Bank security flaws putting customers at risk, warns Which?

Security flaws in the websites of banks are putting customers at increased risk of falling victim to fraud, according to an investigation by Which?.

Tests conducted by Which? found that some banks failed to log users out after periods of inactivity, did not adequately block weak passwords, or sent sensitive information via SMS.

The consumer body also found that some banks allowed the same account to be accessed from multiple web browsers or IP addresses at the same time without flagging this as a potential cyber attack.
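The two session controls described above (expiring idle sessions, and flagging an account that is active from more than one browser or IP address at once) are easy to get wrong in a web application. The following is an added example, not code from Which? or from any bank named in the article; the session store, the five-minute idle limit, the customer "alice" and the IP addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy value for this example; a real bank tunes it to its risk appetite.
IDLE_TIMEOUT = timedelta(minutes=5)


@dataclass
class Session:
    session_id: str
    user: str
    ip: str
    user_agent: str
    last_seen: datetime
    expired: bool = False


class SessionStore:
    """Minimal server-side session registry with two controls:
    1. idle expiry: a session unused for longer than idle_timeout is dead;
    2. concurrency flagging: a user live from more than one (ip, browser)
       origin at the same time raises an alert for the fraud team."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[dict] = []

    def login(self, session_id: str, user: str, ip: str, user_agent: str, at: datetime) -> None:
        self.sessions[session_id] = Session(session_id, user, ip, user_agent, at)
        self._flag_concurrent(user, at)

    def touch(self, session_id: str, ip: str, user_agent: str, at: datetime) -> str:
        """Validate a session cookie on an authenticated request. Returns 'ok',
        'expired' (idle limit exceeded) or 'unknown' (no such live session)."""
        s = self.sessions.get(session_id)
        if s is None or s.expired:
            return "unknown"
        if at - s.last_seen > self.idle_timeout:
            s.expired = True          # server-side kill, not just a client-side redirect
            return "expired"
        if (ip, user_agent) != (s.ip, s.user_agent):
            # Same cookie presented from a different origin: possible session hijack.
            # Flag it rather than hard-block, because mobile networks legitimately
            # change IP mid-session; whether to force re-authentication is policy.
            self.alerts.append({"user": s.user, "kind": "session_origin_changed",
                                "from": (s.ip, s.user_agent), "to": (ip, user_agent)})
        s.last_seen = at
        return "ok"

    def live_sessions(self, user: str, at: datetime) -> List[Session]:
        return [s for s in self.sessions.values()
                if s.user == user and not s.expired
                and at - s.last_seen <= self.idle_timeout]

    def _flag_concurrent(self, user: str, at: datetime) -> None:
        origins = {(s.ip, s.user_agent) for s in self.live_sessions(user, at)}
        if len(origins) > 1:
            self.alerts.append({"user": user, "kind": "concurrent_origins",
                                "origins": sorted(origins)})


def demo() -> dict:
    """Run constructed events through the store and return the outcomes."""
    t0 = datetime(2022, 6, 1, 9, 0, 0)
    store = SessionStore()
    # Customer logs in from home (constructed addresses from RFC 5737 test ranges).
    store.login("sid-A", "alice", "203.0.113.10", "Firefox/102", t0)
    # Second login to the same account from another address and browser two
    # minutes later, while the first session is still live: should be flagged.
    store.login("sid-B", "alice", "198.51.100.7", "Chrome/103", t0 + timedelta(minutes=2))
    # Session A is next used 10 minutes after its last request: idle limit exceeded.
    a_after_idle = store.touch("sid-A", "203.0.113.10", "Firefox/102", t0 + timedelta(minutes=10))
    # Session B's cookie is replayed from a third origin inside the idle window.
    b_replayed = store.touch("sid-B", "192.0.2.55", "curl/7.79", t0 + timedelta(minutes=4))
    return {
        "a_after_idle": a_after_idle,
        "b_replayed": b_replayed,
        "alert_kinds": [a["kind"] for a in store.alerts],
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that both controls have to live server-side: an idle timeout enforced only by a JavaScript redirect leaves the cookie valid, and concurrent use can only be noticed if the server keeps a registry of live sessions per customer rather than trusting each cookie in isolation.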

Other banks sent customer notifications that included a phone number or a web link. Which? said these can be a gift to scammers, who often replicate bank texts and emails to trick people into calling them or entering their details on a fake website.

Virgin Money ranked lowest in the investigation, with Which? saying the bank did not adequately block insecure passwords or remove phone numbers from notifications.

Virgin Money also lacked the necessary security checks to pay someone new, change an email address or edit the details of a payee, it said.

A spokesperson for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

More than 29,100 cases of remote banking fraud were reported to UK Finance in the first half of 2022. These included cases in which scammers gained access to customers' bank accounts and made unauthorised transfers of money out of them.

Commenting on the news Sam Richardson, Which? Money deputy editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.”

He added: “By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”
