Online banks servicing UK's SMBs found to have 'serious' security flaws

TSB and Virgin Money were both ranked bottom of a study examining security practices at leading UK banks

Some of the largest online banks in the UK have been found to have "worrying" security vulnerabilities in their products, leaving the UK businesses they service, and their customers, at risk of cyber attacks.

TSB and Virgin Money, both of which offer business current accounts for SMBs across the country, were found to have serious security issues that could put customers at risk, researchers said.

Researchers at Red Maple Technologies, working on behalf of Which?, raised “several concerns” over TSB security practices in particular, revealing that the bank still asks “basic security questions” to recover login details.

In addition, Red Maple said it found a potentially vulnerable subdomain and two outdated web applications, which could place customers at risk. However, the bank confirmed that the vulnerable subdomain will be removed.

“[TSB] also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications,” researchers said.  

A spokesperson for TSB told the consumer group that it is continuing to invest in online and mobile banking services and work with “globally-leading tech firms to deliver both security and accessibility” to customers.  

“TSB also tracks well across the industry on fraud prevention,” the spokesperson added.

The researchers examined the cyber defences of 13 current account providers to rate their online and mobile banking security. 

Virgin Money received the lowest score for online and app banking, according to Red Maple's analysis.  

The security firm found six outdated web applications, an exposed IP address, and a subdomain using an outdated version of TLS.

Of the six outdated web apps, three contained minor security vulnerabilities, researchers revealed. 

Small business security concerns 

Red Maple’s research on banking security comes amidst a period rife with escalating security risks for small businesses across the UK.  

Research from Close Brothers last year found that around half of UK-based SMBs have suffered a cyber attack, with 54% suffering a financial loss.

Ransomware attacks were highlighted as the most common attack method among SMBs, followed by phishing attacks.

Among those that suffered a cyber attack, the study found that two-thirds have been subjected to increased incidents in the weeks and months following.

Jasson Casey, CTO at Beyond Identity, said the research from Red Maple is concerning, and highlights vulnerabilities which are frequently targeted by threat actors.  

“It’s worrying to see this latest report from Which? which has marked banks down on multiple security measures, including failing to block weak passwords, sending one-time passcodes and sensitive data via SMS,” he said.  

“It’s about time these organisations woke up and fixed their major vulnerabilities. Threat actors are constantly taking advantage of outdated security measures that make it easy, and inexpensive to breach systems.” 

More broadly, the financial services sector has also been subjected to growing threats in recent years. Recent research from Imperva found that the volume of cyber threats directed towards the financial services and insurance industry (FSI) has grown rapidly over the course of 2022.  

Imperva’s research found that across 2022, more than a quarter of all cyber attacks (28%) hit FSI businesses, double that of the next most-targeted sector.  

Top-rated banks for security 

Red Maple research noted that a number of leading UK banks boast robust security measures and safety for users.  

Starling, which provides one of the UK’s most popular business current accounts, was ranked top for security.  

The rapidly-growing challenger bank was followed closely by HSBC, NatWest, and Lloyds – all of which had strong security measures to protect customers. 
