Banks 'falling short on two factor online security'
Written by Hannah McGrath
Fewer than half of Britain’s leading High Street banks offer customers two-factor authentication to secure their online accounts from hacking attempts, according to a Which? investigation.
The consumer watchdog partnered with cyber security firm Sure Cloud to carry out an assessment of online security procedures at 12 leading retail banks. It found that only five have adopted a two-factor authentication (2FA) login, which requires a password and further information in order to gain access to a customer’s account.
Metro Bank was found by the study to have the weakest password requirements and was penalised for its lack of 2FA login, followed by NatWest, which allowed multiple online banking sessions at the same time.
First Direct was the best performer, with a rating of 76 per cent: its security systems require customers to generate a temporary code via its mobile banking app, or to use a physical secure key, in order to access the full account site, change passwords or set up a new payee. Usernames and passwords could only be changed by calling the bank.
HSBC came second overall, with a rating of 73 per cent, and was found to perform well in 2FA login and website security, although the report stated there was still room for improvement in notifying customers by email or text of changes of address made online, as these don’t currently require further checks.
Only Tesco Bank made 2FA login compulsory, while most of the top scoring banks offered a fall-back method in which customers log in with only their username and memorable information.
The Which? report stated: “Balancing security with usability isn’t straightforward - and all banks have sophisticated and evolving systems behind the scenes that we can’t test - but we think analysing customer-facing security offers meaningful comparison. And on that score, the truth is that more than half of the banks we tested are yet to adopt two-factor authentication login.”
The researchers contrasted security measures offered to protect online banking accounts with access to Gmail, Microsoft, Hotmail and Twitter accounts, all of which give consumers the option of some form of 2FA.
Volunteers with accounts at the major banks tested key security features including: account management, meaning how easily a hacker could change account details and transfer money; encryption, cypher strength and vulnerability to ‘clickjacking’ attempts, which load fake webpages over the originals with malicious links and buttons; login, including ease of username and password recovery and 2FA; and navigation, including multiple sessions and one-click logout.
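The clickjacking check mentioned above comes down to whether a site tells browsers it may not be embedded in another page's frame. The function below is an added example, not code from Which? or SureCloud and not a reproduction of their test method: it inspects a response's `Content-Security-Policy` and `X-Frame-Options` headers and reports whether framing is restricted. All header values in it are constructed for illustration and belong to no real bank.

```python
"""Assess whether an HTTP response carries anti-clickjacking (framing) protection.

Added example with constructed header values. Browsers give the CSP
frame-ancestors directive precedence over X-Frame-Options when both are set,
so the check looks at CSP first and falls back to X-Frame-Options.
"""
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a set of response headers."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                # An empty source list or 'none' matches no origin: framing is blocked.
                if not sources or sources == ["'none'"]:
                    return True, "CSP frame-ancestors blocks all framing"
                # A wildcard or plain-http ancestor lets arbitrary pages frame the site.
                if "*" in sources or any(s.startswith("http:") for s in sources):
                    return False, "CSP frame-ancestors too permissive: " + " ".join(sources)
                return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, "X-Frame-Options " + value
        if value.startswith("ALLOW-FROM"):
            # Obsolete form, ignored by current browsers, so it offers no protection.
            return False, "X-Frame-Options ALLOW-FROM is obsolete and not enforced"
        return False, "Unrecognised X-Frame-Options value: " + xfo

    return False, "No framing protection: page can be embedded in a hostile iframe"


# Constructed sample responses (hypothetical, not captured from any bank).
SAMPLES: Dict[str, Dict[str, str]] = {
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
    "no_headers": {"Content-Type": "text/html"},
}


def audit_samples() -> List[Tuple[str, bool, str]]:
    """Run the check over every sample and return (name, protected, reason) rows."""
    return [(name, *assess_framing_protection(h)) for name, h in SAMPLES.items()]


if __name__ == "__main__":
    for name, protected, reason in audit_samples():
        print(f"{name:15} {'OK ' if protected else 'FAIL'} {reason}")
```

To check a live site you would pass the headers of a real response (for example `response.headers` from an HTTP client) to `assess_framing_protection`; the function only reads header values and sends nothing itself.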
The report concluded: “Customers must do their bit to keep online accounts secure but, ultimately, the responsibility lies with the banks.”