Santander and Halifax poor for online security Banks' online banking security falls short

19 August 2011

Banking security online

Two thirds of Which? members access their bank online every week. Are they safe?

A new Which? investigation has found problems with the online banking security offered by Britain's banks.

Online security concerns

Which? found significant security failings, with Santander and Halifax among the worst. Nationwide had the best overall level of security, despite only managing an overall score of 69%. Natwest/RBS and Barcalys performed well, while LLoyds TSB and First Direct were in the bottom half.  

Which? executive director Richard Lloyd says: 'With so many of us doing our banking online these days, it’s important that banks’ security is up to scratch. We were alarmed to find significant flaws in the online security of some of the UK's biggest banks.

'If you find you’ve been a victim of fraud, then contact your bank immediately. They can only refuse to refund you if they can prove you were negligent or you acted fraudulently. If your bank refuses a refund, you can take them to the Financial Ombudsman.'

What we were looking for

Which? experts assessed whether banks required you to use full or partial security details - full-typed details allow a keylogger to easily record your information - and whether its possible to browse to another site while staying logged in - which could put you at risk. 

Santander was the only bank in our test to ask for a full password, which could leave accounts vulnerable to keyloggers. The bank has since announced changes to its online banking servicey. Halifax scored poorly for logout security.You can read more about the trade-off between security and convenience on the Which? Conversation site, and this video gives some tips for keeping your details safe:


Please enable JavaScript to access this content.

Video transcript

Hello, I'm Martin Hocking and I'm here to help you protect yourself and your money against identity fraud. Now, losses from credit and debit card fraud reached £535 million in 2007. That was up 25% from on previous year. These statistics statistics are worrying, but there are some key steps you can take to decrease the chances of becoming a victim of the fraudsters.

You can start by examining your bank and credit card statements. carefully to check for any transactions that you don't recognize. Keep receipts from credit and debit card purchases, to help you do this. Report any fraudulent transactions you spot to your bank or card provider immediately. As fraudsters commit identity theft by stealing personal information about you.

To stop them getting their hands on your details from old documents, shred or rip up old bank statements , utility bills, receipts and anything showing your name and address before throwing it away. If you move house, you should also redirect your mail to your new address using Royal Mail's redirection service, for at least a year afterwards.

When you're picking passwords for financial websites,
avoid using information that could easily be
obtained by fraudsters
such as you mother's maiden name for example. A combination of letters and numbers is the most secure
form of password, but obviously choose something that you can
remember without having to write it down.

Now we are all doing a lot more shopping online these days. Very important to check the beginning of the address of a website is changing from the letters http to https when you're paying for something online and the image of a padlock lock will appear as well, usually at the top of the computer screen.

Check this happens when you're shopping on the internet to make sure your payment details are protected. You should also protect your computer with anti virus software and a firewall to prevent fraudsters accessing your hard drive. It is important to notify your bank or creditor provider as soon as possible, if your cards are stolen or have been lost.

You should also do this if you notice fraudulent or suspicious transactions on your statements. It's worth keeping a note of these relevant telephone numbers in you purse or wallet, it really takes the stress out of that situation. It means they're accessible even if you're away from home. Here's another one.

It sounds simple, but it's very important. Do not allow someone else to use your debit or credit card by giving them your PIN. This could be seen as acting without reasonable care by your bank, should any money be taken from you fraudulently and it couldn't make it that much harder to claim the money back.

For the same reason you should never record your pins or passwords in a way that would make accessible to fraudsters. And obviously never store them with your cards. The banking code says that you're not liable for more than £50 if your card is lost or stolen and then used fraudulently, but this does not apply if your bank can show that you acted without reasonable care.

And they would say writing your PIN down and sticking it in your wallet is not acting with reasonable care. Finally, if someone contacts you by phone or email or claiming to be from your bank or credit card company, don't give out any personal details without first making sure they are who they say they are for example, by phoning them back.

In reality, your bank will never ask you for your pin or password over the phone, they simply don't need that information. ones asking for it, they're almost certainly a fraudster.

They also checked whether additional security measures were in place for performing high-risk tasks, such as changing address and password details, and whether banks required users to enter their details in a special card reader which generated a one-off code. 

Top online security tips   

  • Regularly log in and check your statement for unusual transactions. If you spot anything unfamiliar immediately contact your bank. 
  • Avoid public computers for online banking, make sure your wifi-network is secure, and don't open emails from unknown sources as they may contain a virus 
  • Install the latest anti-virus and anti-spyware software, use an effective firewall, and ask your bank if they offer 'Rapport' software which can be used in addition to your usual software. 
  • Keep both your operating system (such as Windows) and your browser (such as Internet Explorer or Firefox) up to date and set your computer to install updates automatically. If you receive a suspicious email purporting to be from your bank forward it to 
  • Learn more about online banking security by reading our online guide to protecting your online ID and to safe online banking on our website.
pound coins

Which? Money when you need it

You can follow @WhichMoney on Twitter to keep up-to-date with our Best Rates and Recommended Provider product and service reviews.

Sign up for the latest money news, best rates and recommended providers in your newsletter every Friday.

Or for money-saving tips, and news of how what's going on in the world of finance affects you, join Melanie Dowding and James Daley for the Which? Money weekly money podcast

For daily consumer news, subscribe to the Which? news RSS feed here. And to find out how we work for you on money issues, visit our personal finance campaigns pages.