TSB and Lloyds Bank customers who have online banking warned over 'loophole'

Banks have been told to address online security "loopholes" that could leave customers at risk. Which? assessed the apps and websites of 13 current account providers in January and February 2024, with help from computer security experts.

TSB was scored 54% by Which? for its mobile app security and 67% for its online security - the lowest and second-lowest scores respectively. Which? said the bank's handling of sensitive data meant that it could be read by other apps running on the phone.

The consumer group raised concerns that the app stores users' credentials in a way which may make it more likely that other apps could access them. TSB told Which? that the matter was under review and a fix will be "considered in the future".

TSB told Which?: "We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number." TSB said: "We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That's reflected in our high app store ratings."

Which? ranked the Co-operative Bank bottom in its study for online security, with a score of 61%. The Co-operative Bank said: "The security of our customers' accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.

"We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us."

A Lloyds Banking Group spokesperson said: "Helping to keep our customers' money and data safe is our priority and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats.

"We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility. Whilst written in the Payment Systems Regulator's regulation for secure customer authentication, Lloyds Banking Group has made the regulators aware that we would not enforce this on payments and logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction.

"Logons from new devices are verified through secondary verification to customers' registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices."

Sam Richardson, deputy editor of Which? Money, said: "With many people increasingly banking online or on their phones, it's crucial that the banks we trust with our money have security protections that are up to scratch. While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can't use loopholes to target innocent victims.

"With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across multiple government departments."