/Security

Fintech News that focuses in on Security
Most UK banks failing to protect online customers with two-factor authentication

Most UK banks failing to protect online customers with two-factor authentication

UK consumers' association Which? has hit out at much of the banking industry for failing to protect online customers with two-factor authentication (2FA).

Which? says that seven out of Britain's top 12 online banking providers do not offer 2FA. despite having the technology to do so.

The guilty parties are named as the Co-operative Bank, Clydesdale and Yorkshire Bank, Lloyds Bank (and sisters Bank of Scotland and Halifax), Metro Bank, NatWest and RBS, Santander and TSB.

Which? argues that this is dangerous in an era where crooks can glean valuable information about people from social media, rendering passwords less safe.

Things could be about to change, with more payment providers likely to adopt 2FA ahead of new ‘strong customer authentication’ regulations, due to be introduced from September.

Stuart Rye, director of business development, financial services, Fujitsu UK, says banks are under increasing scrutiny from both customers and the government.

"While we don’t expect biometric adoption to happen overnight, many organisations looking to digitally transform will find themselves reevaluating their current systems and investing in more efficient and effective measures," says Rye.

Overall, Which? ranks first direct as the top bank website, based on an evaluation of five factors: login, encryption, account management, and navigation and logout.

First direct scores 76%, ahead of its owner HSBC on 73% and Barclays on 68%. At the bottom of the table are Metro on 52%, Natwest on 53% and Santander on 54%.

Comments: (8)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 31 January, 2019, 17:41Be the first to give this comment the thumbs up 0 likes

What will happen to third-party PFM apps like Money Dashboard if the culprit banks implement 2FA via, say, Mobile OTP? Will the PFM app still work? If it stops working, will consumer advocates praise the said banks for improving security for implementing 2FA? Or will they diss them for being anti-competitive by blocking access to the PFM, the way AmEx is getting panned for blocking access to Curve?

Hitesh Thakkar
Hitesh Thakkar - FIS Payments Software and Services India - India 01 February, 2019, 14:52Be the first to give this comment the thumbs up 0 likes

2FA using Mobile OTP is common implementation where as here emphasis in this post seems to be inlcined towards Biometric authentication (Fujitsu UK which is leader in palm vein biometric authentication :))

Ofcourse, Face and Voice based authentication can be explored as second factor rather than good old OTP.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 01 February, 2019, 15:21Be the first to give this comment the thumbs up 0 likes

Even if Face or Voice is used as the second factor for 2FA, PFM access would get disabled. My comment remains. 

Maximiliaan Van De Poll
Maximiliaan Van De Poll - Cybernetica - Tallinn 13 February, 2019, 09:39Be the first to give this comment the thumbs up 0 likes

Biometrics is certainly an option, but there are also cryptographic solutions with higher levels of assurance available. One thing always worth noting on this topic is that OTPs are not 2FA (they're 2SV) and should be avoided, as they're effectively the next worst thing after just a password. 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 13 February, 2019, 12:50Be the first to give this comment the thumbs up 0 likes

Mobile OTP is listed as a 2FA technique by Google Snippet, Wiki and at least one more top search result. Besides, it's used widely by many leading websites as a way of providing 2FA.

So, while I'm no fan of Mobile OTP and I might even consider it to be worse than password, I respectfully disagree with the notion that Mobile OTP is not 2FA. Of course, it is.

In any case, this has nothing to do with Mobile OTP but any type of 2FA technique.

My basic question bears repeating: If a PFM stops working because a few banks have implemented 2FA, will consumer advocates praise the said banks for improving security by implementing 2FA OR will they diss the said banks for being anti-competitive by blocking access to the PFM?

Maximiliaan Van De Poll
Maximiliaan Van De Poll - Cybernetica - Tallinn 13 February, 2019, 13:10Be the first to give this comment the thumbs up 0 likes

2FA refers to two identity factors being used, while OTPs use only factor, twice. Happy to debate it, but of course, what it's called isn't the point, though it is in the interest of service providers to refer to OTPs as 2FA, because it sounds better.

With regards to PFM - what is more imporant? Protecting your money, or managing it? If the concern that necessary security will drive customers away, then it's worth considering customers having their data and money stolen are likely to leave much faster. 

 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 13 February, 2019, 18:02Be the first to give this comment the thumbs up 0 likes

Uh oh, I think I understand the source of confusion. I mentioned in an earlier comment about Face or Voice being used as the second factor for 2FA. I meant Mobile OTP in the same vein. Implicit is that Password is used as the first factor. Without that, even Biometrics will only be one factor and won't qualify to be 2FA.

Maximiliaan Van De Poll
Maximiliaan Van De Poll - Cybernetica - Tallinn 14 February, 2019, 06:401 like 1 like

Yes, you're right, Ketharaman, my misunderstanding. 

 

Register now for FICO Fintech Collections Forum!

Trending Stories

Featured Job
All Jobs »
London, UK

Sales Director, Private Equity Solutions (London, UK)

Competitive base, double ote, benefits, stock options

22 Jul