Uncovering High Street Bank’s Mobile App & Online Security Gaps

In today’s digital age, online and mobile banking have become the norm for millions of customers in the UK. However, a 2024 report by the respected consumer magazine “Which?” has raised alarming concerns about the security measures implemented by some of the country’s major high street banks.

The report scrutinised the mobile app and online security practices of several banks across four weighted dimensions: login security (30%), security best practices (30%), account management and navigation (25%) and logout processes (15%). TSB, the Co-operative Bank and Lloyds Bank (which includes its subsidiaries Halifax and Bank of Scotland) came in for particular criticism over security lapses identified during this in-depth testing.

TSB ranked lowest for mobile app security with a score of just 54%, while its online security score of 67% was the second-lowest among the banks evaluated. Notably, the report flagged issues with how the TSB app handled sensitive user data, which could potentially be accessed by other apps on the same device. It also found that user credentials were stored in a manner susceptible to unauthorised access.

The Co-operative Bank performed poorly in both online security (61%) and mobile app security (57%). Glaring gaps included no mandatory two-factor authentication and no checks to stop customers from choosing weak passwords. Perhaps most concerning, a user could be logged in from multiple IP addresses concurrently without any earlier session being terminated.

While Lloyds Bank faced no specific criticism of its mobile app security, its practice of not automatically logging out inactive users after 5 minutes raised eyebrows. The bank defended the decision on accessibility grounds, but security experts warn that it needlessly exposes accounts to misuse if a device is left unattended.
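The two session-handling findings above, a new login that leaves earlier sessions alive and the absence of an idle logout, are both server-side policy decisions. The following is an added illustration written for this post, not code from Which? or from any of the banks named; it models a minimal session store that revokes a user's earlier sessions when a new login occurs and expires a session once it has been idle for the 5 minutes discussed above. The timeout values, user names and IP addresses are constructed for the example, and the clock is injectable so the behaviour can be checked deterministically.

```python
"""Added example: a minimal server-side session policy demonstrating
(1) revoking a user's earlier sessions when a new login occurs, and
(2) expiring a session after a period of inactivity.
Illustrative code for this post only; not any bank's implementation."""
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 5 * 60            # idle limit discussed above (assumed policy value)
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60   # hard cap regardless of activity (assumed value)


@dataclass
class Session:
    token: str
    user: str
    ip: str
    created_at: float
    last_seen: float
    revoked: bool = False
    reason: Optional[str] = None


class SessionStore:
    def __init__(self, clock):
        self._clock = clock              # injectable clock: deterministic testing
        self._by_token: dict = {}

    def login(self, user: str, ip: str) -> str:
        now = self._clock()
        # Revoke every live session for this user so a second login (e.g. from
        # another IP address) cannot silently coexist with the first one.
        for s in self._by_token.values():
            if s.user == user and not s.revoked:
                s.revoked, s.reason = True, "superseded by new login"
        token = secrets.token_urlsafe(32)    # 256-bit random session identifier
        self._by_token[token] = Session(token, user, ip, now, now)
        return token

    def validate(self, token: str) -> Optional[Session]:
        """Return the session if still valid; otherwise revoke it and return None."""
        s = self._by_token.get(token)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            s.revoked, s.reason = True, "idle timeout"
            return None
        if now - s.created_at > ABSOLUTE_TIMEOUT_SECONDS:
            s.revoked, s.reason = True, "absolute timeout"
            return None
        s.last_seen = now                # sliding window: activity extends the idle deadline
        return s

    def logout(self, token: str) -> None:
        s = self._by_token.get(token)
        if s is not None:
            s.revoked, s.reason = True, "user logout"

    def live_sessions(self, user: str) -> list:
        return [s for s in self._by_token.values() if s.user == user and not s.revoked]

    def reason_for(self, token: str) -> Optional[str]:
        s = self._by_token.get(token)
        return None if s is None else s.reason


class FakeClock:
    """Constructed clock so the walkthrough below does not depend on wall time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through both scenarios and return the outcomes for checking."""
    clock = FakeClock()
    store = SessionStore(clock)
    t1 = store.login("alice", "203.0.113.10")     # constructed sample values
    clock.advance(60)
    assert store.validate(t1) is not None         # still active after one minute
    t2 = store.login("alice", "198.51.100.7")     # second login from a different IP
    first_after_second = store.validate(t1)       # earlier session must now be dead
    live = len(store.live_sessions("alice"))
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)       # exceed the idle limit
    second_after_idle = store.validate(t2)
    return {
        "first_session_revoked": first_after_second is None,
        "first_reason": store.reason_for(t1),
        "live_sessions_after_relogin": live,
        "second_session_idle_expired": second_after_idle is None,
        "second_reason": store.reason_for(t2),
    }


if __name__ == "__main__":
    print(demo())
```

Recording a revocation reason on each session is deliberate: it gives the fraud and SOC teams something to alert on (a burst of "superseded by new login" events across many IPs looks very different from a single idle timeout), and it lets the app tell the customer why they were signed out rather than failing silently.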

The security weaknesses identified were preventable issues that should have been caught during the banks’ internal review processes and penetration testing. As an ex-member of HSBC’s security team (well done to the HSBC team for being the top-ranked bank for mobile app security) and ex-CISO of one of the biggest high street banks in Hong Kong, I find it doubtful that such lapses would have survived those organisations’ security vetting. The report indicates that they are not isolated cases.

Monzo, the mobile-only challenger bank, failed on security best practices, raising questions about its security investment and processes. It appears Monzo still has a long way to go to catch up with traditional high street banks in this critical area.

In response, the implicated banks acknowledged the need for prompt remediation while reiterating their commitment to cyber security. They stated that investing in robust security controls and expertise remains an ongoing priority, balanced against user experience and accessibility.

As online and mobile banking become increasingly ubiquitous, safeguarding customer data must be paramount for financial institutions. The “Which?” findings serve as a wake-up call for high street banks to prioritise rigorous security practices and regain customer trust. Consumers deserve assurance that their financial wellbeing is protected against the ever-evolving threats of cybercrime.