How safe is your banking app?
Convenient, easy to use and in your pocket - mobile banking apps have made everyday banking more accessible than ever for millions of us, but how safe is your banking app?
More than 29,000 cases of remote banking fraud were reported to UK Finance in the first half of 2022, with scammers gaining access to bank accounts via internet, telephone or mobile banking and making an unauthorised transfer of money from the account.
It’s a boom time for app-based banking, as more and more local bank branches close. And apps should be the more secure option: compared with websites, fewer viruses and malware are created to attack apps.
And if you’re worried about phone theft, most mobile banking apps don't store your bank details on your phone but instead access them from a secure data centre, meaning your mobile itself should never hold your personal bank information.
But the latest research from the consumer group Which? found that basic security flaws on some of the biggest banks’ apps are putting us at increased risk of falling victim to fraud.
How safe is your banking app?
The consumer group tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies.
It scored the banks in four key categories:
- login
- navigation and logout
- account management
- encryption
Banks were marked down for issues such as: not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages - the least secure approach - and failing to log customers out after five minutes of inactivity.
Points were also lost for allowing simultaneous access to accounts from multiple web browsers or IP addresses, without flagging it as a potential cyber-attack, and for sending customers notifications that include a phone number or web link.
The latter can be a gift to scammers who often replicate texts and emails to trick people into calling them or entering their details on a fake website.
Sam Richardson, Which? money deputy editor, said: "Our latest tests found several banks were missing important online and app protections, which could leave consumers worryingly exposed to unscrupulous fraudsters."
Bad news for TSB and Virgin customers
The lowest-scoring app in the tests belongs to Virgin Money.
Red Maple Technologies found six outdated Virgin Money web applications which had potential vulnerabilities. The bank noted minor vulnerabilities on three and said these will be corrected.
Which? also claims Virgin Money didn’t adequately block insecure passwords and remove phone numbers from notifications. Worryingly, there were no security checks to pay someone new, change an email address or edit the details of a payee.
The TSB app scored second lowest and was criticised for still asking basic security questions such as ‘name your favourite food’ to recover login details. It also failed to block insecure passwords and only requires a minimum of six characters - while longer passwords are more secure.
TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications. TSB said it is reviewing alerts and password complexity as part of its digital strategy. The bank told Which? it has now removed phone numbers from all SMS alerts, except for one which is due to be removed in February.
You can find the full list of the most and least secure banking apps on the Which? website.
Banking app security tips from the experts
Concerned? It’s understandable if you are. But it’s important to remember banking apps are still one of the more secure ways you can access your banking information. And there are several straightforward steps you can take to ensure your app is as secure as possible.
Amir Tarighat, digital privacy expert and CEO of cyber-security company Agency, recommends five steps you can take to keep your banking app secure:
- Turn on 2FA. Easy access to your accounts through mobile banking apps can take the headache out of managing your finances. But with easy access comes increased risk. One of the best ways to secure your accounts is to enable two-factor or multi-factor authentication. Even if your device is lost, stolen, or otherwise compromised, turning on this additional security measure ensures that no one else will be able to log into your accounts.
- Update your operating system. Make sure the operating systems and individual banking apps on your mobile devices are up to date. Most software updates are meant to address security vulnerabilities that leave the door open to hackers. If you're running on an out-of-date system, cybercriminals can access your devices to plant malware and steal your personal data, so you should routinely check for available updates.
- Avoid WiFi hotspots. If your WiFi network isn’t secure, hackers can hijack your session and log in as you, leaving your accounts up for grabs. Using banking apps in hotels, bars, airports, or anywhere else with public WiFi could leave you vulnerable to cyberattacks, so wait until you’re connected to a network you trust to access your bank account.
- Check your exposure. If you’re worried that your banking app has already been exposed, you can check which of your accounts might be compromised by using Agency’s free Dark Web Report.
- Brush up on the most common scams. Scammers are persistent, but they’re not terribly original. Research the most common scams that appear every year (misspelt URLs to fake sites, fake confirmation or delivery emails, gift card scams, and charity scams, just to name a few). Recognizing the hallmarks of these scams will help you protect your financial information when banking online.
Biometric security checks, like fingerprints or face scans, can also turn the tables on any would-be hacker or scammer. Gus Tomlinson, Chief Product Officer at GBG, the digital identity expert, also recommends setting up biometric security checks:
“Banking apps are designed to be secure but that doesn't mean that human error or fraudsters aren’t savvy enough to get through them.
“The biggest vulnerability comes from the user’s device, which is why implementing things like biometric security checks is key, and not just for banking but all uses of money.
“Another tip is to always have your phone linked to other devices. This means the moment you have lost it, or it has been stolen, it can be disabled. If this happens, make sure you inform your network provider and your bank so both can suspend your mobile banking immediately.”
Adam has been a personal finance and consumer journalist, editor and commentator for several years, working to save you money and protect you from scams.
His work has appeared in the HuffPost, Which?, i paper and This is Money, plus various TV and radio programmes, which include Rip Off Britain, 5 News, and Newsround, to name a few.
Adam was previously personal finance editor at MoneyWeek's sister site, The Money Edit, and before that he was the senior consumer rights editor at Which? He is currently senior editor at NerdWallet.
Adam has an LLB degree from the University of East Anglia. When he isn't working he's out walking his dog, or watching Norwich City yo-yo between leagues.