Serious weaknesses in online banking security systems have been uncovered, according to a Which? investigation.
The consumer group worked with security experts 6point6 to scrutinise online banking safety measures.
Which? said that while online banking is largely a safe way to manage money, it had found that some of the biggest banks such as Santander, Tesco Bank and TSB, have concerning vulnerabilities in security.
Tesco Bank received the poorest rating in the Which? testing. The consumer group said, among other issues, it failed to block testers from logging in to the website from two computer networks at the same time and did not log out testers when switching to a different website.
Tesco Bank told Which?: “The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.
“Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards. We use the latest technology to protect and manage the security of online banking and our mobile banking app and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”
TSB finished second from bottom in the test and Which? said it had found issues with the firm’s login process.
Which? said the process did not meet new “strong customer authentication” (SCA) regulations introduced in March.
A statement from TSB said: “TSB customers who use their mobile app already have SCA and we’re continuing to roll it out for those who use internet banking.”
TSB has its own fraud refund guarantee, which reimburses innocent victims of fraud.
Santander rounded off the bottom three, and Which? said it had found that authentication checks when logging in can be bypassed in some cases.
Santander told Which?: “Santander takes online security very seriously and we invest a great deal in cyber security and fraud prevention and ensuring we protect our customers’ money and data safely and effectively.
“The Which? review only focuses on the customer-facing elements of security and it is important to understand that there are many other ‘back end’ measures that we employ to ensure we keep our customers safe whilst offering optimum customer experience.”
Starling Bank came out top in the testing, and Which? said experts found nothing concerning with its recently launched online banking website.
Barclays, HSBC and First Direct tied for second spot, but had areas where improvement is needed, Which? said.
Harry Rose, editor of Which? magazine, said: “The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”