Ross, of Which? Money, said: "Banks must lead the battle against fraud, yet our security tests have revealed troubling flaws when it comes to keeping people safe from the threat of their accounts being compromised.

"Banks must up their game to combat fraud by using the latest protections for their websites and not allowing customers to set weak passwords. We also want banks to stop sending sensitive data to customers via text messages, as this could leave the door open for scammers."

The banks stressed that security is a top priority.
