TSB, The Co-operative Bank and Monzo have been named the UK’s worst major banks for mobile app security by consumer group Which? amid warnings that scammers are increasingly targeting customers via their phones.
The group reviewed the apps and websites of Britain’s 13 largest current account providers between January and February, with assistance from computer security experts.
Which? rated the banks on their login procedures, security “best practice”, account management and navigation and logout. Its researchers were not able to test back-end security systems.
While each bank used multi-layered security helping to reduce the chance of major breaches, Which? said it believed that some towards the bottom of its league tables “fell short of the high standards customers should expect”.
TSB scored 54 per cent for its mobile app security and 67 per cent for its online security – coming in bottom and second-bottom respectively.
Which? said TSB’s handling of sensitive data meant it could be read by other apps running on the phone and that the app stores users’ details “in an insecure manner”. The bank said the matter was under review and a fix would be “considered in the future”.
Researchers also found TSB sent a phone number in an SMS alert, which could be replicated by scammers. The bank said it would remove the number from this alert, having already done so for others.
Which? added that TSB’s password requirements are only six characters and let users choose “insecure” combinations which are easier for scammers to crack.
TSB said: “We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”
Which? ranked Co-op Bank bottom for online security, with a score of 61 per cent. It was second-to-last for mobile app security, with a score of 57 per cent.
The group said Co-op Bank was the only firm that failed to require a two-factor authentication login on a test laptop and that it also does not block customers from setting weak passwords.
It added that researchers could be logged in from two different IP addresses at once, and, like TSB, there were phone numbers in SMS alerts.
The bank said: “We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”
Lloyds was the only bank that failed to log out website users after five minutes of inactivity. The group said this feature makes banking easier for its vulnerable customers.
Customers are increasingly using mobile phones as their primary way of accessing banking services, with a flurry of online-only and app-based offerings emerging in recent years to meet the demand.
Nine-year-old Monzo, which only offers online personal banking for emergencies, came third-bottom for mobile app security with a score of 60 per cent.
The digital-only challenger was also listed by the Payments Systems Regulator last October as one of the major banks most hit by fraud and least likely to refund customers for 2022.
A spokesperson said it used “cutting-edge technology like machine learning, as well as hiring the best people in the industry” to keep customers’ money safe. “With fraudsters always evolving their tactics, we continue to invest heavily in new ways to tackle financial crime and launch leading and industry-first tools to protect our customers,” they added.
Starling and Natwest/RBS topped the Which? ranking for online security, both scoring 87 per cent, while HSBC came top for mobile app security with a score of 78 per cent.
Sam Richardson, deputy editor of Which? Money, said: “While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims.
“With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across multiple government departments.”
A spokesperson for banking trade body UK Finance said the industry “invests heavily in cyber security and data sharing, seeking to detect and prevent malicious actors from infiltrating systems, stealing data, and committing fraud”.
“As the fraud landscape evolves, banks update and reinforce security measures on their platforms to mitigate potential threats, whilst maintaining a positive user experience for customers,” they continued.