Online banking security: the best and worst banks for safety


Updated on 03 February 2022

Here's how all the major banks compare when it comes to online security features.

The number of people who bank online has risen dramatically in recent years.

According to figures from the Office for National Statistics in 2020, more than three quarters (76%) of people across the UK use the internet in order to bank, an enormous jump from the 30% found back in 2007.

It’s third only to email and finding goods and services in terms of our most common activities online, and has been pointed to as a driver in the decisions by banks across the country to start closing branches.

The numbers comfortable with banking online will likely only have increased since then as a result of the pandemic. 

But there remain concerns over just how safe it is to handle your banking matters on the move.

Now consumer site Which? has run the rule over the online banking systems served up by the nation’s big names to see just how safe they are to use.

What makes a secure online banking service?

Which? looked at a handful of important features when assessing the security served up by the online banking on offer.

The first feature is the login ‒ the information you need to enter in order to gain access to the account details.

A big selling point here is two-factor authentication, which is where having the username and password isn’t enough ‒ you’ll also need to enter some other form of single-use code that is generated on your connected device.

The simple fact is that setting a complicated password isn’t enough, and banks are being pushed towards beefing up the level of authentication needed in order to log into an account.

However, there are evidently still quite a few lagging behind on this front.

Another factor assessed by Which? was the level of encryption, which is where the data is scrambled so that nobody other than you or your bank can read it.

It checked whether best-practice security headers were being utilised, and also whether there were any areas open to hackers. 

Next up was account management and the sort of checks in place before you can add ‒ and start making payments to ‒ another account.

While banks were praised if they sent notifications to flag up any potentially suspicious activity on your account, they were marked down if these messages included a phone number or link to a login page, since that is so similar to the sort of model employed by scammers.

And finally Which? looked at the navigation and logouts from the account.

A bank’s score took a hit if it allowed you to log in from multiple browsers or computers at the same time, or if it permitted you to move backwards and forwards within the browser without needing to sign in again.

How the banks performed

Here’s how the banks tested by Which? shaped up in these various elements (scored out of five), the weighting of each of these categories, and their overall score, as a percentage.

| Bank | Login (30%) | Encryption (40%) | Account management (15%) | Navigation and logout (15%) | Overall test score |
|---|---|---|---|---|---|
| HSBC | 4/5 | 5/5 | 5/5 | 4/5 | 81% |
| NatWest/RBS | 3/5 | 5/5 | 4/5 | 5/5 | 75% |
| Barclays | 4/5 | 5/5 | 4/5 | 2/5 | 73% |
| Santander | 4/5 | 5/5 | 3/5 | 3/5 | 72% |
| Starling Bank | 3/5 | 5/5 | 4/5 | 3/5 | 72% |
| Lloyds/Halifax/Bank of Scotland | 4/5 | 4/5 | 5/5 | 3/5 | 69% |
| Co-operative Bank | 3/5 | 5/5 | 4/5 | 2/5 | 69% |
| Nationwide | 4/5 | 4/5 | 5/5 | 2/5 | 69% |
| first direct | 4/5 | 4/5 | 5/5 | 2/5 | 67% |
| Triodos Bank | 2/5 | 5/5 | 3/5 | 2/5 | 63% |
| TSB | 3/5 | 4/5 | 2/5 | 4/5 | 59% |
| Virgin Money | 4/5 | 3/5 | 2/5 | 3/5 | 56% |
| Metro Bank | 2/5 | 4/5 | 3/5 | 2/5 | 53% |


HSBC stood out as the only bank to gain full marks for both encryption and account management and attracted praise for its cypher strength, which meets the highest encryption standards.

While first direct ‒ part of the HSBC family ‒ enjoys much of the same infrastructure, it was marked down when the tests identified an exposed subdomain (computing.which.co.uk) which could potentially be open to attack from hackers. This has now been fixed.

The setting of passwords also threw up some surprising results.

Triodos Bank for example was criticised for allowing users to set insecure passwords, like ‘password’ and ‘1234567’.

Other banks dropped points because they allow users to include their first or surname in a password, including HSBC, NatWest and Virgin Money.
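
As an added illustration (not code from Which? or from any bank), here is a sketch of the kind of check that would stop both problems: it rejects common passwords and passwords containing the customer's first name or surname, even when letters are swapped for look-alike characters. The short denylist, the minimum length and the function names are assumptions made up for this example.

```python
import unicodedata

# Constructed sample denylist; a real deployment would load a large
# breached-password list instead of these few entries.
COMMON_PASSWORDS = {"password", "1234567", "12345678", "qwerty", "letmein"}

# Look-alike substitutions undone before comparison (assumption: this
# mapping is illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 10  # hypothetical policy value


def normalise(text):
    """Lower-case, strip accents and undo simple substitutions."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.casefold().translate(LEET)


def check_password(password, first_name, surname):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    # Compare the plain lower-cased form and the de-substituted form,
    # so that '1234567' and 'P@ssw0rd' are each caught.
    norm = normalise(password)
    if {password.casefold(), norm} & COMMON_PASSWORDS:
        problems.append("common password")

    for label, name in (("first name", first_name), ("surname", surname)):
        needle = normalise(name)
        # Very short names are skipped to avoid rejecting on chance matches.
        if len(needle) >= 3 and needle in norm:
            problems.append(f"contains {label}")
    return problems
```
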

Which? also investigated the mobile banking apps on offer to see how secure they are. First direct stood out from the crowd, amassing a score of 77%, picking up five stars for both encryption and account management.

By contrast, Monzo was the worst-performing banking app by some distance, as the only provider which does not require users to log in each time.

Monzo was also marked down because of its requirement for users to enter their PIN in order to authenticate certain changes, rather than calling for app-specific passcodes.

What do you want from your bank account?

There are a host of different reasons for picking a bank account, from the interest rate on offer for credit balances, to how it handles overdrafts.

But clearly putting at least some time into researching just how secure a bank’s online processes are is vitally important too. 

There’s no point making the most of an account paying cashback on your bills if somebody else gets to enjoy the money rather than you!
