Which? criticises online banking security
27 August 2009
UK consumer group Which? has accused Abbey and Halifax of employing poor online security measures, leaving customers vulnerable to fraud.
Which? Computing says Abbey and Halifax have "poor" consumer-facing security. Barclays is praised for its "excellent" measures, with First Direct, Lloyds TSB, Nationwide, NatWest and RBS all graded as "good". HSBC and Alliance & Leicester are described as "average".
Which? criticises Halifax for asking for three pieces of information to confirm a customer's identity. Because each entry is typed in full, the information is vulnerable to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting passwords.
Keylogging software played a major part in the doubling of online banking fraud - from £22.6 million to £52.5 million - in 2008, claims Which?
In contrast, Barclays and Lloyds TSB ask customers to use drop-down menus, preventing keyloggers from quickly capturing passwords.
Barclays is also praised for making customers use handheld chip and PIN devices to authenticate their identity at log in and to sign transactions.
The study also criticises Abbey, Alliance & Leicester, HSBC and Halifax for not immediately logging users out when they browse to other sites, meaning someone else could take over the session, leaving accounts vulnerable if accessed on a shared computer.
Which? also found significant differences in how well money transfers appeared to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter any amount they want.
However, Which? only looked at customer-facing security, failing to assess back-office measures. A Halifax spokesman told Sky News that the vast majority of its online security is not visible to customers and that this is to make it as easy as possible to use its site.
Sarah Kidner, editor, Which? Computing, says: "There are surprisingly big differences between big banks' visible online security systems. Some simple measures, like the use of drop-down menus, could improve safety considerably. The banks may say it's the hidden security measures that count, but to have real confidence in an online account, customers need to see security in place."