Online banking security: our research

How Which? tests online bank security


Our latest test of online banking security involved 12 volunteers, each banking with a different bank or building society.  They logged in to their bank account using a computer we set up for the test, and performed a range of tasks. 

Our security experts assessed the banks' customer-facing security measures using the following methods:

  • observation – they watched our volunteers complete the set tasks and noted what security measures were in place
  • a keylogger (a device that criminals use to covertly record your keystrokes) to see how much log-in information could be captured
  • a proxy that recorded the data transmitted from the test computer to the banks' servers.

Our experts then analysed how vulnerable our volunteers' security details were to attack.  

We weren't able to test how good banks are at spotting fraud and reimbursing customers – both of these play an important role in protecting your money when you bank online. 

Assessing banking website security

We looked at how good security was for each of the following:

  • login
  • browsing to another site
  • setting up a new payee and making a transfer
  • changing address
  • changing password
  • logging out.

We generated an overall weighted percentage score by scoring each factor out of five and applying a weighting according to the factor's importance.  

What we were looking for in our online banking test

Login 

  • Whether our volunteers had to enter full or partial security details (such as the first, third and fifth digits).
  • Whether our volunteers had to use a 'token' for login, such as a card reader that requires you to use your debit card and Pin to generate a one-off login code.
  • If our volunteers made a mistake entering their login details, whether the bank asked for the same parts of their login details during subsequent login attempts. This is more secure than asking for different parts of the login details.
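To make the last point concrete, here is an added example (not code from Which? or from any bank) of a partial-credential login check that keeps asking for the same character positions until a login succeeds, beside a weaker variant that rotates the positions after every failed attempt. The secret `tr0ubador`, the class and function names, and the "wrong answer" used to simulate mistyping are all constructed for the example; the helper counts how many distinct positions a keystroke-recording device would have seen after a run of failures, which is the difference the bullet above describes.

```python
"""Partial-credential challenge that keeps the same positions across failed
attempts (added example, not a bank's implementation)."""
import secrets


class PartialSecretChallenge:
    """Asks for a few positions of a memorable word and verifies only those."""

    def __init__(self, secret: str, ask: int = 3, rotate_on_failure: bool = False):
        self.secret = secret                  # bank-held secret (constructed sample, ASCII only)
        self.ask = ask                        # how many positions to request per login
        self.rotate_on_failure = rotate_on_failure  # True models the weaker behaviour
        self._positions = None                # 0-based indices currently being asked for
        self._rng = secrets.SystemRandom()    # CSPRNG for choosing positions

    def challenge(self):
        """Return the 1-based positions the customer must type."""
        if self._positions is None:
            self._positions = sorted(self._rng.sample(range(len(self.secret)), self.ask))
        return [p + 1 for p in self._positions]

    def verify(self, answers):
        """Compare the supplied characters with the requested positions.
        Only a successful login (or the weak variant) picks new positions."""
        if self._positions is None:
            raise RuntimeError("issue a challenge before verifying")
        expected = "".join(self.secret[p] for p in self._positions)
        supplied = "".join(answers)
        ok = len(supplied) == len(expected) and secrets.compare_digest(supplied, expected)
        if ok or self.rotate_on_failure:
            self._positions = None
        return ok


def positions_exposed_after_failures(gate: PartialSecretChallenge, failures: int) -> int:
    """Count the distinct secret positions a keystroke observer would have seen
    if the customer mistyped `failures` times in a row (defensive measurement)."""
    seen = set()
    for _ in range(failures):
        seen.update(gate.challenge())
        gate.verify(["?"] * gate.ask)  # a wrong answer; "?" is not in the sample secret
    return len(seen)
```

With the fixed-position behaviour the count stays at the number of positions requested however many times the customer mistypes; with rotation it climbs towards the full length of the secret.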

Browsing to another site

  • Whether it was possible to browse to another site while logged in and then return to the online banking session.
  • Whether it was possible to use the back and forward buttons without being logged out.

High-risk tasks

  • Whether additional security measures, such as reconfirming login details or authentication using a chip-and-Pin card reader or mobile, were required for setting up a new payee, making a transfer, and changing address and password.

Logout security

  • Whether banks had good logout procedures including positive confirmation of logout and a list of transactions performed.