Bank security flaws leave customers at riskRoom for improvement in anti-phishing measures

24 November 2014

A padlock on a bank card

There are big differences in the security levels of online banking systems

Some banks are falling short when it comes to protecting their customers against online phishing scams, Which? Money has found.

In October, the British Bankers’ Association (BBA) issued a reminder that banks will never send emails linking to pages which ask for login details – a trick played by ‘phishing’ fraudsters when trying to obtain sensitive information.

But Which? Money has seen genuine emails from Barclays, HSBC, Metro Bank and NatWest which appear to undermine the BBA’s advice – inviting customers to log in to online banking and including a homepage link.

Find out more: How to spot a phishing email - be aware of scammers' tricks

Following a link from an email to a bank’s homepage, and then through to online banking, can be risky. Fraudsters can easily send emails that appear genuine, but lead to scam sites.

Website security

And while many banks have improved online banking security, we think more could be done to reduce the risk of customers being hijacked by fraudsters before they get there. Of the 13 high street bank websites we visited, only Metro Bank enforced a secure connection on its main website. A secure connection guarantees that the contents of a webpage, and any login details, can’t be intercepted or tampered with.

On the other 12 websites, customers are only upgraded to a secure connection when they click the link to take them to online banking. A customer whose connection has been tampered with could be redirected to a fake ‘phishing’ page, bypassing the bank’s secure login page altogether. This technique has been used by hackers against bank customers in Poland, according to CERT Polska, the country’s computer security research institute.

Find out more: How to bank online safely - keep your details secure

None of the banks’ secure websites used a feature called Strict Transport Security. This tells customers’ web browsers, on the first visit, to always use the site over a secure connection, making it harder for hackers to get information.

Expert view

Experts say banks should make the most of technology to prevent phishing attacks. Ken Munro, a computer security expert at Pen Test Partners, said: ‘It would be wise to enforce secure browsing and Strict Transport Security on all connections.’

When we raised our concerns, HSBC and Barclays said they only included links to their homepage or marketing pages, while NatWest said it was ‘actively reviewing’ its approach. Metro Bank has removed links to its website from emails and is looking into Strict Transport Security.

More on this...