Pressure on UK banking CISOs to address security flaws impacting consumers

CISOs in the UK banking industry have their work cut out to address key security inadequacies impacting consumers, three new pieces of research suggest. A study from consumer goods and services testing company Which? tested the customer-facing security systems of 13 leading UK banks, revealing that basic security flaws on websites and apps are putting consumers at increased risk of falling victim to fraud. Meanwhile, findings from Imperva discovered that Open Banking – now implemented by six of the largest UK banking providers – has contributed to making UK banks and financial services an increased target for cybercriminals. Upon this backdrop, data from NTT DATA UK&I highlighted a significant lack of trust among UK consumers, with the vast majority doubting Open Banking’s ability to keep their financial data secure.

UK’s biggest banks risk exposing consumers with insecure practices

Independent cybersecurity specialists Red Maple Technologies, on behalf of Which?, tested more than a dozen of the UK’s biggest banks across four key security categories from September to November 2022. These were login, navigation and logout, account management, and encryption for both online banking security and app security. Banks were marked down for things like not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, and failing to log customers out after five minutes of inactivity, Red Maple Technologies wrote in a press release. “They also lost points for allowing access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyberattack, and for sending customers notifications that include a phone number or web link,” the firm added.

Of the 13 banks studied, Virgin Money got the lowest total security scores for both online (52%) and app (54%) banking, Red Maple Technologies stated. “Virgin Money’s poorest scores for online banking were in the navigation and logout and account management categories.” The bank received two stars out of five for both areas, as well as for the encryption on its app.

The research found six outdated Virgin Money web applications which had potential vulnerabilities, whilst the company did not adequately block insecure passwords and remove phone numbers from notifications. “Worryingly, there were no security checks to pay someone new, change an email address, or edit the details of a payee,” Red Maple Technologies wrote.

Nationwide scored the next lowest score (63%) for its online security, although it fared better in relation to its score for mobile app security (67%, seventh place). TSB placed third lowest for online security (66%) and second lowest for app security (57%). “It [TSB] still asks basic security questions such as ‘name your favourite food’ to recover login details,” Red Maple Technologies said. “It also failed to block insecure passwords and only requires six characters – banks should encourage much longer passwords.” TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made, and including phone numbers in new-payee notifications, the firm added.

Starling came out on top for online banking security (82%), with its app also scoring well (80%). HSBC performed well too, placing closely behind Starling with a score of 80% for online banking while its app had the highest score of 82%.

Open Banking driving API security risks

Imperva threat research published last month stated that financial services companies were targeted by 28% of all cyberattacks on UK businesses over the course of 2022, driven by digital transformation and regulation such as Open Banking. Application Programming Interface (API) abuse, DDoS attacks, and bad bots were the three of the biggest cybersecurity challenges for the industry, Imperva wrote in a blog.

“Since 2018, Open Banking has required banks and other financial businesses to allow third-party providers access to customers’ banking data through APIs, dramatically increasing the amount of sensitive financial data they exchange,” Imperva added. Open Banking and digital transformation have significantly increased the number of APIs in use in the financial services industry.

The growing risk associated with API-related security threats should be particularly concerning for the financial services industry, as APIs are the invisible connective tissue that enables applications to share data and talk to each other, the firm claimed. “A common API-related security threat we track is API violations, which are calls that don’t align with the intended definition of the API,” it wrote. “Shadow APIs are APIs that are undocumented and not maintained by normal IT management and security processes. A shadow API presents a massive security risk when they’re not maintained and offer attackers a vector to access the rest of the network.” Attackers have increasingly targeted APIs as a pathway to the underlying infrastructure to exfiltrate sensitive information, with one in every 13 cyber incidents estimated to be related to API insecurity, Imperva stated.

UK consumers don’t trust Open Banking to keep data secure

UK consumers do not trust Open Banking to keep their financial data secure, according to new findings from NTT DATA UK&I. Of a representative sample of 1,000 UK respondents, 84% stated that they do not trust that Open Banking was safe, with consumers cautious about how their data is used by third-party providers. What’s more, 10% of those polled believe that Open Banking allows third parties to access their financial data without consent. Just 7% of respondents said that they think Open Banking makes finance more secure.

“Open Banking is undoubtedly a fantastic initiative. However, as our research shows, consumers are still not embracing open banking because they don’t fully trust it,” commented Andy Nelson, head of banking and financial markets at NTT DATA UK&I. “As an industry, we need to work together to provide the necessary education to earn consumers’ trust.”

CISOs face challenges in addressing key banking security issues

CISOs in the UK banking and financial services sector face several challenges in addressing some of the key the security issues highlighted above. “The sheer complexity of a traditional banks’ IT network often has legacy mainframes and minicomputers at the core of its infrastructure that run the main banking applications,” Rob Stemp, CEO of Red Maple Technologies, tells CSO. “With the advent of internet banking, UK banks have had to adapt quickly to bring traditionally in-branch services to the web and then to mobile applications.”

The mainframes and minicomputers are from several generations before the modern internet, and it has been difficult for banks to integrate legacy technology with this new world of internet banking services, he adds. “Now, banks are looking to embrace the cloud to move core services onto the hyperscalers. These seismic shifts in technology have left a lot of UK banks struggling to keep up. Modern internet/cloud first banks, as we have seen in the Which? report, were not encumbered with complex legacy infrastructure and were able to embrace modern web technologies from the outset. With the majority if not all the high street banks being predicted to close by 2027, the work of the CISO will be a busy one for the foreseeable future.”