The digital revolution has swept through every aspect of our lives, including banking and financial services. Much of today’s banking is done on computers or smartphones, making it extremely convenient and quick. However, the moot question is whether online banking is secure and free of flaws. According to a report by Which?, a company championing consumer issues, some of the websites and mobile applications of the UK’s retail banks have been found to have serious security flaws. As a result of these flaws, customers may be vulnerable to digitally enabled fraud. The banks that scored the lowest for website security as per the report were TSB, Virgin Money, The Co-Operative Bank, and Nationwide. In a joint assessment of banks by Which? and security testing specialists Red Maple, the ones offering the most secure services were NatWest, Lloyds, HSBC, Barclays, First Direct, and Santander.
Similarly, for mobile app security, an assessment that also included Chase, the US newcomer, the low-scoring banks were Virgin Money, TSB, and Lloyds. On the other hand, the most secure were HSBC, Barclays, and Starling. The assessment covered several metrics, as listed below:
- Failure to block weak passwords
- Sending sensitive data and one-time passcodes via SMS
- Whether or not inactive customer browser sessions are timed out
- Failure to prevent account access via multiple browsers or IP addresses at once
The deputy editor at Which?, Sam Richardson, stated that banks should not leave these open doors for scammers to exploit and must up their game to protect customers. He added, “By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.” The study found Virgin Money to be one of the worst-rated banks, with scores of 52% for its website and 54% for its app. The bank appeared to have the weakest security measures in place and failed on multiple counts, including navigation, logout, and account management.
According to Red Maple, Virgin Money had six outdated apps with potential vulnerabilities. Compounding matters for Virgin Money is its failure to block weak passwords or censor phone numbers in notifications. It also does not carry out any security checks if an account holder seeks to make a payment to someone new, change his or her email address, or edit a payee’s details.
In a similar vein, TSB scored 66% for its website security and 57% for its app. It displayed a highly lax approach to password security and exposed a potentially vulnerable subdomain on the Internet. In the assessment, TSB lost points for using SMS-based security, including phone numbers in new-payee notifications, and not alerting account holders to changes. Nationwide too scored 63% for website and 67% for app security. It was found to be wanting in notifying customers of any changes to details. On its part, a spokesperson for Virgin Money stated, “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing, and improving our security controls.” The banks that received low ratings in the study tried to put up a brave face and stated their commitment to strengthening the security of their systems.
The study exposed flaws in some banks that, if not addressed in a timely manner, could be exploited by threat actors. According to Manish Chaudhari, CISO, Cybernetic Global Intelligence, a notable cybersecurity company, the retail banking sector ought to do more to enhance cyber defences against sophisticated scammers. It should not hide behind semantics or downplay the points raised by the study. Instead, it should go all guns blazing to secure its websites and mobile apps to provide an omnibus security umbrella.
How Should Retail Banks (and others) Strengthen Their Cyber Security Defenses?
Retail banks (and other companies) should find out whether their digital infrastructure is vulnerable to cyber attacks by taking several cyber security measures, including penetration testing. They may hire the services of cyber-security companies, such as Cybernetic Global Intelligence, to help detect flaws and fix them. Penetration testing enables certified ethical hackers to access the system and identify any flaws, which can otherwise be exploited by real cyber criminals. The exercise involves activities like information gathering, footprinting, vulnerability assessment, exploitation, and reporting.
Manish Chaudhari opines that penetration or pen testing can serve as an excellent tool to analyse the IT infrastructure of a retail bank and test its servers, endpoints, network devices, mobile devices, and wireless networks. Once the flaws or vulnerabilities are identified, remediation efforts are conducted to thwart any potential cyberattacks. The major benefits of such testing include anticipating emerging security risks, identifying gaps in current security practices, and achieving regulatory compliance, among others.
Conclusion
It is no secret that many retail banks (and organizations) are operating with less than optimal cyber security measures. The study by Which? and Red Maple has hit the nail on the head for these entities, forcing them to acknowledge vulnerabilities and act against them. Retail banks will do well to shore up their digital infrastructure and prevent potential threat actors from acting against them by implementing penetration testing. In doing so, they may hire the services of cyber security companies like Cybernetic Global Intelligence by dialling 1300 292 376 or sending an email to contact@cybernetic-gi.com.