The banks with the best and worst online security revealed - see how HSBC, Virgin Money & TSB rank
and live on Freeview channel 276
The banks with the best online and app security have been revealed as research has found some bank chains miss basic protections to keep your money safe. If you bank with one of the major UK outlets you probably think your hard-earned cash is secure.
However, research carried out by Which? looked at the defences of 13 current account providers, to rate their online and mobile banking security. Worryingly, their investigation found several banks missing basic online and app protections which could help fraudsters access your account.
Although Which? couldn’t test the bank’s behind-the-scenes security system, they assessed their online and mobile banking security across four key categories: login; encryption; account management; and navigation and logout.
Banks were marked down for not adequately blocking weak passwords and falling back on SMS-based security, which is vulnerable to Sim-swap attacks. Nationwide, NatWest, Santander, The Co-operative Bank and TSB all dropped points in this year’s analysis for using SMS to verify customers at login.
Which? also delved into the software used by banks and tested if they have best-practice security headers that help keep your web browser security and block threats such as clickjacking. Bank websites and apps were also tested to see if they had websites or subdomains that shouldn’t be accessible on the internet as this could potentially allow attackers to exploit unsolved security issues.
Starling: Online 82%, App 80%
The research found that Starling came out on top for online banking, although its mobile app is key to security – it’s used to authorise online logins and provides instant alerts of any sensitive activity.
Starling account changes can only be made from a device that has been through stringent checks and requires a ‘selfie video’ that matches your existing identification videos and documents.
HSBC: Online 80%, App 82%
The top scorer for online banking security last year, HSBC has performed well again this year. Unlike its subsidiary, First Direct, HSBC has ditched weak security questions for recovering login data, and you no longer need a password to log in to the website. Instead, you have a username and an OTP generated via the Secure Key device on the HSBC app.
TSB: Online 66%, App 57%
Which? was concerned as TSB still asks basic security questions, such as ‘name your favourite food’, to recover login details. TSB also failed to block insecure passwords and only requires six characters – banks should encourage longer phrases.
A potentially vulnerable subdomain was also found (the bank said this will be removed in 2023) and two outdated web applications. TSB told Which? it uses industry-standard software to detect analysis tools but didn’t appear to notice Which? while it was carrying out its research.
A spokesperson for TSB, said: “We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”
Virgin Money: Online 52%, App 54%
Virgin Money got the lowest scores for online and app banking. Six outdated web applications were found (the bank noted minor vulnerabilities on three and said these will be corrected), an exposed IP address – which is under review – and a subdomain using an outdated version of TLS which is also being addressed by the bank.
The app didn’t appear to detect Which? ‘s analysis tool or a rooted phone, although the bank said it uses internal controls to protect customers.
There were also no security checks to pay someone new, change an email address or edit the details of a payee, though it does send notifications for changes to personal details and passwords.
A spokesperson for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”
Five tips to help you bank safely online
Here’s how you can stop criminals in their tracks, say Which?
1. Don’t click on links
If you receive unexpected emails, texts, WhatsApp or any other type of message, don’t click on the hyperlinks they contain.
Fraudsters posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.
Don’t download attachments or call phone numbers either. If you need to get in touch with your bank, call on a trusted number, such as the one on your debit card.
2. Use up-to-date security software
This means downloading antivirus software on your computer, phone and any other devices you have. It’s also important to download and install the latest updates for the device itself. Updates contain security patches for new vulnerabilities, so don’t use an out-of-date device.
3. Protect your mobile
Go into the settings to ensure your phone auto-locks after a short period of inactivity. While you’re in there, disable lock screen notifications, to prevent criminals from seeing incoming texts, which could include bank codes for accessing your account.
4. Check your privacy settings on social media
Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank. Only accept friend requests from people you know.
5. Replace default passwords on your home router
This will prevent anyone else from accessing it. You should also avoid banking on unsecured wireless networks or public computers. If you do use a public computer, never leave it unattended and always log out when you’re finished.