Best banks for internet banking security
In November 2018, we rated the customer-facing security of 12 leading online banks. Volunteers carried out a series of tasks, while a team of experts from cybersecurity firm SureCloud looked for weaknesses.
The table below shows how each bank fared for the main factors we tested, or you can skip straight to:
- Online banking security: FAQs
- 10 ways to protect yourself against fraud and scams
- What to do if you're a victim of bank fraud
Does the bank require you to use two-factor authentication to login?
Includes front-end security aspects of logging in, such as HTTPS and cipher strength.
Includes new payee set-up with small weight on password and address change
Navigation and logout
Includes using forward/back buttons, concurrent login, browsing away from site and confirmation of logout
|First Direct|| |
|Tesco Bank|| |
Our internet banking security tests
All providers have processes that aren’t visible in the type of testing we carried out – we can only analyse security features available to the customer – but our tests compared banks on the following:
Login: We checked how each bank identifies customers and how easy is it is to recover usernames or passwords.
Encryption: Encrypted data is scrambled so that only you and your bank can read it as it’s transmitted across the internet. The more complicated the cipher strength, the harder it is for a cybercriminal to crack the code, so we checked that a secure level of encryption was used. We also noted where best-practice security headers are in place. These protect web applications from a wide range of attacks and enforce a secure connection.
Account management: We marked banks down if they let us set up new payees or change passwords and addresses with no additional checks. If a criminal hacks into your account, it shouldn’t be easy for them to transfer money or get hold of a new debit card.
Navigation and logout: You should only be able to log in to your bank from one computer at a time, and hitting the logout button should instantly close your session. A two-stage logout process, where customers are asked to confirm that they wish to exit from online banking, could put customers at risk of unwittingly walking away from a computer while still logged in.
Why is two-factor authentication (2FA) important?
We’ve long called for banks to support two-factor authentication (2FA) login.
We were disappointed that The Co-operative Bank, Clydesdale and Yorkshire Bank, Lloyds Bank (along with Bank of Scotland and Halifax, part of Lloyds Banking Group), Metro Bank, NatWest and RBS, Santander and TSB are yet to adopt two-factor authentication, also known as 2FA, at login, despite having the technology to do so.
More payment providers are likely to adopt 2FA ahead of new ‘strong customer authentication’ regulations, due to be introduced from September 2019.
Passwords alone are no longer good enough, as weak login details can be easily guessed or gleaned from social media sites.
So, 2FA combines two steps to identify account holders – often something you know, such as a password or Pin, plus something you have, such as a card reader or mobile phone, which generates a single-use passcode.
It may seem heavy-handed to force customers to use a second device.
But if a hacker was able to penetrate the first layer of defence, they would have access to much more sensitive details, such as payment history and card numbers, which could make any subsequent scam attempts more convincing.
Most of our top scorers offer a fall-back method, where customers can log in with only their username and memorable information. However, they only gain access to a limited version of the site, which triggers extra checks for high-risk activities, such as setting up a new payee or changing contact details.
Is mobile banking safe?
The biggest threat to banking security comes from using a compromised device. And this applies whether you’re using a computer or a smartphone.
Although phones are more easily lost or stolen, apps are in some ways safer than using a computer to log in to your bank account.
This is because apps in the official app stores are vetted by Apple and Google, whereas PCs can run software from any source.
It's also more difficult to plant a keylogger in an Android or iOS device (software used to track every key you press and potentially steal usernames and passwords).
Smartphones can also be located, locked and even wiped of data remotely if they are lost or stolen (by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’).
Of course mobile banking isn’t risk-free – fake apps can turn up in app stores and malware does exist that specifically targets mobile phones.
Also, some banking apps are less restrictive than others. For example, all but two apps in our test (HSBC and Nationwide) let you transfer money to new payees, with limits ranging from £250 through to £30,000.
Most banks let customers use fingerprint ID to log in (only Co-op, HSBC and Santander prevent this) though it is safer to identify yourself using a password or passcode, as well as your fingerprint or voice.
Take our fraud risk quiz
Criminals are constantly inventing new ways to try to get their hands on your money.
Phishing emails are sent by criminals posing as genuine companies such as a bank or HMRC. Clicking on a link takes you to a fake website where fraudsters steal financial or personal details.
