Three UK banks are failing to prevent the possible theft of online customers' identity, an online security company has warned.
First Direct says it is improving its web site security this week
Heise Security says they have failed to make their banking websites more secure against "phishing" attacks.
In September, Heise showed how the sites of six banks could be "spoofed" so that criminals could steal details of their users' identities.
Cahoot, Bank of Scotland and First Direct say they are fixing the problem.
Heise first revealed the potential problems in September.
It showed that it was possible for a fake or spoofed page to be inserted onto the web sites of six online banks, with no chance of ordinary customers being able to detect that anything was wrong.
"These security issues have been known for years," said Mr Henning.
"They should have been tied up a long time ago."
The flaws could have lead to customers typing in their security details which would then be collected by the fraudsters.
Since then the Bank of Ireland has changed its site so this can no longer happen, and so has LINK, the cash machine network firm.
NatWest has also taken some steps.
First Direct promised to correct the problem very soon.
Rob Skinner, spokesman for First Direct - part of the HSBC group - said the bank had been testing its website security rigorously since the problem was first revealed.
"We are updating our security this week to address this matter," he said.
"There are no cases of anyone actually doing this."
A similar response has come from the other two banks pinpointed by the research, although they argued that the security risk was slight.
A Cahoot spokeswoman, Morag Fleming said: "Cahoot is aware of the theoretical risk of which Heise has reported.
"We have been working on eliminating any potential risk from spoof framing and will have a permanent fix in place shortly."
Jason Clarke, a spokesman for the Bank of Scotland, said: "We do not believe the issue identified constitutes a significant risk to the vast majority of customers.
"However, we have taken steps to resolve the matter in the interests of maintaining the highest levels of security.
"Work on the BoS site and should be complete no later than next week," he added.
Last month a report on fraud against online banks claimed that so-called "phishing" attacks had risen by 800% in the year to August.
It said that month there were 1,484 such incidents among UK online bank customers.
The report, published by Apacs, suggested that of the 15.7 million people who regularly operate their current, savings and credit card accounts over the internet, only half a million - nearly 4% - would respond to unsolicited emails asking them to divulge their security details.
But 35% recorded their password or security information in writing or somewhere near their computer.
And nearly two thirds never change their password, while one in five use the same password for other websites as well as their online bank accounts.