A number of high street banks have been criticised by consumer group Which? for failing to adopt “two-factor” security checks that would protect customer's better against fraudulent activity.
Which? said Halifax Bank of Scotland, Lloyds Bank, Santander, TSB, Royal Bank of Scotland (including its NatWest brand) and Metro Bank had “consistently scored poorly” after analysing their security measures over four years.
They found that none of the six major banks had offered two-factor authentication when customers login, despite having the technology to do so.
Alex Neill, managing director of Which? Home & Legal, said: "The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there's no excuse for others to sacrifice security."
The two-factor authentication uses two kinds of ID checks, including passwords and PINs in the first step, whilst the second step uses a card reader, phone or device which provides a single-use code enabling the customer to login.
Which? said that hackers who are able to access the first step of this authentication are able to access customers personal financial details.
Gabriel Wilson, from Ilex International’s UK consulting partner, Rivington Information Security said: “The scarcity of two factor authentication in the banking industry is down to weak guidance and lack of regulatory requirements. It’s also less expensive for banks to reimburse victims of online fraud, who have had their accounts compromised, than it is to implement two factor authentication.
“When these factors are combined with the sheer volume of existing regulations already in place, many not mandated, the focus of investment is not being used to adopt security best practices.”
Although two factor authentication will reduce unauthorised access to customer accounts, it will not stop customers falling for scams, said Mr. Wilson.
He added: “Banks and businesses need to start working with their customers and better educating them on the risks. The end user needs to understand the important part they play when it comes to the responsibility they have for their own data protection from cyber criminals.
“Many end users are still duped into handing over account passwords and log in details when receiving an email asking for an update or verification. Many still even fall for requests to pay an invoice for something they haven’t purchased from a company they haven’t engaged with.
Two-factor authentication is a very important element when it comes to protecting customers financial accounts, but equally, more needs to be done to educate the end user directly. Both sides working together will make a positive change to addressing the overall problem.”