Banks should deliver the very highest standards in cybersecurity but we've found some providers are being left behind.
With help from a team of independent security experts at Red Maple Technologies, we looked for potential holes in the defences of 13 current account providers, to rate their online and mobile banking security.
Hacking into a bank account is no mean feat. Although millions of us bank online, just 29,102 cases of remote banking fraud were recorded in the first six months of last year, which includes victims tricked into handing over login details.
However, our investigation found several banks missing basic online and app protections. Read on to see which banks excelled and which caused us concerns.
Although all banks and building societies have behind-the-scenes systems that we couldn’t test, we assessed their online and mobile banking security across four key categories: login; encryption; account management; and navigation and logout.
Banks were marked down for not adequately blocking weak passwords and falling back on SMS-based security, which is vulnerable to Sim-swap attacks. Nationwide, NatWest, Santander, The Co-operative Bank and TSB all dropped points in this year's analysis for using SMS to verify customers at login.
We delved into the software used by banks and tested if they have best-practice security headers that help keep your web browser secure and block threats such as clickjacking.
We looked at whether bank websites and apps support outdated versions of Transport Layer Security (TLS) or use weak ciphers. And we searched for website domains or subdomains that shouldn’t be accessible on the internet or that use outdated software, as this can potentially allow attackers to exploit unsolved security issues.
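The security-header check described above can be reproduced offline against a captured HTTP response. The following is an added example and not the article's or Red Maple's own tooling: it inspects a dictionary of response headers for the content security policy, clickjacking (framing) protections and HTTPS enforcement headers that a best-practice site should send. The two sample responses are constructed for illustration and do not represent any bank named on the page.

```python
"""Offline audit of browser security headers for a captured HTTP response.

Added example; the header names and directives are real and widely
documented, but the sample responses below are constructed, not captured
from any bank.
"""


def _hsts_ok(value):
    # HSTS only helps if max-age is present and long (at least one year here).
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):]) >= 31536000
            except ValueError:
                return False
    return False


# Header name -> predicate that decides whether its value is acceptable.
EXPECTED = {
    "content-security-policy": lambda v: "default-src" in v or "frame-ancestors" in v,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, acceptable in EXPECTED.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif not acceptable(lower[name]):
            findings.append(f"weak {name}: {lower[name]!r}")
    # Clickjacking is only blocked if the page restricts framing through
    # X-Frame-Options or the CSP frame-ancestors directive.
    has_frame_ancestors = "frame-ancestors" in lower.get("content-security-policy", "")
    if "x-frame-options" not in lower and not has_frame_ancestors:
        findings.append("clickjacking: no framing restriction "
                        "(X-Frame-Options or CSP frame-ancestors)")
    return findings


# Constructed sample responses (not from any real bank).
GOOD_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=0",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(response) or ["no findings"])
```

In practice the header dictionary would come from the response to a request for the bank's login page; the checks themselves do not need network access, which makes them easy to run against archived responses.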
Starling came out top for online banking, although its (also high-scoring) mobile app is key to security – it's used to authorise online logins and provides instant alerts of any sensitive activity.
Account changes can only be made from a device that has been through stringent checks and requires a ‘selfie video’ that matches your existing identification videos and documents, although we would prefer Starling to send notifications when email addresses and phone numbers are changed.
You can ‘untrust’ devices via Starling’s app at any time. The bank told us it uses industry-standard methods to detect rooted (ie more vulnerable) devices, but we were able to bypass these protections in our test.
We also think the passcode should be longer, as it’s only four digits, whereas many banks require at least six. And while Starling does check for common passwords, it didn’t stop us using a pattern or sequence of numbers.
Starling is also a Which? Recommended Provider of current accounts.
Our top scorer for online banking security last year, HSBC has performed excellently again this year.
Unlike its subsidiary, First Direct, HSBC has ditched weak security questions for recovering login data, and you no longer need a password to log in to the website. Instead, you have a username and an OTP generated via the Secure Key device on the HSBC app.
HSBC supports the latest encryption standards for both its app and website although, like First Direct, it's missing the content security policy header. Red Maple also highlighted an insecure HSBC Student website and two web applications that shouldn’t be exposed online.
We had several concerns when it came to TSB. It still asks basic security questions, such as ‘name your favourite food’, to recover login details.
TSB also failed to block insecure passwords and only requires six characters – banks should encourage longer phrases.
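The weak-password problems raised for Starling (a four-digit passcode, and number patterns or sequences accepted despite a common-password check) and for TSB (insecure passwords accepted at only six characters) come down to the same set of checks. The block below is an added example of such a policy, not any bank's implementation: it flags short passwords, a small constructed list of common passwords (a real deployment would use a breached-password list), ascending or descending sequences, repeated units such as 1111 or 121212, and keyboard walks such as qwerty. The length thresholds (12 characters, 6 digits) are assumptions for illustration.

```python
"""Password and passcode policy checks of the kind the article says banks should apply.

Added example, not any bank's code. COMMON_PASSWORDS is a constructed stand-in
for a real breached-password list.
"""

COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_sequence(s):
    """True if every character steps by +1 or -1 from the last (1234, 4321, abcd)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _is_repeated(s):
    """True if s is one short unit repeated (1111, 121212, abab)."""
    for unit in range(1, len(s) // 2 + 1):
        if len(s) % unit == 0 and s[:unit] * (len(s) // unit) == s:
            return True
    return False


def _keyboard_walk(s):
    """True if s contains four adjacent keyboard-row keys in either direction."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            chunk = row[i:i + 4]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def password_problems(pw, min_len=12):
    """Return the reasons a website password should be rejected (empty list = accept)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if _is_sequence(pw):
        problems.append("simple sequence")
    if _is_repeated(pw):
        problems.append("repeated pattern")
    if _keyboard_walk(pw):
        problems.append("keyboard walk")
    return problems


def passcode_problems(code, min_digits=6):
    """Same checks for a numeric app passcode, where the weak choices are sequences and repeats."""
    problems = []
    if not code.isdigit():
        problems.append("not numeric")
    if len(code) < min_digits:
        problems.append(f"shorter than {min_digits} digits")
    if _is_sequence(code):
        problems.append("simple sequence")
    if _is_repeated(code):
        problems.append("repeated pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Tr0ub4dor&3-correct-horse"):
        print(candidate, password_problems(candidate) or ["accepted"])
    for candidate in ("1234", "1111", "482917"):
        print(candidate, passcode_problems(candidate) or ["accepted"])
```

The point of separating the checks is that a common-password list on its own catches "123456" but not "135791" or "2468"; the sequence and repetition checks are what close the gap the article observed.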
Red Maple found a potentially vulnerable subdomain (the bank said this will be removed in 2023) and two outdated web applications. TSB told us it uses industry-standard software to detect analysis tools, but its app didn’t exit – a requirement to get a top score – when we used ours.
It also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications.
TSB is also reviewing alerts and password complexity as part of its digital strategy. Following our research, it removed phone numbers from all SMS alerts, except for one which is due to be removed this month.
A spokesperson for TSB, said: 'We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.'
Virgin Money got the lowest scores for online and app banking.
Red Maple found six outdated web applications (the bank noted minor vulnerabilities on three and said these will be corrected), an exposed IP address – which is under review – and a subdomain using an outdated version of TLS (we were told this should be addressed in early 2023).
The app didn’t appear to detect our analysis tool or a rooted phone, although the bank said it uses internal controls to protect customers.
We want it to block insecure passwords and remove phone numbers in notifications; Virgin Money said both are an ‘agreed position that balances security with customer experience’.
Unusually, there were no security checks to pay someone new, change an email address or edit the details of a payee, though it does send notifications for changes to personal details and passwords.
A spokesperson for Virgin Money said: ‘The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.’
Ciphers Instructions for encrypting and decrypting data.
Clickjacking When a user is tricked into clicking on unseen parts of a webpage.
Domain/subdomain Different parts of a website. For example, computing.which.co.uk is a subdomain of the which.co.uk domain.
IP address Used to identify computers when connected to a network or the internet.
Multi-factor authentication (MFA) Identity checks using at least two of three factors: ‘inherence’ (eg fingerprint, face or voice recognition); ‘possession’ (a device that you own); or ‘knowledge’ (your passwords, Pin, etc).
One-time passcode (OTP) Unique, temporary security code, often generated by a physical device such as a card reader or mobile app.
Security headers These protect against a range of cyberattacks by telling your browser how to behave when it communicates with the website.
Transport Layer Security (TLS) The protocol that scrambles (encrypts) communication between your browser or app and the bank, so only you and your bank can read it.
Banks need to address vulnerabilities in their security – but their greatest vulnerability could be you.
Here's how you can stop criminals in their tracks:
If you receive unexpected emails, texts, WhatsApp or any other type of message, don't click on the hyperlinks they contain.
Criminals posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.
Don't download attachments or call phone numbers either. If you need to get in touch with your bank, call it on a trusted number, such as the one on your debit card.
Protect your devices by downloading antivirus software on your computer, phone and any other devices you have.
It's also important to download and install the latest updates for the device itself. Updates contain security patches for new vulnerabilities, so don't use an out-of-date device.
Go into the settings to ensure your phone auto-locks after a short period of inactivity.
While you're in there, disable lock screen notifications, to prevent criminals seeing incoming texts, which could include bank codes for accessing your account.
You can also add a Pin to your Sim card, to prevent it being accessed.
Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank.
Only accept friend requests from people you know.
This will prevent anyone else accessing it. You should also avoid banking on unsecured wireless networks or public computers.
If you do use a public computer, never leave it unattended and always log out when you're finished.