UK banks slammed over lack of two-factor authentication

Major high street banks have failed to provide sufficient security steps to safeguard customers against scams, new research suggests.

A report by Which? released today found that many banks lack "two-factor authentication" at login, where customers are required to provide a memorable answer or password alongside a single-use code from a mobile app or authenticator.

In a test of 11 high street banks, only five provide these improved security steps to protect customer accounts. Halifax, Lloyds Bank, Santander and TSB have all been criticised by the report for providing insufficient protection, despite having the technology to impose two-step verification, according to Which? research conducted in August.

TSB was found to be the worst offender, with a total online protection score of 56%; security at Santander was only slightly better.

In response to the findings, TSB said: "Customers are at the very forefront of everything we do, and we take their safety and security very seriously. We continually review and improve our services to ensure they remain robust and fit for purpose."

Hackers need only bypass one level of security to gain access to account details, which scammers will use to contact customers in the guise of a bank employee, potentially gaining further access to savings.

"The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security," said Alex Neill, managing director of Which? Home & Legal.

"Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility," added Neill.

Losses due to online bank fraud during 2014-15 reached 133.5 million, an increase of 64%, while fraud in phone banking rose by 28%, to 323.3 million. Which? believes this is largely due to a failure by high street banks to provide adequate protection.

Lloyds said in a statement: "The findings do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don't consider the results accurately reflect these factors which have a material impact on how we protect our customers' daily needs."

A NatWest spokesperson pointed to its "layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login".

This year a number of banks, including Barclays and HSBC, took steps to improve security by implementing telephone voice authentication, news that was well received by security specialists campaigning for safer biometric authentication and a move away from a reliance on passwords.

A Barclays spokesperson said its customers can get free cybersecurity services from Kaspersky, adding: "We have no higher priority than the protection of our customers' funds and data. Customers can be reassured that the digital banking services they use carry the highest level of recognised cyber security protection. We strive to provide our customers with a great digital experience with the highest level security that doesn't impact the ability to access their funds."

A statement from HSBC read: "HSBC uses a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring.

"Two factor authentication and a one-time password is required to access high risk transaction types within online banking services, protecting our customers from fraudulent activity. HSBC customers are also provided with anti-virus software."

Santander launched a phone banking voice recognition service in March, but was heavily criticised by Which? for providing an insecure online service.

IT Pro has approached Santander for comment.

Which?'s 'Safeguard us from Scams' campaign has called on the government's Joint Fraud Taskforce to investigate the findings to see if banks are fulfilling their responsibilities to customers.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He is the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.