Banks are not doing enough to protect us from online fraud, according to the latest investigation into banking security published by consumer group Which? Money.
by Fred Heritage
Which? Money’s yearly rating of online and mobile banking services finds that many need improvement in several key areas. From failing to invest in the latest website protections, to neglecting basic security measures like stronger passwords, banks are putting their customers at risk of fraud.
Together with 6point6, an independent cybersecurity firm, Which? looked at the front-end online security of 15 popular UK current account providers. The banks were rated on encryption and protection, login security, account management and navigation.
Some fared far worse than others. Metro Bank, for example, received the lowest overall result for online security, with a score of just 53%. The bank’s login, navigation, and logout security are rated particularly badly, and Which? found potential weaknesses in subdomains of Metro Bank’s website that could allow hackers to compromise the server, the group said in a press release.
Similar subdomain issues were found with high street lenders First Direct and Lloyds. First Direct, according to the press release, addressed the issue “as soon as Which? reported it”, while Lloyds said its subdomain was being decommissioned and didn’t pose a security risk.
Growing pains
Rates of internet banking fraud increased by 97% in the first half of 2021, according to the Which? press release, as criminals continuously looked for new and sophisticated ways to target potential victims.
It’s not just a UK issue. Recent statistics from LexisNexis Risk Solutions show that North American banks are becoming just as susceptible to online fraud risks as their UK counterparts. In its latest study on the True Cost of Fraud, LexisNexis finds that monthly fraud attacks on banks earning more than US$10m in annual revenue spiked in 2021, increasing from an average of 1,977 in 2020 to 2,320 in 2021, according to an article in Banking Exchange.
The study, which surveyed 1,118 risk and fraud executives in retail and ecommerce firms in both the US and Canada, shows that fraud is now costing banks more. For every dollar lost to fraud in 2021, US financial services firms experienced US$4 in costs, up from US$3.64 just as the pandemic began in 2020 – a 7.1% rise, according to the Banking Exchange article.
It says that the rise in fraud costs for banks can be attributed to the pandemic pushing more customers online, and into digital transactions. “As people rely on their smartphones, the surge was greater on mobile channels,” it says.
According to the article, online banking accounted for 33% of the cost of fraud to US banks in 2021, up from 26% in 2020. Meanwhile, “mobile transactions accounted for 29% of costs, up from 20%” the previous year. “Banks noted that identity verification was a top challenge for online and mobile channels at all stages of the customer journey,” it adds.
Creative criminals
Increasingly, fraudsters are focusing their activity on authorised push payment (APP) fraud – a type of online fraud whereby bank customers are duped into authorising payments to accounts controlled by the criminal.
UK Finance, a trade association for the UK banking sector, finds in its latest Half year fraud update report that APP fraud losses increased 71% in the first half of 2021, surpassing the amount of money stolen via credit and debit card fraud for the first time in the UK. “Using tactics such as scam phone calls, text messages and emails, as well as fake websites and social media posts, criminals seek to trick people into handing over personal details and passwords,” the report’s authors write. “This information is then used to target victims and convince them to authorise payments.”
Whatever guise it appears in, the extent of online fraud around the world is now so great that it can be considered a threat to national and international security. UK Finance has said the problem is becoming too big for banks to deal with themselves, and that in the future, tackling online fraud will require a coordinated approach from across all sectors.