
Online banking security: Internet banking security: our research

Online banking security investigation

Image: Barclays bank login screen. The Barclays site was judged as excellent by our expert.

We recruited world-renowned internet security expert Peter Wood, head of First Base Technologies, to work with Which? banking expert Cathy Neal. Peter has helped major companies detect security vulnerabilities in their websites.

To assess each bank, we asked 10 volunteers to tell our security expert about the login, money transfer and change of address processes used by their online bank, without revealing any of their personal details.

We were unable to assess back-office security measures known only to the banks. Therefore, we were unable to investigate how well each bank spots fraud and puts a stop to illegal transactions. We were also unable to find out whether your bank will always refund your money if you’ve been a victim of fraud.

In May 2009, we interviewed 1,038 members of the public online about their experiences of financial fraud.

Keylogging software

We focused our investigation on the customer-facing security measures: the login, money transfer and change of address processes. It’s these measures that help determine how well banks protect you from one of the biggest threats to your online account – keyloggers. These malicious programs sit on your computer and record every keystroke, with the aim of collecting your passwords.

Keylogging software is responsible for online banking fraud more than doubling in 2008: losses soared to £52.5m, up from £22.6m in 2007, according to the UK Payments Administration (formerly APACS).

The UK Payments Administration, which represents banks, used the release of these figures in April 2009 as an opportunity to remind customers to have their computer’s firewall switched on and to make sure their anti-virus software is up to date. This is good advice. But we wanted to look at what the banks are doing to help outfox keyloggers.

Assessing banking websites' security

When assessing the banking websites' login process, we looked at the number of stages a bank uses to identify its customers. The more layers there are, the more likely fraudsters will be deterred from trying to access your account.

Our expert was on the lookout for accounts that ask for three to four pieces of information, split across different screens. The information you enter should comprise more than just a username and password.

He was also looking for:

  • Banks that offer ways of entering information other than typing your personal details in full. More secure methods include drop-down menus or typing only part of your data. Keying in your full personal details makes them vulnerable to keyloggers.
  • The use of secure information that can’t easily be gleaned through social engineering techniques, whereby people are manipulated into divulging confidential information.
  • An online bank account that doesn’t allow you to use the browser back button to get back into your account after you have left it. This is especially important for shared computers.
  • An account that doesn’t allow you to log in from two computers at the same time. If a bank allows this, you wouldn’t know whether someone else was trying to access your account or was already in it.
  • How banks cope with simple keyloggers rather than more complex ones that can take snapshots of your screen. Although some malicious software can conduct screen captures, it is not as reliable for fraudsters. In contrast, a simple keylogger could capture the site URL and all the credentials (if all are typed in) completely automatically.
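As an added example (not code from the article or from any bank), here is how the "type only part of your data" approach described above can be implemented, and why it blunts a simple keylogger: the server asks for characters at a few randomly chosen positions of a memorable word and verifies only those, and a small simulation estimates how much of the word a recorded login would reveal. The server key, function names and the memorable word are constructed for the demonstration.

```python
import hashlib
import hmac
import random
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: a deployment-specific secret kept server-side


def enrol(memorable_word: str) -> list:
    """Store one keyed tag per (position, character) so single characters can
    be checked later. Caveat: each tag covers a tiny alphabet, so if this store
    leaks it is weak; the scheme mitigates keyloggers, not a stolen database."""
    return [hmac.new(SERVER_KEY, f"{i}:{c}".encode(), hashlib.sha256).digest()
            for i, c in enumerate(memorable_word)]


def make_challenge(secret_len: int, k: int = 3, rng=None) -> list:
    """Ask for k distinct positions (0-based); never the whole word at once."""
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(secret_len), k))


def verify(stored: list, positions: list, answers: str) -> bool:
    """Compare every requested character in constant time, with no early exit."""
    if len(answers) != len(positions):
        return False
    ok = True
    for pos, ch in zip(positions, answers):
        tag = hmac.new(SERVER_KEY, f"{pos}:{ch}".encode(), hashlib.sha256).digest()
        ok &= hmac.compare_digest(tag, stored[pos])
    return ok


def exposure(secret_len: int, sessions: int, k: int = 3, seed: int = 0) -> float:
    """Fraction of the word a keylogger would hold after recording `sessions`
    logins, assuming it also sees which positions were prompted (worst case).
    Seeded for reproducibility; a live challenge uses the secrets module."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(sessions):
        seen.update(make_challenge(secret_len, k, rng))
    return len(seen) / secret_len


if __name__ == "__main__":
    store = enrol("chocolate")              # constructed memorable word
    challenge = make_challenge(len(store))  # e.g. [1, 4, 7]
    typed = "".join("chocolate"[p] for p in challenge)
    print(challenge, verify(store, challenge, typed))
    print(f"1 login: {exposure(9, 1):.0%}  5 logins: {exposure(9, 5):.0%}")
```

One recorded login reveals only k of the word's characters, and only if the keylogger also learns which positions were prompted; the simulation shows how quickly repeated recordings erode that protection, which is why the number of positions requested matters.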