How safe is your banking app?

More than 29,000 cases of remote banking fraud were reported to UK Finance in the first half of 2022, with scammers gaining access to bank accounts via internet, telephone or mobile banking and making an unauthorised transfer of money from the account.

It’s a boom time for app-based banking, as more and more local bank branches close. And apps should be the more secure option, unlike websites, fewer viruses and malware are created to attack apps.

And if you’re worried about phone theft, most mobile banking apps don't store your bank details on your phone but instead access them from a secure data centre, meaning your mobile itself should never hold your personal bank information.

But, the latest research from the consumer group Which?, found basic security flaws on some of the biggest banks’ apps are putting us at increased risk of falling victim to fraud. 

How safe is your banking app? 

The consumer group tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies. 

Scoring the banks in four key categories:

1. login
2. navigation and logout
3. account management
4. encryption

Banks were marked down for issues such as: not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages - the least secure approach - and failing to log customers out after five minutes of inactivity.

Points were also lost for allowing simultaneous access to accounts from multiple web browsers or IP addresses, without flagging it as a potential cyber-attack, and for sending customers notifications that include a phone number or web link. 

The latter can be a gift to scammers who often replicate texts and emails to trick people into calling them or entering their details on a fake website. 

Sam Richardson, Which? money deputy editor, said: "Our latest tests found several banks were missing important online and app protections, which could leave consumers worryingly exposed to unscrupulous fraudsters.

Bad news for TSB and Virgin customers

The lowest-scoring app in the tests belongs to Virgin Money.

Red Maple Technologies found six outdated Virgin Money web applications which had potential vulnerabilities. The bank noted minor vulnerabilities on three and said these will be corrected. 

Which? also claims Virgin Money didn’t adequately block insecure passwords and remove phone numbers from notifications. Worryingly, there were no security checks to pay someone new, change an email address or edit the details of a payee.

The TSB app scored second lowest and was criticised for still asking basic security questions such as ‘name your favourite food’ to recover login details. It also failed to block insecure passwords and only requires a minimum of six characters - while longer passwords are more secure. 

TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications. TSB said it is reviewing alerts and password complexity as part of its digital strategy. The bank told Which? it has now removed phone numbers from all SMS alerts, except for one which is due to be removed in February. 

You can find the full list of the most and least secure banking apps on the Which? Website. 

Banking app security tips from the experts

Concerned? It’s understandable if you are. But it’s important to remember banking apps are still one of the more secure ways you can access your banking information. And there are several straightforward steps you can take to ensure your app is as secure as possible.

Amir Tarighat, digital privacy expert and CEO of cyber-security company Agency recommends fives steps you can take to keep your banking app secure: 

1. Turn on 2FA. Easy access to your accounts through mobile banking apps can take the headache of managing your finances. But with easy access comes increased risk. One of the best ways to secure your accounts is to enable two-factor or multi-factor authentication. Even if your device is lost, stolen, or otherwise compromised, turning on this additional security measure ensures that no one else will be able to log into your accounts.
2. Update your operating system. Make sure the operating systems and individual banking apps on your mobile devices are up to date. Most software updates are meant to address security vulnerabilities that leave the door open to hackers. If you're running on an out-of-date system, cybercriminals can access your devices to plant malware and steal your personal data, so you should routinely check for available updates.
3. Avoid WiFi hotspots. If your WiFi network isn’t secure, hackers can hijack your session and log in as you, leaving your accounts up for grabs. Using banking apps in hotels, bars, airports, or anywhere else with public WiFi could leave you vulnerable to cyberattacks, so wait until you’re connected to a network you trust to access your bank account.
4. Check your exposure. If you’re worried that your banking app has already been exposed, you can check which of your accounts might be compromised by using Agency’s free Dark Web Report. 
5. Brush up on the most common scams. Scammers are persistent, but they’re not terribly original. Research the most common scams that appear every year (misspelt URLs to fake sites, fake confirmation or delivery emails, gift card scams, and charity scams, just to name a few.) Recognizing the hallmarks of these scams will help you protect your financial information when banking online.

Biometric security checks, like fingerprints or face scans, can also turn the tables on any would-be hacker or scammer. Gus Tomlinson, Chief Product Officer at GBG, the digital identity expert says also recommends setting up biometric security checks

“Banking apps are designed to be secure but that doesn't mean that human error or fraudsters aren’t savvy enough to get through them. 

“The biggest vulnerability comes from the user’s device, which is why implementing things like biometric security checks is key, and not just for banking but all uses of money. 

“Another tip is to always have your phone linked to other devices. This means the moment you have lost it, or it has been stolen, it can be disabled. If this happens, make sure you inform your network provider and your bank so both can suspend your mobile banking immediately. “