Online banking security Compare online banking security
This article, Online banking security, was last updated on 15 September 2011 and is now out of date and held in our online archive for reference.
Two thirds of Which? members access their bank online every week. But while many of us now take our bank’s online security for granted, our investigation revealed significant differences between the protection levels that each bank offers against computer fraud – with some of the biggest high street names ranking among the worst when it comes to protecting their customers' cash and details.
Online banking security rated
The table below shows how each bank performed for the main factors we tested. The more stars the better.
|Bank|Login error|Change address|Set up new payee|Change password|Browse to another site (a)|Logout security|Overall score|
|Norwich & Peterborough BS| | | | | | |35%|
- Login error: How well your details are protected against a keylogger if you are asked to re-enter your security details after making an initial error.
- Change of address: The level of protection offered when you change address.
- Set up new payee: Whether there is extra protection for setting up a new payee and how good that protection is.
- Change password: The level of protection provided when you change your password.
- Browse to another site: We rated banks excellent if they prevent you browsing to another site and log you out when you use the back and forward buttons.
- Logout security: Quality of logout protection, including whether a list of your transactions is displayed.
- Overall score: An overall weighted percentage score for all the factors in our test.

- With the exception of NatWest/RBS, the same scores apply to the forward/back button test
- NatWest/RBS scores one star for the forward/back button test
- We tested this service in June 2011. Changes have been made since.
Banks rated 'good' for online security
Nationwide BS 69%
Verdict: Nationwide had the best website on test, with good login security and logout performance. It provides users with a card reader that's required for setting up a new payee and can be used for login, though this is optional.
A card reader is a hand-held device into which you insert your debit card and type your Pin. It provides an additional layer of security by allowing the bank to confirm that it's you who is signing on and authorising the transactions.
Card readers help prevent fraudsters:
- signing on and transferring money out of your account
- using a keylogger to record your personal details
- intercepting your transactions and making changes to them.
Nationwide has potentially excellent security for setting up new payees, but was let down by the ambiguity of instructions to users. The number generated by the card reader is derived from the account number you wish to pay, but there are no instructions to users explaining this. A fraudster could substitute their account number into the submission to the bank and the user could then unwittingly authorise the transaction to the wrong account. A quick fix would make this site even better.
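The payee binding described above can be sketched as follows. This is an added example, not Nationwide's or any card reader's actual algorithm: an HMAC stands in for the reader's code generation, and `reader_code`, `bank_accepts`, the key, the counter and the account numbers are all constructed for illustration.

```python
import hashlib
import hmac


def reader_code(card_key: bytes, payee_account: str, counter: int) -> str:
    """Code shown by the (hypothetical) reader after the user keys in digits.

    The code depends on the digits typed into the reader, so it is only
    valid for a payment to that account.
    """
    msg = f"{counter}:{payee_account}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_accepts(card_key: bytes, submitted_account: str,
                 counter: int, code: str) -> bool:
    """Server side: recompute the code over the account in the submission."""
    expected = reader_code(card_key, submitted_account, counter)
    return hmac.compare_digest(expected, code)


# Constructed sample values (assumptions, not real accounts or keys).
CARD_KEY = b"constructed-demo-key"
INTENDED = "12345678"      # account the user means to pay
SUBSTITUTED = "87654321"   # account swapped into the submission
COUNTER = 7


def scenarios():
    """Return the outcome of the three cases the paragraph distinguishes."""
    code = reader_code(CARD_KEY, INTENDED, COUNTER)
    return {
        # User keyed the intended account, submission unchanged: accepted.
        "honest": bank_accepts(CARD_KEY, INTENDED, COUNTER, code),
        # Submission altered after the code was generated: rejected.
        "swapped_after": bank_accepts(CARD_KEY, SUBSTITUTED, COUNTER, code),
        # User keyed whatever digits the page showed, not knowing they are
        # the payee account: the code now authorises the substituted payee.
        "user_unaware": bank_accepts(
            CARD_KEY, SUBSTITUTED, COUNTER,
            reader_code(CARD_KEY, SUBSTITUTED, COUNTER)),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: accepted={accepted}")
```

The third case is why the missing instructions matter: the binding only protects a user who knows to compare the digits they key into the reader with the account they intend to pay.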
Nationwide provides a free download of Rapport software (this provides additional security protection against malicious software and is designed to be used in addition to your usual firewall and anti-virus software).
Verdict: NatWest/RBS provides a card reader, but this isn't required for login. Login security was reasonable. It was let down because, rather than asking for the same parts of the Pin and password when a login error is made, it asks for different digits and letters, allowing a keylogger to capture more elements of the login details.
However, the security for password changes and for setting up and making a payment to a new payee were excellent. Address change security was good and users were unable to browse to another site while remaining logged in. Logout security was also reasonable. It provides users with a free download of Rapport software.
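The login-error weakness described above, and the fix of asking for the same parts again, can be shown with a small model. This is an added example, not any bank's code: `ChallengeIssuer`, `exposed_positions`, the sample secret and the modelled typo are assumptions made for illustration.

```python
import secrets


class ChallengeIssuer:
    """Asks for k characters of a secret by position (partial-credential login)."""

    def __init__(self, pin_positions, rng=None):
        self.pin_positions = pin_positions      # True: reuse positions until success
        self._rng = rng or secrets.SystemRandom()
        self._pending = {}                      # user -> positions still unanswered

    def challenge(self, user, secret_len, k=3):
        if self.pin_positions and user in self._pending:
            return self._pending[user]          # same question after an error
        positions = tuple(sorted(self._rng.sample(range(secret_len), k)))
        self._pending[user] = positions
        return positions

    def verify(self, user, secret, answer):
        positions = self._pending.get(user)
        if positions is None:
            return False
        expected = "".join(secret[i] for i in positions)
        ok = secrets.compare_digest(expected.encode(), answer.encode())
        if ok:
            del self._pending[user]             # fresh positions only after success
        return ok


def exposed_positions(issuer, user, secret, failed_attempts):
    """Positions whose correct character is typed (and so logged) during one login."""
    learned = set()
    for attempt in range(failed_attempts + 1):
        positions = issuer.challenge(user, len(secret))
        typed = [secret[i] for i in positions]
        if attempt < failed_attempts:
            typed[-1] = "?"                     # modelled typo in the last character
        learned.update(p for p, c in zip(positions, typed) if c == secret[p])
        issuer.verify(user, secret, "".join(typed))
    return learned


if __name__ == "__main__":
    secret = "k7Tq2mZx"                         # constructed sample secret
    for pinned in (False, True):
        issuer = ChallengeIssuer(pin_positions=pinned)
        seen = exposed_positions(issuer, "alice", secret, failed_attempts=2)
        print(f"pin_positions={pinned}: {len(seen)} characters exposed")
```

With pinned positions the exposure from one login never exceeds the three characters asked for, however many errors are made; with fresh positions after each error it grows with every retry.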
Verdict: Customers must use a card reader to get full access to online banking. The 'PinSentry' device generates a unique login code and provides excellent protection against keyloggers. But Barclays does have weak logout security and allows customers to browse to other sites and use the forward and back buttons without logging them out.
We like the fact, however, that customers can choose to log in to a basic version of the website without the PinSentry, giving access to less risky tasks such as balance and transaction checks.
The Co-operative bank 59%
Verdict: The Co-operative Bank offers a mixed bag when it comes to security. Login security was weak, but the new-payee security was excellent, requiring the use of a card reader to confirm the user's identity. Address change and password security were good too.
Along with First Direct and Smile, it stands out as one of a minority of brands that correctly handled both the forward/back and browse-away tests. However, it scored badly for logout security. It provides a free download of Rapport software.
Verdict: With two exceptions, HSBC security was very good. Like many of the others on test, it was weak on forward/back and browse-away tests but it also scored badly for address changes. Worryingly, it allows a change of address to be made online without asking for reconfirmation of login identity. This is slightly mitigated by the fact that HSBC is now rolling out its Secure Key device to all online users, but this still doesn't provide 100% protection.
The Secure Key is similar to a card reader in that it provides an additional layer of security, allowing HSBC to confirm that it's you who is signing on. But unlike a card reader, it works with just your Pin, meaning you don't need to insert your debit card. HSBC requires users who have been supplied with a Secure Key to use it for login.
HSBC provides users with a free download of Rapport software.
Clydesdale Bank 56%
Verdict: Clydesdale Bank is one of four banks on test that don't provide customers with a card reader or other such security device, making it weaker in this respect than some of the others. But of those that don't supply a security device, it was the most secure for login and setting up a new payee.
It suffers from forward/back and browse-away issues, and it doesn't provide transaction information on logout so you can't check that the transaction list is as you'd expect it to be. Clydesdale Bank provides a free download of Rapport software.
Banks rated 'satisfactory' for online security
First Direct 54%
Verdict: First Direct, which doesn't provide customers with a card reader or other type of security device, provided an adequate login model but poor new-payee security, with no additional checks being made to confirm the user's identity when setting up a new payee and making a transfer.
Address and password changes, however, were well-handled. It was also one of the few banks to correctly handle the forward/back and browse-away tests. Logout security was adequate. First Direct provides its customers with a free download of Rapport software.
Lloyds TSB 54%
Verdict: Though better than its sister bank Halifax, the security measures in place are still below what you'd expect for such a big bank, meaning it just misses out on being in the 'good' category. Its login model is weaker than many others on test, and it was weak on logout security, too. But it has reasonable new-payment security using an automated phone call to the user to check their identity.
However, unless significant server or back-office protections are in place, this system could be considered relatively weak for a bank of its size.
Verdict: Unsurprisingly, Smile is similar to its parent brand, The Co-operative Bank. It scored badly for password and address changes, as it allows users to change these online without additional checks. As Smile is an internet bank, it makes sense that customers should be able to make these changes online, but we would have expected Smile to have required confirmatory re-login for these functions.
Like The Co-operative Bank, however, it does have excellent new-payee security, requiring a card reader to set up new payments. Smile offers a free download of Rapport software to its customers.
Banks rated 'poor' for online security
Verdict: Santander stands out as being the only provider to use fully typed login details, which can be easily captured by a keylogger. This is a big drawback and something we think should be changed.
Since we last tested, in 2009, it has introduced additional security for setting up a new payee, by way of an authorisation code sent to the user's mobile phone. This provides excellent protection but could be an inconvenience for users who aren't in an area with decent reception or who don't have a mobile. It provides a free download of Rapport software for its customers.
Verdict: For such a significant brand, security was surprisingly poor. Login security was weak – worse than Barclays' Basic access, which limits you to checking your balance and transactions and transferring money between your Barclays accounts. It was also poor for logout and it scored badly in the forward/back and browse-away tests. Payment security was relatively weak.
On the plus side, however, it scored highly for address changes, and reasonably well for password changes. It's one of the few brands not to require users to use a card reader or other similar security device for high-risk transactions.
Norwich & Peterborough BS 35%
Verdict: This was the smallest provider tested and its security was the weakest. It is one of only four brands that don't use any type of security device such as a card reader. Login security is weak and, like NatWest/RBS, it asks for different parts of the Pin and password when a login error is made, exposing it to keylogger risk. It scored badly for change of address and logout security and failed the forward/back and browse-away tests.