With help from a team of independent security experts at Red Maple Technologies, we looked for potential holes in the defences of 13 current account providers, to rate their online and mobile banking security.
Hacking into a bank account is no mean feat. Although millions of us bank online, just 29,102 cases of remote banking fraud were recorded in the first six months of last year, which includes victims tricked into handing over login details.
However, our investigation found several banks missing basic online and app protections. Read on to see which banks excelled and which caused us concerns.
How did we test banks' defences?
Although all banks and building societies have behind-the-scenes systems that we couldn’t test, we assessed their online and mobile banking security across four key categories: login; encryption; account management; and navigation and logout.
We delved into the software used by banks and tested whether they follow best practices that help keep your web browser secure and block threats such as . We looked at whether bank websites and apps support outdated versions of or use . And we searched for website that shouldn’t be accessible on the internet or that use outdated software, as this can potentially allow attackers to exploit unresolved security issues.
Top-rated banks
Starling: Online 82%, App 80%
Starling came out top for online banking, although its (also high-scoring) mobile app is key to security – it's used to authorise online logins and provides instant alerts of any sensitive activity.
Account changes can only be made from a device that has been through stringent checks and requires a ‘selfie video’ that matches your existing identification videos and documents, although we would prefer Starling to send notifications when email addresses and phone numbers are changed.
You can ‘untrust’ devices via Starling’s app at any time. The bank told us it uses industry-standard methods to detect rooted (ie more vulnerable) devices, but we were able to bypass these protections in our test.
We also think the passcode should be longer, as it’s only four digits, whereas many banks require at least six. And while Starling does check for common passwords, it didn’t stop us using a pattern or sequence of numbers.
HSBC: Online 80%, App 82%
Our top scorer for online banking security last year, HSBC has performed excellently again this year.
Bottom-rated banks
TSB: Online 66%, App 57%
We had several concerns when it came to TSB. It still asks basic security questions, such as ‘name your favourite food’, to recover login details.
TSB also failed to block insecure passwords and only requires six characters – banks should encourage longer phrases.
It also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications.
TSB is also reviewing alerts and password complexity as part of its digital strategy. Following our research, it removed phone numbers from all SMS alerts, except for one which is due to be removed this month.
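The review faults Starling for accepting a passcode that is a pattern or sequence of digits, and TSB for not blocking insecure passwords and accepting only six characters. The checks below are an added illustration of what such a policy looks like in code; they are not Starling's, TSB's or Which?'s own implementation. The common-password list is a constructed sample (a real deployment would use a large breached-password list), and the minimum lengths are assumptions chosen for the example.

```python
"""Passcode and password policy checks of the kind the review describes:
reject common passwords, digit sequences and repeating patterns, and
enforce a minimum length. Example code, not any bank's implementation."""
import re
from typing import Optional

# Constructed sample denylist; a real deployment would use a large
# breached-password list rather than a handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "111111"}

MIN_PASSCODE_DIGITS = 6   # the article notes many banks require at least six digits
MIN_PASSWORD_CHARS = 12   # assumed minimum; longer than TSB's six characters


def is_sequential(digits: str) -> bool:
    """True if every step between neighbouring digits is +1 or every step is -1
    (e.g. 123456, 987654)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def is_repeated(digits: str) -> bool:
    """True if the passcode is a single digit repeated (e.g. 111111)."""
    return len(set(digits)) == 1


def is_simple_pattern(digits: str) -> bool:
    """True if a short block is repeated to fill the passcode
    (e.g. 121212 or 123123)."""
    for size in range(1, len(digits) // 2 + 1):
        block = digits[:size]
        if len(digits) % size == 0 and block * (len(digits) // size) == digits:
            return True
    return False


def check_passcode(passcode: str) -> Optional[str]:
    """Return None if the passcode is acceptable, otherwise the reason it was rejected."""
    if not passcode.isdigit():
        return "passcode must contain only digits"
    if len(passcode) < MIN_PASSCODE_DIGITS:
        return f"passcode must be at least {MIN_PASSCODE_DIGITS} digits"
    if is_repeated(passcode):
        return "passcode is a single repeated digit"
    if is_sequential(passcode):
        return "passcode is a digit sequence"
    if is_simple_pattern(passcode):
        return "passcode is a repeating pattern"
    return None


def check_password(password: str) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it was rejected."""
    if len(password) < MIN_PASSWORD_CHARS:
        return f"password must be at least {MIN_PASSWORD_CHARS} characters"
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "password is on the common-password list"
    # Also reject trivial variants such as "Password1234", which is a
    # common password with digits and symbols bolted on.
    stripped = re.sub(r"[^a-z]", "", lowered)
    if stripped in COMMON_PASSWORDS:
        return "password is a trivial variant of a common password"
    return None


if __name__ == "__main__":
    for candidate in ("123456", "121212", "285137"):
        print(candidate, "->", check_passcode(candidate) or "accepted")
    for candidate in ("Password1234", "correct horse battery"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The pattern check is deliberately independent of the denylist: a six-digit sequence such as 123456 would be caught by a common-password list, but 285137-style random codes pass while 135135 is still rejected, which is the gap the review found in a check that only looks for common values.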
A spokesperson for TSB said: 'We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.'
Virgin Money: Online 52%, App 54%
Virgin Money got the lowest scores for online and app banking.
The app didn’t appear to detect our analysis tool or a rooted phone, although the bank said it uses internal controls to protect customers.
We want it to block insecure passwords and remove phone numbers in notifications; Virgin Money said both are an ‘agreed position that balances security with customer experience’.
Unusually, there were no security checks to pay someone new, change an email address or edit the details of a payee, though it does send notifications for changes to personal details and passwords.
A spokesperson for Virgin Money said: ‘The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.’
Five tips to help you bank safely online
Banks need to address vulnerabilities in their security – but their greatest vulnerability could be you.
Here's how you can stop criminals in their tracks:
1. Don't click on links
If you receive unexpected emails, texts, WhatsApp or any other type of message, don't click on the hyperlinks they contain.
Criminals posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.
Don't download attachments or call phone numbers either. If you need to get in touch with your bank, call it on a trusted number, such as the one on your debit card.
2. Use up-to-date security software
It's also important to download and install the latest updates for the device itself. Updates contain security patches for new vulnerabilities, so don't use an out-of-date device.
3. Protect your mobile
Go into the settings to ensure your phone auto-locks after a short period of inactivity.
While you're in there, disable lock screen notifications, to prevent criminals seeing incoming texts, which could include bank codes for accessing your account.
You can also add a Pin to your Sim card, to prevent it being accessed.
4. Check your privacy settings on social media
Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank.
Only accept friend requests from people you know.
5. Replace default passwords on your home router
This will prevent anyone else accessing it. You should also avoid banking on unsecured wireless networks or public computers.
If you do use a public computer, never leave it unattended and always log out when you're finished.
Source: https://www.which.co.uk/news/article/which-banks-have-the-best-online-and-app-security-aHobm1t8ZFRD