UK markets closed
  • NIKKEI 225

    -509.40 (-1.32%)

    +2.87 (+0.02%)

    +0.20 (+0.24%)

    -7.10 (-0.30%)
  • DOW

    -45.66 (-0.12%)
  • Bitcoin GBP

    -1,839.93 (-3.60%)
  • CMC Crypto 200

    0.00 (0.00%)
  • NASDAQ Composite

    -181.88 (-1.15%)
  • UK FTSE All Share

    +12.61 (+0.30%)

Banks putting customers ‘at risk of fraud’ with outdated online security

person using phone text code to login to website - Yiu Yu Hoi/Getty Images
person using phone text code to login to website - Yiu Yu Hoi/Getty Images

Banks are putting customers at risk of fraud by sending security codes via text, a study has found.

In an investigation into 13 current account providers, Which? found that many sent a one-time passcode by SMS even though the consumer group said this was the least secure way to authenticate customers because criminals were increasingly intercepting such texts.

Instead, the group awarded top marks to banks that asked customers to use a card-reader or their mobile banking app to login every time.

It identified the vulnerability as one of a series of security flaws on the websites and apps of some of the biggest banks, which it said were putting consumers at increased risk of falling victim to fraud.


Insecure passwords, lax checks on new payees and vulnerable login processes were among the weaknesses found by the consumer group.

Fraud costs £85 million in six months

It follows reports of 29,102 frauds in remote banking worth nearly £85 million to UK Finance, the industry body, in the first half of 2022.

For the research, Which? tested customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies.

The banks were scored across four key categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.

Among other issues, banks were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, which is the least secure approach, and failing to log customers out after five minutes of inactivity.

For logins – which include checks on password and passcode processes – HSBC topped the ranking with five out of five stars, followed by Starling, Lloyds, First Direct, Nationwide and Virgin Money on four stars. TSB, Santander, Barclays and NatWest received three stars.

Virgin Money got the lowest total scores for online (52 per cent) and app banking (54 per cent). The study found six outdated Virgin Money web applications which had potential vulnerabilities.

Virgin Money failed to adequately block insecure passwords and remove phone numbers from notifications, according to the research. It also found there were no security checks to pay someone new, change an email address or edit the details of a payee.

‘Robust, multi-layered controls’

A spokesman for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls.

“A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

TSB scored 57 per cent for its app, the second lowest, but got a slightly higher score of 66 per cent for its online offering.

Which? said it still asks basic security questions such as “name your favourite food” to recover login details. It also failed to block insecure passwords and only required six characters. There was also a potentially vulnerable subdomain, which TSB said will be removed in 2023, and two outdated web applications.

TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications.

A spokesman for TSB said: “We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers.

“TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”

Only four scam texters prosecuted for fraud

Just four scam texters have been prosecuted for fraud in the past year despite an estimated 45 million people receiving them, official data has revealed.

Only four people were charged in the year to June 2022 for fraud by false representation, the offence which covers consumer phone fraud including text and call scams, according to the Home Office figures.

It comes despite more than eight in 10 (82 per cent) of the population receiving scam texts or calls in a three month period - equivalent to 44.6 million people, according to Ofcom research.

Scams are more commonly attempted via text messages with seven in 10 people (71 per cent) saying they have received a suspicious text, compared with 51 per cent saying they had received a suspicious live phone call.

Shadow Attorney General Emily Thornberry: “Fraud is the UK's most commonly experienced crime, but the level of enforcement against the parasites responsible is still pathetically weak and complacent.”

The four prosecutions in a year are the lowest on record, steadily decreasing from 14 in 2018, 11 in 2019, seven in 2020 and nine in 2021.

The number prosecuted for email phishing scams - where texts or calls try to entice victims onto fraudulent websites - also fell to a low of 37 in the year to June 2022, down from a high of 142 in the year to June 2020.

The disclosure comes after The Telegraph revealed last week how just one in 1000 frauds are solved by police, despite a 30 per cent increase in offences.

Official statistics show only 1,753 police officers and staff in England and Wales were primarily focused on economic crimes such as fraud in 2021 – amounting to just 0.8 per cent of the total police workforce.

One of those who was caught was computer science student Abdisalaam Dahir, who was jailed for 22 months for scam text messages purporting to be from organisations including Royal Mail, HMRC, banks and mobile phone providers.

His large scale “smishing” text messages run from equipment at his home in Enfield, north London, defrauded the public out of more than £185,000.

Security minister Tom Tugendhat, who chairs the Government fraud taskforce, pledged a new strategy would be announced “very soon” as he acknowledged “fraud has been a blight on too many communities.”

Fraud is expected to be elevated to the same status as terrorism with chief constables mandated to increase resources and combine capabilities in a new effort to combat scams that now account for up to 40 per cent of all crime.

An extra £400 million Government cash is being targeted at fraud in the next three years, to increase the number of officers and revamp Action Fraud with a new artificial intelligence computer system to target the criminal gangs.