Which? exposes online banking security flaws

Best and worst banks for online security revealed

20 October 2016

Banks need to do more to keep customers safe

Many major banks have failed to adopt two-factor security steps that could safeguard their customers from online banking fraud, according to new Which? research.

Which? tested the customer-facing security of 11 banks and found more than half failed to conduct two-factor ID checks when customers logged into their accounts.

For the fourth year running, the Lloyds Banking Group (Lloyds, Halifax and Bank of Scotland), along with Santander and TSB, have come bottom in our tests for overall online security.

To see how the 11 high street banks performed, view the full results of Which?’s online banking security test online.

Bank fraud is booming 

In 2014-2015, losses soared by 64% to £133.5m for online banking and 28% to £323.3m for phone banking. And yet many banks are still failing to introduce security steps that could better protect their customers from falling victim to scams.  

Two-factor authentication at login combines two different types of ID checks - typically something you know, such as a password or Pin, with something you have, such as a card reader or a mobile phone on which to generate or receive a single-use pass code.

All the banks conduct additional checks before money can be transferred. But if hackers can penetrate the first level of security at login they can access sensitive financial details which they can use to win their victims’ trust and trick them into transferring money voluntarily – a tactic used by scammers.

Scams are becoming more sophisticated

Alex Neill, managing director of Which? Home & Legal, said: 'The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there’s no excuse for others to sacrifice security.

'Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated. People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers.' 

Which? used its super-complaint powers to call on the financial regulator to investigate whether banks could do more to protect people who are tricked into transferring money to a fraudster.
