Telephone banking security can be hit and missHalifax and Santander fare badly in Which? test

23 May 2013

Telephone banking security can be hit and miss

Which? has found that not all phone banking security systems are equal in its latest investigation.

Which? made more than 100 calls to the UK's biggest banks to see how hard, or easy, it is to break through their telephone banking procedures. 

Not all of our results inspired great confidence. Halifax and Santander both scored lowest for their initial banking security procedures in our test scenario.

In one call to Santander we were asked for nine 'easy' pieces of information that would be relatively simple for someone else to get hold of, but nothing more challenging. In a call to Halifax, one of our callers told us it was 'frighteningly easy to get my balance with only card details and my date of birth'.

Which? telephone banking investigation

As part of the investigation callers made more than 100 calls to nine of the UK's biggest banks offering current accounts to see what would happen if someone else tried to access your account without your permission. The calls were made without using any previously set-up passwords, codes, or Pins. 

The aim was to get through to find out personal information, such as a balance or overdraft limit. This information could potentially be used by fraudsters to decide whether to target you and, if they did, arm them with more tools to do so.

We rated each call on how many questions we were asked and the security of those questions. Worryingly, in one in five calls we were only asked fairly simple questions to get through, with answers that could easily be found in a stolen bag or wallet. 

First Direct was the most impressive in our test scenario, asking callers the most high-grade security questions. In addition, each caller was asked to go somewhere they couldn't be overheard.

What the banks say

All the banks told Which? that different levels of security apply depending on what you want to do. Halifax told us: 'We take security extremely seriously and operate a consistent approach to telephone banking security across the Group's brands. Many of our measures are fundamentally non-visible, and would not be identified in a simple research exercise such as this'.

While Santander told Which? it has two levels of security and our test only looked at the first: 'Level one establishes a caller's identity by asking relatively straightforward questions. If a caller wants to complete a task that warrants added security, we will move to asking more challenging level two questions'.

How to stay safe

  • Bank in a safe place If you're banking over the phone, make sure you can't be overheard revealing personal information.
  • Don't write passwords down You should not write down any telephone banking security information in full. It's especially important to make sure you don't keep it alongside any of your other bank details. 
  • Don't reveal your details Never respond to an email or phone call asking for your telephone banking password, code or Pin, or any other personal information. This applies ever if a caller claims to be from your bank. 
  • Check your statements Look out for transactions you don't recognise and contact your bank if you spot anything strange. You should also contact your bank if you notice anything unusual relating to your account, for example not receiving a statement.  

More on this...