
Bank security flaws leave customers at risk

Room for improvement in anti-phishing measures


There are big differences in the security levels of online banking systems

Some banks are falling short when it comes to protecting their customers against online phishing scams, Which? Money has found.

In October, the British Bankers’ Association (BBA) issued a reminder that banks will never send emails linking to pages which ask for login details – a trick played by ‘phishing’ fraudsters when trying to obtain sensitive information.

But Which? Money has seen genuine emails from Barclays, HSBC, Metro Bank and NatWest which appear to undermine the BBA’s advice – inviting customers to log in to online banking and including a homepage link.

Find out more: How to spot a phishing email – be aware of scammers’ tricks

Following a link from an email to a bank’s homepage, and then through to online banking, can be risky. Fraudsters can easily send emails that appear genuine, but lead to scam sites.

Website security

And while many banks have improved online banking security, we think more could be done to reduce the risk of customers being hijacked by fraudsters before they reach the login page. Of the 13 high street bank websites we visited, only Metro Bank enforced a secure connection on its main website. A secure connection guarantees that the contents of a webpage, and any login details, can’t be intercepted or tampered with in transit.

On the other 12 websites, customers are only upgraded to a secure connection when they click the link to take them to online banking. A customer whose connection has been tampered with could be redirected to a fake ‘phishing’ page, bypassing the bank’s secure login page altogether. This technique has been used by hackers against bank customers in Poland, according to CERT Polska, the country’s computer security research institute.

Find out more: How to bank online safely – keep your details secure

None of the banks’ secure websites used a feature called Strict Transport Security. This header, sent on a customer’s first visit over a secure connection, tells their web browser to always use the site over a secure connection from then on, making it harder for hackers to get information.
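To make the two checks above concrete, here is an added illustration (not part of the Which? article, and not code from any bank): a small Python script that assesses a pair of constructed HTTP responses for the two weaknesses described, a plain-HTTP homepage that is not redirected to HTTPS and a missing Strict Transport Security header, and a toy browser model showing why HSTS only helps from the second visit onwards. The host name `bank.example` and the response headers are constructed sample data.

```python
import re

# Constructed sample responses for a hypothetical bank site (bank.example).
# They are not captured from any real bank's website.
PLAIN_HOMEPAGE = {"status": 200, "headers": {"content-type": "text/html"}}
HTTPS_REDIRECT = {"status": 301, "headers": {"location": "https://bank.example/"}}
SECURE_HOMEPAGE = {
    "status": 200,
    "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {'max-age': int, 'includesubdomains': bool, 'preload': bool},
    or None when the header is absent or carries no usable max-age
    (a policy without max-age is invalid and browsers ignore it).
    """
    if not value:
        return None
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if match:
                policy["max-age"] = int(match.group(1))
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy if policy["max-age"] is not None else None


def assess(http_response, https_response):
    """Return a list of findings for a site; an empty list means both checks pass.

    http_response  - what http://host/ returns (should be a redirect to https://)
    https_response - what https://host/ returns (should carry an HSTS header)
    """
    findings = []
    location = http_response["headers"].get("location", "")
    if http_response["status"] not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plain-HTTP homepage is served instead of redirected to HTTPS")
    policy = parse_hsts(https_response["headers"].get("strict-transport-security"))
    if policy is None:
        findings.append("no Strict-Transport-Security header on the HTTPS site")
    elif policy["max-age"] < 31536000:  # one year is the usual recommendation
        findings.append("HSTS max-age shorter than one year")
    return findings


class Browser:
    """Minimal model of how a browser applies HSTS.

    The first http:// request for a host goes out in the clear (this is the
    window the article describes). Once the host has sent a valid HSTS header
    over HTTPS, later http:// URLs for it are rewritten to https:// before any
    request leaves the machine, so a tampered link never reaches a plain-HTTP page.
    """

    def __init__(self):
        self.hsts_hosts = set()

    def request_url(self, url):
        """Return the URL the browser would actually fetch for `url`."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if scheme == "http" and host in self.hsts_hosts:
            return "https://" + rest
        return url

    def receive(self, host, response, over_https):
        """Record an HSTS policy; browsers only honour the header over HTTPS."""
        if not over_https:
            return
        policy = parse_hsts(response["headers"].get("strict-transport-security"))
        if policy is None:
            return
        if policy["max-age"] > 0:
            self.hsts_hosts.add(host)
        else:  # max-age=0 tells the browser to forget the policy
            self.hsts_hosts.discard(host)


if __name__ == "__main__":
    print("Plain homepage, no HSTS:", assess(PLAIN_HOMEPAGE, {"status": 200, "headers": {}}))
    print("Redirect plus HSTS:", assess(HTTPS_REDIRECT, SECURE_HOMEPAGE))
    browser = Browser()
    print("first visit fetches:", browser.request_url("http://bank.example/"))
    browser.receive("bank.example", SECURE_HOMEPAGE, over_https=True)
    print("later visit fetches:", browser.request_url("http://bank.example/login"))
```

The browser model makes the article's caveat visible: a site that only sets HSTS on its login page, or that serves its homepage over plain HTTP, still leaves the very first plain-HTTP request open to redirection, which is why the redirect and the header are checked together.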

Expert view

Experts say banks should make the most of technology to prevent phishing attacks. Ken Munro, a computer security expert at Pen Test Partners, said: ‘It would be wise to enforce secure browsing and Strict Transport Security on all connections.’

When we raised our concerns, HSBC and Barclays said they only included links to their homepage or marketing pages, while NatWest said it was ‘actively reviewing’ its approach. Metro Bank has removed links to its website from emails and is looking into Strict Transport Security.
