Banking security put to the test: could your bank be doing more to stop fraud?
The latest banking security investigation from Which? Money shows that too many banks are neglecting basic housekeeping, potentially leaving their customers at risk of fraud.
With cases of internet banking fraud in the UK up 97% to almost 42,000 in the first half of 2021, and losses hitting a record £108.9m, criminals are still managing to breach banks’ defences.
All of the apps and websites we tested are safe enough to use – and banks regularly test their systems for vulnerabilities – but we use our annual banking security investigation to hold the banking industry to the highest standards.
We were concerned to find that some banks aren’t using the latest protections for their websites, while others are still allowing customers to set insecure passwords. We also found a gulf between the best and worst mobile banking apps.
How we rated banks
Every bank and building society has behind-the-scenes security processes – it isn’t possible for us to test these legally, but with help from independent security experts 6point6, we’ve analysed the front-end security of 15 current account providers.
We rated them on four main criteria:
Our full table of results can be found in our guide to online and mobile banking security.
HSBC tops security rankings
HSBC came top in our online banking security tests with a score of 81%.
It was the only bank to score five stars in our analysis for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards. The stronger the cipher suites a site supports, the harder it is for a cybercriminal to decrypt intercepted traffic.
HSBC’s subsidiary First Direct has similar protections, but its score was dragged down because 6point6 identified an exposed subdomain (for example, computing.which.co.uk is a subdomain of which.co.uk). This could allow hackers to launch a brute force attack, though First Direct remedied this as soon as we reported it.
There were also issues with ‘session management’ because we could log in to our test account from two different computer networks, and we stayed logged in when we switched to a different website, used the back button and refreshed the page. All sessions time out after five minutes of inactivity, but other banks ask you to log in again, which is more secure.
A spokesperson for HSBC UK and First Direct said: ‘We deploy advanced cybersecurity controls and identify and respond to threats in a timely manner to ensure a seamless customer experience. We take on board customer feedback and are constantly reviewing and enhancing security measures.’
How your bank checks it’s really you
All banks must now carry out extra checks known as ‘strong customer authentication’ to verify your identity. As part of these checks some banks send security codes by SMS, but we want them to stop doing so because messages can be hijacked by cybercriminals through Sim-swap attacks.
Lloyds, Metro, Nationwide, Santander, The Co-operative Bank and TSB all dropped points for this in our tests (though Santander and The Co-operative Bank told us that they’re looking to move away from SMS).
We were shocked to find that Triodos lets customers set insecure security words, including ‘password’, ‘1234567’ and ‘admin’. The risk is mitigated by two-factor authentication at login (using its physical ‘Digipass’ device), but there is no excuse for a bank to allow such weak credentials.
Six banks (HSBC, NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money) let you choose passwords that include your first name and/or surname. Santander told us this is being phased out and NatWest and Virgin Money said they might increase password limitations after our investigation.
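The weak credentials described above (blocklisted words, all-digit sequences, and passwords containing the customer's name) are exactly what a registration form should reject. The validator below is an added example written for this article, not any bank's code; the blocklist, minimum length and sample customer names are constructed assumptions.

```python
import re

# Constructed blocklist of the weak values named in the article; a real
# deployment would use a much larger list of breached and common passwords.
BLOCKED_WORDS = {"password", "1234567", "admin"}
MIN_LENGTH = 8  # assumed policy minimum


def _contains_name(candidate: str, names: list[str]) -> bool:
    """True if any customer name of 3+ characters appears inside the candidate."""
    lowered = candidate.lower()
    return any(len(n) >= 3 and n.lower() in lowered for n in names)


def _has_sequence(candidate: str, run: int = 4) -> bool:
    """True if the candidate contains `run` consecutive ascending characters (e.g. 1234, abcd)."""
    codes = [ord(c) for c in candidate.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if all(window[j + 1] - window[j] == 1 for j in range(run - 1)):
            return True
    return False


def check_security_word(candidate: str, first_name: str, surname: str) -> list[str]:
    """Return the list of policy violations; an empty list means the word is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BLOCKED_WORDS:
        problems.append("on the blocklist of common passwords")
    if candidate.isdigit():
        problems.append("digits only")
    if _has_sequence(candidate):
        problems.append("contains a sequential run of characters")
    if re.fullmatch(r"(.)\1*", candidate):
        problems.append("single repeated character")
    if _contains_name(candidate, [first_name, surname]):
        problems.append("contains the customer's first name or surname")
    return problems


if __name__ == "__main__":
    # Constructed customer and the article's own weak examples.
    for word in ("password", "1234567", "admin", "Smith2021!", "correct-horse-battery"):
        print(word, "->", check_security_word(word, "Alice", "Smith") or "accepted")
```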
Paying someone new should always require additional checks – in case a scammer has broken through the first layer of defence – but Virgin Money let us add and pay a new payee without stepping up security. Even worse, we could edit the account details of any existing payee. Virgin Money said this is ‘by design’, but no other bank permits this and we think it’s unnecessary.
Is your bank vulnerable to attacks?
We asked the experts at 6point6 to scan the internet for exposed bank subdomains, including those that should be restricted to ‘approved’ computers – for example, an internal website used by employees.
As with First Direct, they found vulnerable subdomains of both Metro Bank and Lloyds. Lloyds told us this is a legacy subdomain in the process of being decommissioned and ‘poses no security risk’. But 6point6 said it could be compromised and should be disabled.
Metro Bank – which received the lowest score for online banking security – was found to be missing two important security headers. HTTP response headers tell the web browser which protections to enforce, strengthening its defences.
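The article does not name the two headers Metro Bank was missing, so the audit below is an added example of how a site owner can check their own login page's response headers, not 6point6's tooling or criteria; the list of recommended headers and the sample response are my assumptions.

```python
import re

# Assumed set of commonly recommended browser security headers and what each does.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on repeat visits (HSTS)",
    "content-security-policy": "restricts where scripts and other content may load from",
    "x-frame-options": "refuses to be framed, blocking clickjacking",
    "x-content-type-options": "stops MIME-type sniffing",
    "referrer-policy": "limits URL leakage to third parties",
}

ONE_YEAR = 31536000  # seconds; a widely used minimum for HSTS max-age


def audit_security_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return {'missing': [...], 'weak': [...]} for one HTTP response's headers.

    Header names are compared case-insensitively, as HTTP requires."""
    present = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in EXPECTED_HEADERS if h not in present]
    weak = []
    hsts = present.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            weak.append("strict-transport-security: max-age shorter than one year")
    xcto = present.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        weak.append("x-content-type-options: value is not 'nosniff'")
    xfo = present.get("x-frame-options", "")
    if xfo and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: value is neither DENY nor SAMEORIGIN")
    return {"missing": missing, "weak": weak}


# Constructed sample response headers standing in for a bank's login page.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    report = audit_security_headers(SAMPLE_HEADERS)
    for name in report["missing"]:
        print(f"MISSING {name}: {EXPECTED_HEADERS[name]}")
    for issue in report["weak"]:
        print(f"WEAK    {issue}")
```

The same function can be pointed at the headers returned by any HTTP client library for a live page you operate.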
It told us: ‘We take our customers’ security extremely seriously and have a range of safeguards in place across all channels to help defend them against fraud… we are continually evaluating and evolving our controls to prevent fraud.’
How mobile banking apps fared
First Direct was top for mobile banking security with a score of 77%, earning five stars for encryption and account management.
Monzo was the lowest-scoring app we tested by some margin. It’s the only provider that doesn’t ask you to log in every time. It told us this is a ‘conscious design decision to strike a balance between risk and customer experience’.
Although an attacker would need to pass extra security checks to perform any actions which carry a level of risk, we don’t agree that this is the right approach for a bank.
We also marked Monzo down for asking users to enter their debit card Pins to authenticate sensitive changes. While it does block three consecutive incorrect Pin attempts, after which it requires a selfie video and photo ID to proceed, we prefer banks to ask for app-specific passcodes.
Lloyds, Nationwide, Santander, and TSB also dropped points because online and mobile banking require the same login credentials.
The full investigation appeared in the January 2022 issue of Which? Money magazine. Try Which? Money to have our impartial, jargon-free insight delivered to your door every month.