Online banks servicing UK's SMBs found to have 'serious' security flaws
TSB and Virgin Money were both ranked bottom of a study examining security practices at leading UK banks


Some of the largest online banks in the UK have been found to have "worrying" security vulnerabilities in their products, leaving the UK businesses they service, and their customers, at risk of cyber attacks.
TSB and Virgin Money, both of which offer business current accounts for SMBs across the country, were found to have serious security issues that could put customers at risk, researchers said.
Researchers at Red Maple Technologies, working on behalf of Which?, raised “several concerns” over TSB's security practices in particular, revealing that the bank still asks “basic security questions” to recover login details.
In addition, Red Maple said it found a potentially vulnerable subdomain and two outdated web applications, which could place customers at risk. However, the bank confirmed that the vulnerable subdomain will be removed.
“[TSB] also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications,” researchers said.
A spokesperson for TSB told the consumer group that it is continuing to invest in online and mobile banking services and work with “globally-leading tech firms to deliver both security and accessibility” to customers.
“TSB also tracks well across the industry on fraud prevention,” the spokesperson added.
The researchers examined the cyber defences of 13 current account providers to rate their online and mobile banking security.
Virgin Money received the lowest score for online and app banking, according to Red Maple's analysis.
The security firm found six outdated web applications, an exposed IP address, and a subdomain using an outdated version of TLS.
Of the six outdated web apps, three contained minor security vulnerabilities, researchers revealed.
Small business security concerns
Red Maple’s research on banking security comes amidst a period rife with escalating security risks for small businesses across the UK.
Research from Close Brothers last year found that around half of UK-based SMBs have suffered a cyber attack, with 54% suffering a financial loss.
Ransomware attacks were highlighted as the most common attack method among SMBs, followed by phishing attacks.
Among those that suffered a cyber attack, the study found that two-thirds have been subjected to increased incidents in the weeks and months following.
Jasson Casey, CTO at Beyond Identity, said the research from Red Maple is concerning, and highlights vulnerabilities which are frequently targeted by threat actors.
“It’s worrying to see this latest report from Which? which has marked banks down on multiple security measures, including failing to block weak passwords, sending one-time passcodes and sensitive data via SMS,” he said.
“It’s about time these organisations woke up and fixed their major vulnerabilities. Threat actors are constantly taking advantage of outdated security measures that make it easy, and inexpensive to breach systems.”
More broadly, the financial services sector has also been subjected to growing threats in recent years. Recent research from Imperva found that the volume of cyber threats directed towards the financial services and insurance industry (FSI) has grown rapidly over the course of 2022.
Imperva’s research found that across 2022, more than a quarter of all cyber attacks (28%) hit FSI businesses, double that of the next most-targeted sector.
Top-rated banks for security
Red Maple's research noted that a number of leading UK banks boast robust security measures and safety for users.
Starling, which provides one of the UK’s most popular business current accounts, was ranked top for security.
The rapidly-growing challenger bank was followed closely by HSBC, NatWest, and Lloyds – all of which had strong security measures to protect customers.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.