This Investigation into Online Bank Security has some Important Advice 

• Consumer organisation has had to pivot cover online bank security
• The latest report looks at the robustness of banking apps
• Golden rules tell what you can do to beat the scammers
• Scammers are also moving into… Stamps?

The British consumer organisation Which? Has been around since the 1950s. As its very name suggests, its primary functions for most of its first six decades were product testing – of the ‘what are the ten best washing machines on the high street’ variety – and advising shoppers on things like their right to refunds on faulty goods.

But just lately Which? has found itself concentrating more and more on fraud – such as online bank security – and teaching consumers how to beat it.

This development in itself tells us something striking about just how gigantic a problem scams have become for ordinary people. But I was also struck by something about their latest publication – and how it reveals the extraordinary range and variety of the problems that are out there now.

First though, a recap of its investigation into the online security standards of the biggest banks in the UK.

What the banks were doing wrong

Their investigative reporters looked at four key areas –

1. best security practices
2. log in protocols
3. account management
4. navigation and log out

And gave them each scores for robustness.

The good news was that overall the banks performed pretty well, though there were areas for concern. For instance TSB was found to be improperly handling sensitive data which meant that it could be read by other apps running on a user’s phone. Or Co-operative Bank was criticised for not demanding two-factor authentication when a user logged in from a new laptop for the first time. While Lloyds – despite generally performing well – was rapped for failing to log users out automatically when they had been idle for more than five minutes.

You can see the full details and – if you have one in the UK – check your own bank’s performance here:  best and worst banks for online and mobile security

But, for me, the most interesting part of their report was not the detailed micro criticisms of individual banks but their more general advice on staying safe when using online banking. Because this is the point at which so much fraud is committed: so many phishing scams, so many muggings, and so much online crime generally. It all occurs in relation to access to and transfers from a victim’s online bank account.

The six golden rules for online bank security

Here’s TMT ID’s take on their suggestions of how to protect yourself – these cannot be repeated enough:

1. Protect your mobile. As I’ve written before, losing your phone is as bad as losing your password. Have a PIN that is unique to your SIM. Install a find-your-phone function. Disable preview notifications so that, for example, an SMS-sent OTP won’t show up on a locked phone screen
2. Always keep your phone and your bank cards separate. I despair when I see people use their phones like a wallet with cards attached! When a thief has both in his hands his job is instantly much easier
3. Make sure your phone or other device is up-to-date on upgrades and has anti-virus protection
4. Choose unique rather than repeated passwords and make them complex. Use an app to store them if you are worried about forgetting – and keep access to that account completely secure
5. Don’t let your online social life be a weak point – so keep personal info out of the public domain. Don’t post your D.O.B. on your socials for example. Or your mother’s maiden name – or any of that verification stuff. And don’t accept friend requests or open messages from people you don’t know.
6. If you are suspicious that you may have been targeted, act quickly: contact your bank, check your transitions, and freeze your cards. It’s better to be inconvenienced than fleeced.

So that was the biggest take-home recently from Which’s pivot from consumer champion to consumer fraud protector. But there was another completely different story they also covered recently which made an intriguing contrast.

Digital…analogue – the scammers don’t care

And this was the surge in the circulation of counterfeit postal stamps. The sudden prevalence of millions of fake stamps came to light when ordinary people started getting fined for receiving post that hadn’t been paid for – despite having apparently legitimate stamps attached to them. This received a good deal of press coverage, I’m guessing because it was simply such a novelty scam.

But what I found intriguing about the episode was the stark contrast between this scam and warnings about online banking. Because what could be more non-digital, more analogue, more retro, than a traditional postage stamp? It’s at the very opposite end of the tech scale from logging into your bank account via your phone while on the dash. It’s positively old-fashioned.

But the fraudsters don’t care – they’re as happy to sell you a bunch of fake first-class stamps as they are to phish your personal details so they can hack your bank account. And – surprise, surprise – people who have been ripped off by fake stamps have often in the process been directed to fake websites designed to steal their personal data. Double bubble for the scammers. These guys really will rip you off in any way you can think of – and often in ways that won’t have occurred to you.

All of which means – as Which?’s recent output confirms – that the smart, contemporary consumer has to be in a state of constant awareness and suspicion on all fronts to avoid being ripped off.