Online banking security risks revealed
Which? Computing exposes big differences in banks
27 August 2009
Some of Britain’s biggest banks appear to be leaving their customers’ online bank accounts vulnerable to identity fraud because of poor security, says Which? Computing.
Online bank accounts at Abbey and Halifax have weaker visible security measures in place than some of their rivals, while Barclays’ security is excellent, say Which? Computing experts.
Halifax has one of the least secure log-in procedures of the ten online banks we looked at. It asks for three pieces of information to confirm a customer’s identity. Because each entry is typed in full, the information is vulnerable to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting passwords.
Online fraud
Keylogging software is blamed for online banking fraud more than doubling in 2008. Online banking fraud soared to £52.5m last year, up from £22.6m in 2007, according to the UK Payments Administration.
In contrast, Barclays and Lloyds TSB ask customers to use drop-down menus. Simply using menus rather than the keyboard stops keyloggers from quickly capturing passwords. Barclays customers who forget their PINsentry device (a handheld device that randomly generates new codes) must enter a five-digit passcode and two characters from a memorable word.
Browsing to another site can be unsafe with some accounts. Customers of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out if they browse, which means someone else could take over the session, leaving accounts vulnerable if accessed on a shared computer.
Money transfers
Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter any amount they want.
Which? Computing Editor Sarah Kidner says: 'There are surprisingly big differences between big banks’ visible online security systems. Some simple measures, like the use of drop-down menus, could improve safety considerably. The banks may say it’s the hidden security measures that count, but to have real confidence in an online account, customers need to see security in place.'
The visible security measures rated
Barclays: Excellent.
First Direct, Lloyds TSB, Nationwide, NatWest, RBS: Good.
Alliance & Leicester, HSBC: Average.
Abbey, Halifax: Poor.
