It has been reported that some UK banks are letting their customers down with poor authentication and web security issues, according to a consumer rights group. Which? once again teamed up with independent security consultants 6point6 to appraise the “front-end” security of 15 current account providers. It looked at four criteria: encryption and protection, login, account management and navigation.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>Many UK banks adopted TEXT/SMS based One-Time-Codes as a way to comply with the EU Payments Services Directive (PSD2). Unfortunately, this happened at a time that the cyber security industry was moving away from this type of multi-factor authentication due to SIM swapping and other weaknesses so, getting a poor security review is not really surprising. What is surprising is how many people think that is it ok to completely ignore password security and pin their hopes on multi-factor authentication when weak passwords are used as one of those factors. That effectively reduces multi-factor back down to single-factor.</p>
<p>Contrary to perception passwords can be used in a relatively secure way, so if they are used they should be kept secure – or they should not be used at all. The reality is that a “complex” password is not a “secure” password; just because it has a number and an exclamation mark doesn’t mean it hasn’t been phished, leaked online or reused 10,000 times, which is where the real-world problems arise. These risks can be mitigated but typically aren’t.</p>