TSB fails to fully roll out extra online security 10 months after deadline

TSB still hasn’t rolled out extra online banking security for all customers 10 months after deadline as it comes second-bottom for online security

  • The bank ranked second bottom for online security in new research by Which? 
  • This was largely due to its failure to roll out two-factor authentication 
  • Banks had been required by the regulator to introduce this by 14 March 2020 but it has still yet to do so – and also relies on unsecured text message passcodes 

TSB is still yet to introduce a security measure for all online banking customers nearly a year on from a deadline set by regulators, an investigation has found, while it also relies on unsecure text message codes to allow customers access to their account.

The bank, which has touted its pledge to refund all victims of fraud, is leaving customers’ accounts open to attacks from cyber criminals by failing to fully introduce two-factor authentication on its online banking services, the consumer group Which? found.

This is despite the fact the Financial Conduct Authority asked banks to introduce two-factor authentication by 14 March last year, a deadline which had already been extended by six months, under rules known as Secure Customer Authorisation.

TSB came under fire for failing to roll out extra online banking security 10 months after the deadline set by regulators – although all mobile customers are now covered

The rules mean those logging into online or mobile banking have needed to enter a second form of authentication to protect their account, usually through a code sent to a mobile or landline phone, an authenticator app or through biometric identification like a fingerprint or facial scan.

They are designed to protect customers from having their bank account accessed by criminals. Such remote banking fraud cost victims £79.7million in the first half of 2020, with losses rising by a fifth, according to the latest figures from trade body UK Finance.

Internet banking fraud accounted for four-fifths of the money lost. 

The absence of two-factor authentication meant the bank finished second bottom after Tesco Bank in rankings compiled by Which? and the IT firm 6point6, with a score of 51 per cent. It scored two out of five when it came to login security, which accounted for 30 per cent of the overall score.

‘Our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised’, Which? Magazine editor Harry Rose said.

‘The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.’

The new rules require online and mobile banking logins to be authorised with a second layer of authentication - such as a text passcode or an authenticator app

The new rules require online and mobile banking logins to be authorised with a second layer of authentication – such as a text passcode or an authenticator app  

While the Financial Conduct Authority said banks facing further delays rolling out SCA due to coronavirus could apply for an extension on a case-by-case basis, it refused to comment to Which? on whether it would take action against TSB for the delays.

The bank said all mobile banking customers benefited from two-factor authentication, but that it was still in the process of being rolled out to users of online banking. 

It said it was staggering two-factor authentication enrolment in order to manage the impact on its customer services.

TSB's lack of login security saw it come second bottom in Which?'s rankings

TSB’s lack of login security saw it come second bottom in Which?’s rankings 

This is Money has also learned the bank primarily uses text message codes to authorise users’ logins, which is often seen as one of the least secure methods of providing passwords. 

It does also allow one-time passcodes to be sent to a work or home landline phone.

Guidance from the National Cyber Security Centre most recently updated in August states ‘text messages are not the most secure type of two-factor authentication’ and says authenticator apps ‘offer lots of advantages over text messages’.

Text messages are not the most secure type of two-factor authentication

National Cyber Security Centre, August 2020

Which? ranked banks’ logins out of five based on how easy it was to access accounts, providing top marks to those which required customers to use a card reader or a mobile banking app to login.

Meanwhile guidance published in November 2019, after SCA was originally supposed to be rolled out by Britain’s biggest banks, said text messages were ‘never intended to be used to transmit high risk content’ and featured ‘a number of inherent weaknesses’, and as a result alternatives like push notifications should be considered.

Which? added it viewed text message passcodes ‘as the least secure way to authenticate customers’.

The Financial Conduct Authority’s own guidance states banks are expected ‘to develop solutions that work for all groups of consumers’ and ‘may need to provide several different methods of authentication, including ones that do not rely on mobile phones’.

The bank said in a statement: ‘Providing customers with safe and secure banking is a priority and we continue to invest in strengthening online and mobile protection for customers. 

‘We are the only bank that offers a guarantee to refund all innocent victims of fraud – including those who lose money to online scams.’