Which? discovers wide differences in banks' online security systems

Major banks have big differences in the safeguards used for their online banking systems, research from a consumer group suggests.

Which? found several big providers do not use "two factor" security steps when customers log in, which could help protect them from falling victim to scams.

Two factor authentication means that someone needs to pass through two different types of security checks to access their account - typically something they know, such as a password or Pin, combined with something they have, such as a card reader or mobile phone device on which they get a single-use pass code.

Which? said just five out of the 11 providers it tested offered two factor authentication at login - Barclays, First Direct, HSBC, Nationwide and M&S Bank.

It said Lloyds Banking Group, which includes Lloyds, Halifax and Bank of Scotland, was among those not using two factor security steps at login.

But banks said the research did not paint a true picture of their security controls.

Katy Worobec, director of Financial Fraud Action UK, whose members include banks, said banks have multiple layers of background checks during every online banking session which are not visible to the customer and have not been reflected in the research.

She said: "These advanced systems all ensure a high level of protection for customers."

Lloyds said the findings "do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research".

"We don't consider the results accurately reflect these factors which have a material impact on how we protect our customers' daily needs."

A statement from TSB said: "We maintain complex and multi-layered fraud prevention controls which will not be visible to the customer - or reflected in this survey."

A Santander spokeswoman said: "Our security model is robust and this is reflected by the low ratio of fraud incidents for Santander compared to the rest of the market based on our market share."

NatWest said it had a "layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login."

Which? said all the banks tested in the summer of 2016 were "broadly secure".

Alex Neill, managing director of Which? Home and Legal, said: "The best banks in our test manage to use two factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security.

"Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated.

"People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers."

Which? said hackers who were able to penetrate the first level of security at login could access people's sensitive financial details, which they could use to convince victims they were talking to their bank - a tactic often used by scammers.

The consumer group had used its super-complaint powers to call on the financial regulator to investigate whether banks could do more to protect people who were tricked into transferring money to a fraudster.

In the latest research, volunteers with current accounts at the 11 banks tested were asked to carry out a series of tasks to look at the levels of security used.

The tasks covered logging in, including whether this involved two factor authentication; account management and setting up a new payee; encryption and how safely a customer's information was transmitted; and the navigation process and logging out.

Security experts were asked to rate the safeguards and a total score was given to each provider.

Barclays said it strived to provide customers with a great digital experience with high level security, while HSBC said it used "state-of-the-art technology" to deter and detect financial crime.

Here are the scores given to providers in the Which? test:

1. First Direct, 78%

2. HSBC, 76%

3. Barclays, 75%

=4. M&S Bank, 73%

=4. Nationwide Building Society, 73%

6. NatWest/RBS, 68%

7. Metro Bank, 64%

=8. Halifax/Bank of Scotland, 62%

=8. Lloyds Bank, 62%

10. Santander, 59%

11. TSB, 56%