Which? puts online banking security on testSantander falls down compared to other major banks

25 September 2013

Online banking security test

NatWest/Royal Bank of Scotland (RBS) comes out on top while Santander scores the lowest, as Which? reveals the results of its latest online banking security test. 

With online banking fraud losses hitting £40 million last year according to Financial Fraud Action UK, it's more important than ever for banks to protect their customers. 

In our latest look at the customer-facing security protection put in place by 10 of the UK's biggest banks, we found a big difference between the scores of the best and worst performers, and some causes for concern. 

How did your bank fare?

  • NatWest/RBS - 76%
  • The Co-operative Bank - 72%
  • HSBC - 72%
  • Barclays - 71%
  • Norwich and Peterborough BS - 70%
  • Lloyds TSB - 69%
  • Nationwide BS - 69%
  • Smile - 68%
  • Halifax - 67%
  • Santander - 47%

First Direct was the only bank to score a dismal one star for the security when setting up a new payee and would have scored 46%. However, since our testing was carried out, Which? is pleased to hear it has made changes. First Direct told Which? it takes security 'very seriously' and is introducing a higher level of security. 

The best...

NatWest/Royal Bank of Scotland (RBS) security rated highest with an overall score of 76%. It required a card reader when we tried to carry out higher risk tasks, such as transferring money to a new payee or changing the password. 

It also locked us out of our account for 10 minutes when we tried to log on from two different IP addresses at once. This would deter a fraudster who may try and access your account while you're already logged in. 

... to the worst

Santander, meanwhile, scored the lowest - just 47% - getting lower ratings in a number of areas compared with the top performing banks. It fell down compared with other banks in terms of how it dealt with the security around the log out process. Which? has shared our concerns with Santander. 

Santander told us: 'Customer security is of the utmost importance to Santander, so we have taken on previous feedback from Which? and enhanced the visible and invisible layers of security in our systems. 

'This means when you log off, you are completely logged off and cannot get back in without re-entering the security details. While we ensure online banking is safe and secure, we also have to make sure its user-friendly as well, to strike the right balance'. However, Which? still has concerns and will continue to work with Santander.

What we were looking for

In July 2013, we asked one customer from each bank to log in to their current account using a test computer, and undertake a range of tasks. We rated each bank using seven different elements of the customer-facing security each used. 

We looked at login security, logout security, what security was in place for transferring money to a new payee. Which? also looked at if there was additional security in place when changing personal details online and whether the site allowed us to use the forward and back buttons on our browser. Encryption against threats and protection against specific attacks were also assessed. 

Which? worked with security experts Pen Test Partners, who specialise in testing the security of companies computer systems, to devise the test.

More on this...