The latest banking investigation from Which? reveals the best and worst banks for online security, exposing those lagging behind the rest of the industry.
Our tests were performed by independent security experts at Falanx Cyber, who rated the customer-facing security systems of the largest current account providers.
Although all 12 banks and building societies we looked at have systems working behind the scenes to detect fraud that we can’t test, our investigation identifies areas where we think providers could be doing more to keep you safe.
We approached providers with our findings to encourage tighter security.
Several have already made improvements. Barclays, for example, told us it will stop including links and phone numbers in customer alerts to better protect them against scam attempts. And Starling has developed a weak-password blacklist after we found that we could choose ‘password1’.
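The kind of check a weak-password blacklist adds, as an illustrative example written for this article (not Starling's or any bank's code): the word list, the length threshold and the normalisation rules are assumptions, chosen so that trivial variants of a banned word such as ‘password1’ or ‘P@ssw0rd1!’ are rejected, not just the exact string.

```python
import re

# Constructed sample list; a real deployment would load a large
# breached-password list rather than a handful of words.
BLACKLIST = {"password", "letmein", "qwerty", "123456", "welcome", "iloveyou"}

# Undo common leetspeak substitutions (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(candidate):
    """Reduce a candidate to its base word: lower-case, drop trailing
    punctuation and trailing digits, then undo leetspeak."""
    base = candidate.strip().lower()
    base = re.sub(r"[^a-z0-9@$]+$", "", base)   # 'password1!' -> 'password1'
    stripped = re.sub(r"\d+$", "", base)        # 'password1'  -> 'password'
    base = stripped or base                     # keep all-digit words intact
    return base.translate(LEET)                 # 'p@ssw0rd'   -> 'password'


def is_weak(candidate, min_length=12):
    """Return (weak, reason). The blacklist is checked before length so that
    a short banned word is reported as banned, not merely as short."""
    if candidate.lower() in BLACKLIST or normalise(candidate) in BLACKLIST:
        return True, "blacklisted base word"
    if len(candidate) < min_length:
        return True, "too short"
    return False, "ok"


if __name__ == "__main__":
    for pw in ["password1", "P@ssw0rd1!", "123456", "short7", "correct-horse-battery"]:
        print(f"{pw!r}: {is_weak(pw)}")
```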
Best and worst banks for online security
NatWest was the top-scoring provider, having tightened security across the board since our last tests. A card reader or one-time password is required for login (unless you’re using a trusted device), changing your password and setting up new payees. Our findings also apply to parent bank Royal Bank of Scotland.
TSB, on the other hand, was at the bottom of our table. It was the only bank that didn’t log us out when we logged in from a second computer; we think simultaneous logins from two devices should not be allowed. It’s also missing security headers that protect against certain cyberattacks.
For a full breakdown of the scores and to find out what we test and why, read the Which? guide to online banking security.
| Provider | Score |
| --- | --- |
| NatWest (also Royal Bank of Scotland) | 83% |
| Lloyds Bank (also Bank of Scotland and Halifax) | 74% |
| Yorkshire Bank (also Clydesdale Bank) | 68% |
| The Co-operative Bank | 56% |
What is two-factor authentication (2FA) and why is it important?
Which? has long called for banks to support two-factor authentication (2FA) login.
Gmail, Microsoft Hotmail and Twitter all offer some form of 2FA, which involves more than one identity check: for example, a username and a password plus a single-use passcode generated on a card reader or mobile phone.
You might expect that bank accounts should be at least as secure as an email or social media account but our research has found that some banks – namely Metro Bank, Santander and TSB – are still lagging behind on this front.
By March 2020, banks will be forced to introduce 2FA for every login, under new ‘strong customer authentication’ regulations.
We want providers to prioritise this essential security measure well before this deadline.
Barclays to remove phone numbers and URLs from customer alerts
We want banks to send notifications when details are altered to alert you to a potential breach. However, we marked them down in our tests if these messages included a phone number or link to a login page.
This is because scammers can replicate texts and emails to trick you into calling them or entering your details on a fake website. If banks never included phone numbers or website links in their communications, it would make scam attempts easier to spot.
We found that Barclays, First Direct, Lloyds, Nationwide, Metro Bank and the Co-operative Bank all included phone numbers in texts.
Since our test, Barclays says it has introduced a new policy banning the use of phone numbers and URLs in any customer alerts. We want other banks to follow suit and will continue to penalise them if they don’t.
Mobile banking app security
For the first time, we also asked cyber-security experts to look at front-end security for mobile banking apps. They identified several areas for improvement.
Lloyds and TSB both ask app users for the same memorable codes used for desktop login; our experts think it would be safer to ask for app-specific data. Barclays, NatWest and Yorkshire Bank made it too easy to pay anyone new, although NatWest has a maximum £750 limit. Barclays also let us change address and add a new payee with only a few basic card details, but it told us it’s looking at other options.
Monzo is the only bank that asks you to log in periodically rather than every time. If someone stole your phone, they could view your account without having to authenticate. Actions that would compromise money or details can only be performed by entering the passcode; however, criminals often refer to recent transactions as part of impersonation scams.
We’re also concerned that Monzo uses the card Pin as the app passcode, the only bank to do so. Falanx prefers a minimum six-digit passcode for apps. Like Monzo, Metro Bank and Starling require only four digits, but theirs are different from the card Pin.