Testing Banking Website Security: What You Need to Know
With 86% of UK adults using a form of online or remote banking and high street banks closing in record numbers, banking websites have become an integral part of our daily lives. They have changed how we manage our money, allowing us to send and receive money from anywhere in the world, open or close accounts at the click of a button (or a tap on a screen), and avoid queuing in physical banks. They have also transformed the UK’s criminal landscape.
In the ’90s, the “Bank Job” was a massive part of British criminal life, with 847 bank robberies taking place in 1992 alone. By 2011, that number had fallen to 66. Today, robbery attempts on British bank branches are exceedingly rare, mainly due to the rise of online banking.
But that doesn’t mean banks are invulnerable to crime – far from it. Cybercrime poses an enormous threat to British banks, with criminals launching countless attacks on banking websites and applications every day. While most banks will refund money stolen in a cyberattack, provided the customer has done nothing to compromise the security of their account, this isn’t a guarantee. Even if the bank does repay customer funds, having your money stolen is a traumatic experience and one that you’d want to avoid.
So, what are banks doing to secure their online banking services? And how effectively are they doing it? New research from Which? reveals all.
Online Banking Security Assessment Metrics
Before we dive into the results, it’s worth running through the metrics Which? used to assess online banking security. They are:
- Security best practice (30% of total score): Which? checked for best-practice security headers that protect against cyberattacks by telling your web browser how to behave when it communicates with the bank’s website.
- Login (30%): Which? compared banks on the information they require to access accounts and how easy it is to recover usernames and passwords.
- Account management (25%): Which? tested security for setting up a new payee, changing your password, and editing account details.
- Navigation & logout (15%): Which? marked banks down for poor website session management if they let us access accounts from multiple browsers, IP addresses, or devices simultaneously.
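The "security best practice" metric above turns on HTTP response headers that instruct the browser: whether to insist on HTTPS, which scripts may run, whether the page may be framed, and whether session cookies may travel over plain HTTP. The following is an added example, not code from Which? or from any bank, showing the kind of header check a practitioner would run against a login or account page. The two header sets are constructed for illustration, and the thresholds (for instance an HSTS max-age of at least one year) are common guidance assumed here rather than the Which? scoring rules.

```python
"""Check an HTTP response's security headers against common best practice.

Added example: the header sets below are constructed, and the rules are
widely published guidance, not the criteria Which? applied.
"""
import re

MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds (assumed threshold)


def _cookie_findings(set_cookie):
    """Return findings for one or more Set-Cookie header values."""
    cookies = [set_cookie] if isinstance(set_cookie, str) else list(set_cookie)
    findings = []
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        missing = [f for f in ("Secure", "HttpOnly", "SameSite")
                   if f.lower() not in attrs]
        if missing:
            findings.append(f"Set-Cookie '{name}' lacks {', '.join(missing)}")
    return findings


def check_security_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively. An empty list means the
    response passed every check in this script.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: without it a first visit over http:// can be intercepted.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS missing: browser may be downgraded to plain HTTP")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below one year")

    # CSP: limits where scripts may load from if an XSS bug is found.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing: injected script would run unrestricted")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows 'unsafe-inline', weakening XSS protection")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Either CSP frame-ancestors or X-Frame-Options blocks clickjacking.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("No frame-ancestors/X-Frame-Options: page can be framed")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing: URLs may leak to third parties")

    # Authenticated pages should never be written to a shared browser cache.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store: account pages may be cached")

    if "set-cookie" in h:
        findings.extend(_cookie_findings(h["set-cookie"]))
    return findings


# Constructed responses: a bare login page and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_security_headers(hdrs) or "no findings")
```

Against a live site the same function can be fed the headers from `requests.get(url).headers`; run it on the login page and on a page that only appears after authentication, since the cache and cookie checks matter most there.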
Online Banking Security Ranked
You can view more detailed results on the Which? website, but here’s a quick overview of each bank’s overall scores:
- Natwest – 87%
- Starling – 87%
- HSBC – 80%
- Barclays – 78%
- first direct – 78%
- Nationwide – 74%
- Lloyds Bank – 69%
- Virgin Money – 68%
- Santander – 67%
- TSB – 67%
- The Co-operative Bank – 61%
The Most Pressing Online Banking Security Issues
As you can see, TSB and the Co-operative Bank scored worst in terms of mobile and online banking security. More concerning still, Which? discovered a “medium risk” issue in the TSB app, meaning other apps running on a user’s phone could read sensitive data belonging to the banking application. Essentially, the TSB app fails to store user credentials securely. Granted, TSB told Which? they are reviewing the issue and will consider a fix “in the future,” but this seems like an inadequate response given the flaw’s severity.
Similarly, the Co-operative Bank is the only provider that does not require two-factor authentication (2FA) or multi-factor authentication (MFA), although Which? points out that the bank relies on a regulatory exemption and uses “device profiling and behavioral data” to bolster security when necessary. 2FA/MFA are relatively basic security controls that any online service should require, and it is disappointing that a service as essential as banking fails to require them.
The issue is compounded by the fact that the bank allows users to set very weak passwords and returns different error messages depending on whether the username is valid. An attacker can use those differing messages to compile a list of valid usernames (username enumeration) and then try a handful of common passwords against each of them, a technique known as password spraying. Unlike credential stuffing, which replays username-and-password pairs leaked from other breaches, spraying needs no prior leak: a list of valid usernames and a weak password policy are enough.
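The following is an added example, not code from the Co-operative Bank or from Which?, showing how differing login error messages let an attacker enumerate accounts, how a uniform response closes that gap, and why a uniform response alone does not stop a password spray when weak passwords are permitted. The user database, candidate usernames and password list are constructed for illustration; the low PBKDF2 iteration count and the shared salt are simplifications for the demo.

```python
"""Username enumeration via error messages, and the hardened response.

Added example with constructed data; not code from any bank or from Which?.
"""
import hashlib
import hmac
import os

_SALT = b"demo-salt"          # real systems use a random salt per user
_ITERATIONS = 10_000          # deliberately low so the demo runs quickly


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed account store. "alice" chose a password that appears on
# common-password lists; "bob" did not.
USERS = {
    "alice": _hash("Winter2024!"),
    "bob": _hash("correct horse battery staple"),
}
# Hashed once so the hardened path does the same work for unknown users.
_DUMMY = _hash("placeholder")

UNIFORM_ERROR = "Invalid username or password"


def login_vulnerable(username, password):
    """Leaks account existence: a different message for each failure cause."""
    stored = USERS.get(username)
    if stored is None:
        return (False, "Unknown username")
    if not hmac.compare_digest(stored, _hash(password)):
        return (False, "Incorrect password")
    return (True, "OK")


def login_hardened(username, password):
    """Same message and same hashing cost whether or not the user exists."""
    stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(password))
    if username not in USERS or not match:
        return (False, UNIFORM_ERROR)
    return (True, "OK")


def enumerate_usernames(login, candidates):
    """Attacker step 1: any candidate whose failure message differs from a
    guaranteed-nonexistent username's message must exist."""
    _, baseline = login("nobody-" + os.urandom(4).hex(), "x")
    return [u for u in candidates if login(u, "x")[1] != baseline]


def password_spray(login, usernames, common_passwords):
    """Attacker step 2: a few common passwords across many accounts, which
    stays under per-account lockout thresholds. Returns (user, password) hits."""
    return [(u, pw) for pw in common_passwords for u in usernames if login(u, pw)[0]]


CANDIDATES = ["alice", "bob", "carol"]           # guessed, e.g. from a leak
COMMON_PASSWORDS = ["123456", "Winter2024!", "password"]

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        found = enumerate_usernames(fn, CANDIDATES)
        print(f"{name}: enumerated {found}")
        print(f"{name}: spray hits {password_spray(fn, found or CANDIDATES, COMMON_PASSWORDS)}")
```

Against the vulnerable endpoint the attacker learns which two accounts exist before spending any guesses on them; against the hardened one every candidate looks the same. The spray still lands on "alice" in both cases, which is why the uniform message needs to sit beside a password policy that rejects common choices, rate limiting, and the second factor discussed above.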
9 Ways to Protect Your Online Banking Account
Aside from choosing the most secure online banking provider based on the Which? research, there are other steps you can take to protect your online banking account. Here are nine:
- Use Strong Passwords – Create strong and unique passwords for your banking accounts. Avoid using easily guessable passwords like your birthdate or “123456”.
- Enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) – Enable 2FA or MFA whenever possible; this adds an extra layer of security by requiring not only a password but also a second form of verification, such as a code sent to your phone.
- Beware of Phishing Scams – Be cautious of emails, texts, or calls asking for your banking information. Legitimate banks will not ask you to provide sensitive information via email or text.
- Keep Software Updated – Regularly update your computer, smartphone, and banking app to the latest versions to patch any security vulnerabilities.
- Use Secure Networks – Avoid using public Wi-Fi networks for banking transactions. Instead, use a secure and private network, such as your home Wi-Fi or a trusted mobile network.
- Monitor Your Accounts – Regularly review your bank statements and transaction history for any unauthorized activity. Report any suspicious transactions to your bank immediately.
- Be Cautious with Links and Attachments – Avoid clicking links, scanning QR codes, or downloading attachments from unsolicited emails or unfamiliar sources, as they may contain malware or phishing attempts.
- Log Out Properly – Always log out of your online banking session when you’re done, especially when using a shared or public computer.
- Use Secure Devices – Ensure that your devices for online banking, such as your computer or smartphone, are secure. Use reputable antivirus software and lock your devices with a PIN or password.
All in all, consumers must do their research before choosing an online banking provider: it’s not a given that banks will do everything in their power to protect customer funds. Although banks will likely refund your money if you fall victim to a cyberattack, avoid the stress of reclaiming your money by choosing a secure provider and following the best practices listed above.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.