Or, the link might install malware on your computer as another means to capture details. Thieves can steal your password by tricking you into installing a program on your computer that secretly records your password when you type.
Telephone fraud, or vishing, is particularly sneaky. Fraudsters call up pretending to be the police or your bank’s fraud department and warn you that your account has been compromised to trick you into revealing your full password, or persuade you to move your money somewhere ‘safe’.
Some tell you to call the genuine number for your bank to ‘verify’ the call, then play a dialling tone while they stay on the line, before posing as your bank and conning you into giving them sensitive information.
Remember, your bank would never ask for your full Pin or passwords on the phone or via email, and they would never ask you to authorise a transfer of money to a new account.
1. Take your time
Treat unsolicited phone calls, letters, emails and texts with caution.
Fraudsters use pressure tactics to persuade you to share personal and financial details so don’t let anyone rush you and never share your Pin or online passwords (your bank will never ask for these in full).
2. Use a phone number you trust
If you’re in any doubt as to who’s calling, hang up. Make sure the line is clear, and then call the organisation on a phone number you trust, such as the one on the back of your payment card.
3. Use antivirus software
Make sure your computer or laptop is protected with a good security software program and antivirus software. Keep them all, along with your browser, up to date.
Visit our guide to choosing antivirus software so you can find the best package to keep you safe.
4. Create strong passwords
Different banks have different security measures for online banking but if you have to set up a password, make sure it is a mixture of letters and numbers and is different from an email password.
Don't write your passwords down in full or share them with anyone. Find out how to create the perfect password.
5. Use a secure network
If you have a wireless network at home, activate the security settings on your router to prevent others from accessing it. Avoid accessing your bank account from a public computer or unsecured wireless network.
If you do use a public computer, never leave it unattended and always log out properly when you've finished your banking session.
6. Be wary of links
Avoid clicking links and downloading attachments from emails and texts.
Type web addresses into the address bar of your browser manually instead.
7. Browse safely
Look for a padlock symbol in or next to the address bar in your browser and that the web address changes from starting with 'http' to 'https'.
This doesn't guarantee a site can be trusted, but it does mean the website is encrypted, so no one else but that website can read any card details or passwords you enter.
Some sites have an extended validation (EV) certificate, shown as a green padlock alongside the company name, also in green. Again, it’s not perfect, but it requires the company to undergo more rigorous checks.
8. Remove personal info from social media
Don't leave your email address, date of birth, or phone number on sites such as Facebook and Twitter – it increases your risk of identity theft. Only accept friend requests from people you know.
Someone posing as an interesting person asking to become your friend may actually be an ID thief.
Check your privacy settings carefully and make sure only people you trust can view your profile.
9. Scan your statements
Regularly check your bank account and credit card statements for suspicious transactions.
If you spot something unfamiliar, report it to your bank or card provider as soon as you can.
10. Use ATMs inside the bank
Try to shield your Pin in case there are cameras fitted by criminals above the keypad. Or, stick to in-branch machines, which are less likely to have been tampered with than one on the high street.
Check your account online regularly to spot any irregularities and contact your bank as soon as possible if you think you've been a victim of fraud.
Your bank must refund unauthorised transactions and restore your account to the state it would have been in had the transaction not be made unless it can prove that you've acted fraudulently or been grossly negligent.
They can't refuse to refund you based on a hunch – they must investigate properly – but banks don't always get this right. Which? Money has obtained exclusive data from the Financial Ombudsman Service (FOS) revealing the card providers handling fraud claims poorly.
Know your rights: Find out what to do if you have given a fraudster your bank details.
Which? campaigns for scam victims to be reimbursed
Sadly, it can be difficult to get a refund if you've been tricked into transferring money.
For example, if a fraudster called up, posing as your bank's fraud department, and convinced you to move your money into a new account (by pretending yours had been compromised) your bank may not be liable to cover losses because you authorised the payment.
Victims of bank transfer scams can lose eye-watering sums so in 2016 we submitted a super-complaint on bank transfer scams to the financial regulator, demanding banks do more to protect customers who are tricked into sending money to fraudsters.
Thanks to our campaigning, a new voluntary code promising refunds for victims of authorised push payment (APP) scams came into effect in May 2019. Most major banks have signed up to the code, but a few are yet to do so.
Read more about the new scam refunds code and find out if your bank has signed up.