Banks must lead the battle against online crime, yet the latest security test from Which? Money has revealed a big gap between the best and worst.
All providers have controls in place that we can’t detect and they must balance security measures with convenience to ensure customers enjoy a seamless experience. But with so much at stake, we want them to prioritise safety above all else.
Which? has long called for banks to use a second authentication factor at login (not just static data such as a username and password). This is now enforced under regulations known as strong customer authentication (SCA) yet we found that one bank – TSB – has failed to fully implement this crucial layer of defence.
When we reported this non-compliance to the Financial Conduct Authority (FCA), it told us it doesn’t comment on specific firms and would not confirm if TSB or any other firms have been granted an effective SCA extension in relation to online banking.
See the full online banking security table to check scores for 13 leading current account providers.
Tesco Bank worst for banking security
Tesco Bank has the lowest score of 46%.
Though it is no longer accepting new current account customers, existing users will be disappointed that it has slumped to the bottom of our table.
6point6 found multiple security headers missing (these protect against a range of cyberattacks, by telling your browser how to behave when it communicates with the website).
They also uncovered an internal staff website that was accessible from anywhere. This has since been closed so that only employees can access it but it should never have been visible to our testers as it can give scammers a way in.
Users can save a trusted device instead of entering a one-time passcode (OTP) at every login. This may be convenient, but as it never asks customers to re-authenticate that device and there’s no option to edit a list of trusted devices (the bank told us this is in the works), we couldn’t award it full marks.
Tesco also failed to block us from logging in to the website from two computer networks at the same time, and we weren’t logged out when we switched to a different website or used the forward/back button to leave the session and return to it.
A Tesco Bank spokesperson said: ‘The security of our customers’ accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.
‘Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards.’
‘We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.’
TSB fails to implement crucial security checks
TSB has one of the lowest scores (51%) for the second year running (see here for last year’s test results).
It may be the only bank to pledge to refund all innocent fraud victims, but it was also the only bank in our test that was not SCA-compliant.
Asking for static account details gives limited protection against attacks. We’re shocked that it has been so slow to implement this protection.
The bank initially told Which? that it’s SCA-compliant, but when pressed it revealed that SCA is still being rolled out for existing customers and couldn’t say when this will be completed.
The forced upgrade has since been completed for mobile app users but is still being rolled out for online banking users.
Once fully rolled out, all TSB users must enter an OTP at login though they can choose to ‘trust’ their device for 90 days to bypass this check.
Other issues we found included support for outdated versions of Transport Layer Security (TLS). TLS scrambles communication over the internet so that only you and your bank can read it. The bank said these older versions are supported as part of a balanced approach to security and being inclusive to customers.
We found a missing security header – one that would help to lessen the impact if a hacker injected malicious scripts into trusted websites. We flagged this problem last year as well. The bank said it performs regular testing to prevent this and other types of attacks.
And our experts noted that scripts were loaded from eight external sources (although one was its parent company Group Sabadell). This was the most of any bank tested by some margin.
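The missing security headers mentioned for Tesco Bank and TSB, and the count of external script sources, are all things that can be read straight off a site’s HTTP response. The script below is an added example (not Which?’s or 6point6’s test tooling): it parses a raw response, reports which of a set of commonly recommended browser security headers are absent or weakly configured, and lists the outside hosts that `<script src=…>` tags pull code from. The header list is my own choice, not the list the testers used, and both sample responses and the host names in them are constructed.

```python
"""Audit an HTTP response for browser security headers and external scripts.

Added example, not any bank's or tester's code.  The header list below is a
commonly recommended set chosen for illustration; the sample responses and
host names are constructed.
"""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Headers we expect a banking site to send, with what each tells the browser to do.
EXPECTED_HEADERS = {
    "strict-transport-security": "only ever talk to this site over HTTPS",
    "content-security-policy": "restrict where scripts and other content may load from",
    "x-content-type-options": "do not guess (sniff) content types",
    "x-frame-options": "refuse to be framed by other sites (clickjacking)",
    "referrer-policy": "limit what the browser leaks in the Referer header",
}
ONE_YEAR = 365 * 24 * 3600  # the usual minimum HSTS max-age, in seconds


def parse_response(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers: dict[str, str] = {}
    for line in header_block.split("\r\n"):
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def audit_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return which expected headers are missing and which present ones look weak."""
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    weak: list[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            weak.append("strict-transport-security: max-age shorter than one year")
    csp = headers.get("content-security-policy")
    if csp is not None and "'unsafe-inline'" in csp:
        weak.append("content-security-policy: allows 'unsafe-inline'")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak.append("x-content-type-options: value is not 'nosniff'")
    return {"missing": missing, "weak": weak}


def external_script_hosts(html: str, own_host: str) -> set[str]:
    """Hosts other than the site's own from which <script src=...> tags load code."""
    hosts = set()
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, flags=re.I):
        host = urlparse(src).netloc.lower()   # '' for relative paths like /static/app.js
        if host and host != own_host.lower():
            hosts.add(host)
    return hosts


def audit(raw_response: str, own_host: str) -> dict:
    """Full report for one response: missing/weak headers plus external script hosts."""
    _status, headers, body = parse_response(raw_response)
    report = audit_headers(headers)
    report["external_script_hosts"] = sorted(external_script_hosts(body, own_host))
    return report


# Constructed sample responses (hostnames are placeholders, not real sites).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    '<html><script src="/static/app.js"></script></html>'
)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    '<html><script src="/static/app.js"></script>'
    '<script src="https://cdn.example-analytics.test/t.js"></script>'
    "<script src='//tags.example-ads.test/x.js'></script></html>"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit(raw, "www.example-bank.test"))
```

Run against a real site you are authorised to test, the only change is to replace the constructed strings with the bytes returned by an HTTPS fetch; the checks themselves do not depend on how the response was obtained.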
A TSB spokesperson said: ‘TSB customers who use their mobile app already have SCA and we’re continuing to roll it out for those who use internet banking.’
Best banks for online banking security revealed
At the other end of the table, challenger bank Starling came out on top with a score of 85%.
Most Starling customers run their accounts from its smartphone app but our experts found nothing concerning with its recently launched online banking website. Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption.
Barclays, HSBC and First Direct tied for second spot, each with a score of 78%.
Barclays supports the latest version of TLS and encourages users to log in using the PINsentry card reader (physical or integrated into the app). Users who choose to enter a code sent via text at login have limited functionality (they can’t change their details or open a new account and are unable to make new, high value or international payments).
First Direct and parent bank HSBC have the same score, though not identical security.
Both offer a ‘Secure Key’ (again, this is physical or integrated into the app) to log in, pay someone new or change personal details. They scored top marks for cipher strength but don’t support the latest version of TLS. And we think pre-set security questions for forgotten passwords are too basic, though there are plans to address this.
We’d like First Direct to stop asking users to confirm they want to log out (instantly closing a session is safer) and stop allowing 10 minutes’ inactivity before timeout. We also want HSBC to ask users to log in again when they switch to a different website and use the back button to return.
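Several of the findings above are about server-side session rules: Tesco Bank letting the same account log in from two networks at once, TSB’s 90-day ‘trusted device’ bypass with no way to review the list, and First Direct’s 10-minute inactivity window. The following is an added example, not any bank’s code, showing how those three controls fit together in one small policy object: a second login from a different network is refused while a session is live, a trusted device stops bypassing the one-time passcode after 90 days and can be listed or revoked, and an idle session is closed without asking. The five-minute idle timeout, user names, device and network labels are constructed values.

```python
"""Server-side session and trusted-device policy.

Added example, not any bank's code.  Shows three controls discussed in the
article: refusing a concurrent login from another network, expiring a
'trusted device' after 90 days, and timing out an idle session.  All timings
other than the 90-day window, and all identifiers, are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

TRUSTED_DEVICE_LIFETIME = timedelta(days=90)  # the 90-day window quoted in the article
IDLE_TIMEOUT = timedelta(minutes=5)            # constructed; shorter than the 10 minutes criticised


@dataclass
class Session:
    user: str
    device_id: str
    network: str        # e.g. the client's source network; a constructed label here
    last_seen: datetime


@dataclass
class SessionPolicy:
    sessions: dict[str, Session] = field(default_factory=dict)
    # (user, device_id) -> the time at which the device stops being trusted
    trusted: dict[tuple[str, str], datetime] = field(default_factory=dict)

    def active_session_for(self, user: str, now: datetime) -> str | None:
        """Id of the user's live session, dropping it first if it has gone idle."""
        for sid, s in list(self.sessions.items()):
            if s.user == user:
                if now - s.last_seen > IDLE_TIMEOUT:
                    del self.sessions[sid]
                else:
                    return sid
        return None

    def needs_otp(self, user: str, device_id: str, now: datetime) -> bool:
        """True unless this device is trusted and its 90-day window is still open."""
        expiry = self.trusted.get((user, device_id))
        if expiry is None or now >= expiry:
            self.trusted.pop((user, device_id), None)   # forget expired trust
            return True
        return False

    def trust_device(self, user: str, device_id: str, now: datetime) -> None:
        self.trusted[(user, device_id)] = now + TRUSTED_DEVICE_LIFETIME

    def trusted_devices(self, user: str) -> list[str]:
        """The list a customer should be able to see and edit."""
        return [d for (u, d) in self.trusted if u == user]

    def revoke_device(self, user: str, device_id: str) -> None:
        self.trusted.pop((user, device_id), None)

    def login(self, user: str, device_id: str, network: str,
              now: datetime, otp_ok: bool) -> str | None:
        """Return a new session id, or None if the login is refused."""
        if self.needs_otp(user, device_id, now) and not otp_ok:
            return None
        existing = self.active_session_for(user, now)
        if existing is not None:
            if self.sessions[existing].network != network:
                return None              # concurrent login from another network: refused
            del self.sessions[existing]  # same network: the new session replaces the old one
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, device_id, network, now)
        return sid

    def touch(self, sid: str, now: datetime) -> bool:
        """Refresh a session on activity; False if it has already timed out."""
        s = self.sessions.get(sid)
        if s is None or now - s.last_seen > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)
            return False
        s.last_seen = now
        return True

    def logout(self, sid: str) -> None:
        """Close the session immediately, with no confirmation step."""
        self.sessions.pop(sid, None)


def scenario() -> dict:
    """Walk one constructed customer through the three controls and collect the results."""
    p = SessionPolicy()
    t0 = datetime(2020, 9, 1, 9, 0)
    r = {}
    r["untrusted_without_otp"] = p.login("alice", "laptop", "home-net", t0, otp_ok=False)
    sid = p.login("alice", "laptop", "home-net", t0, otp_ok=True)
    r["session"] = sid
    p.trust_device("alice", "laptop", t0)
    r["other_network"] = p.login("alice", "phone", "cafe-net", t0 + timedelta(minutes=1), otp_ok=True)
    r["alive_at_4min"] = p.touch(sid, t0 + timedelta(minutes=4))
    r["alive_at_20min"] = p.touch(sid, t0 + timedelta(minutes=20))
    r["otp_needed_day_89"] = p.needs_otp("alice", "laptop", t0 + timedelta(days=89))
    r["otp_needed_day_91"] = p.needs_otp("alice", "laptop", t0 + timedelta(days=91))
    r["trusted_after_expiry"] = p.trusted_devices("alice")
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The policy passes `now` in explicitly rather than reading the clock, so the 90-day and idle rules can be tested deterministically; in a real deployment the session store would be shared across web servers and the network label would come from the authenticated connection, not from anything the client supplies.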
We worked with independent security experts 6point6 to rate the largest current-account providers on four main criteria: encryption (40%), login (30%), account management (15%) and navigation (15%). The tests were performed in September and October 2020.
- The full investigation appeared in the January 2021 issue of Which? magazine. Try Which? to have our impartial, jargon-free insight delivered to your door every month.