A test of 11 high streets banks found that only five have adopted the more rigorous security checks to protect their customers, while the other six did not.
The consumer watchdog warned that hackers who are able to penetrate the first level of security at login can access sensitive financial details, which they can use to convince consumers they are talking to their bank – a tactic often used by fraudsters trying to trick a customer into transferring money.
Banks’s security systems stopped £7 in £10 of attempted fraud from occurring last year, according to data from Financial Fraud Action UK.
First Direct, HSBC, Barclays, M&S Bank and Nationwide were the only banks to offer the two-factor authentication login, which combines two different types of ID checks – typically something known by the customer, such as a password or Pin, with a physical device, such as a card reader or a mobile phone or device on which the customer get a single-use pass code.
Other institutions – including Lloyds Banking Group, which includes Bank of Scotland, Lloyds Bank and Halifax – as well as Royal Bank of Scotland and sister institution NatWest, did not have the two-step login, although Which? said that all of the banks’ logins were broadly secure.
Which? carried out the investigation by asking volunteers with current accounts at 11 banks to carry out a series of tasks, which were rated by security experts. The tests included account management, which covered setting up a new payee and transferring money, and changing personal details; encryption and navigation and logout, as well as logging in.
The experts checked whether the site prevents a customer from using the “back” button to access a previous secure session and whether it allows for two sessions to be open simultaneously on two different browsers or devices. Alex Neill, managing director of Which? Home and Legal, said: “The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there’s no excuse for others to sacrifice security.
“Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud. It’s time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers.”
A spokeswoman for Lloyds Banking Group said: “The findings do not provide an accurate reflection of the highly sophisticated security our customers benefit from that is undetectable in this research. We don’t consider the results accurately reflect these factors which have a material impact on how we protect our customers’ daily needs.”
A spokeswoman for NatWest and RBS said: “We take the online security of our customers very seriously, We have a layered security model that incorporates a number of different controls working in the background in addition to the information a customer enters at login.”
Last month, Which? used its super-complaint powers to call on the financial regulator to investigate whether banks could do more to protect people who are tricked into transferring money to a fraudster.