
UK High Street Banks Fail Tests on App and Online Security

TSB, the Co-operative Bank and Lloyds were called out for apparent security failings.

Major High Street banks have been told to “urgently address potential loopholes” in their mobile app and online security setups.

A report by consumer group Which? tested banking website and app security for login procedures, security ‘best practice’, account management and navigation and logout for 13 current account providers.

Named in particular were TSB, the Co-operative Bank and Lloyds. TSB was scored 54% for its mobile app security and 67% for its online security – the lowest and second-lowest scores respectively. Which? said the bank’s handling of sensitive data meant that it could be read by other apps running on the phone, while the app stores users’ credentials in a way which may make it more likely that other apps could access them.

Co-operative Bank was ranked bottom for online security, with a score of 61%, while its mobile app came second to last, with a score of 57%. Which? said the bank failed to require a two-factor authentication login on a test laptop, and did not block customers from setting weak passwords.

Researchers could also log in from two different IP addresses at the same time without the older session being terminated.

Lloyds was marked down for not logging out website users after five minutes of inactivity; however, the bank defended this, saying it makes transactions easier for vulnerable customers.

The three banks said fixes were due, that they are constantly reviewing and enhancing their security controls, and employ world-class experts in the cybersecurity field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.

William Wright, CEO of Closed Door Security, said being able to access user credentials in the TSB app was a ‘red flag’.

He said: “Mobile apps are notoriously insecure, especially when they come from unknown developers, who sometimes build security weaknesses into them to spy on and collect data. This means these dangerous apps could also be accessing people’s confidential financial information, which puts users at serious risk.”

Ryan McConechy, CTO of Barrier Networks, said that the research highlights that banks are not properly considering how the running of their websites and apps could be exposing users to cyber risks.

“From failing to enforce the adoption of strong passwords to exposing customers to text alert scams, these are security weaknesses you would expect to see in small businesses, not world-leading banks,” he said.

“The banks must address them as a priority because customers need confidence that their bank is doing everything it can to keep their money safe. Banks should not have loopholes in their services that aid cybercriminals and expose their customers to unnecessary risks.”

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
