<p>Some UK banks are letting their customers down with poor authentication and web security, according to a consumer rights group. Which? once again teamed up with independent security consultants 6point6 to appraise the “front-end” security of 15 current account providers, looking at four criteria: encryption and protection, login, account management and navigation.</p>
<p>Many UK banks adopted SMS-based one-time codes as a way to comply with the EU Payment Services Directive (PSD2). Unfortunately, this happened at a time when the cyber security industry was moving away from this type of multi-factor authentication because of SIM swapping and other weaknesses, so a poor security review is not really surprising. What is surprising is how many people think it is OK to ignore password security altogether and pin their hopes on multi-factor authentication when a weak password is one of those factors. That effectively reduces multi-factor authentication back down to single-factor.</p>
<p>Contrary to perception, passwords can be used in a relatively secure way, so if they are used they should be kept secure – or they should not be used at all. The reality is that a “complex” password is not a “secure” password: just because it contains a number and an exclamation mark doesn’t mean it hasn’t been phished, leaked online or reused 10,000 times, which is where the real-world problems arise. These risks can be mitigated but typically aren’t.</p>
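<p>As an added example (not code from the article, Which? or 6point6), the following Python shows the distinction above in practice: a password that passes a typical complexity rule is still checked against a leaked-password set using a k-anonymity prefix lookup, the approach used by public breach-check services, simulated here against a small constructed sample set rather than a real corpus.</p>

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (assumption: illustrative only,
# a real deployment would query a full leaked-password dataset).
LEAKED_PASSWORDS = {"P@ssw0rd1!", "Summer2023!", "Welcome1!", "letmein"}


def build_range_index(passwords):
    """Server-side index: 5-hex-char SHA-1 prefix -> set of 35-char suffixes."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_query(prefix):
    """Simulated k-anonymity range endpoint: only the prefix ever leaves the client,
    so the server learns neither the password nor its full hash."""
    return RANGE_INDEX.get(prefix, set())


def is_complex(password):
    """A typical 'complexity' rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def is_leaked(password):
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def evaluate(password):
    """Complexity alone does not make a password acceptable; leaked status does."""
    complex_ok = is_complex(password)
    leaked = is_leaked(password)
    return {"complex": complex_ok, "leaked": leaked,
            "acceptable": complex_ok and not leaked}
```

A password such as `P@ssw0rd1!` satisfies the complexity rule yet is rejected because it is in the leaked set, which is exactly the gap the paragraph describes.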