
Which? finds worrying gaps in online banking security


Which? found serious vulnerabilities after testing 16 of the biggest UK banks on the security of their online banking systems.

27th Jan 2021

Consumer watchdog Which? found “serious vulnerabilities” in its 2021 security investigation of online banking and mobile banking services at major banks and building societies. 

Volunteers carried out a series of tasks as part of the security test, while experts from cybersecurity firm 6point6 tested each bank's defences. Which? assesses security across encryption, login, account management, navigation and logout.

“Worrying gaps” were found at Santander, Tesco Bank and TSB, among others. Issues ranged from missing security headers on webpages and weak encryption to failing to block testers from logging in from multiple networks and failing to log testers out.

Starling Bank’s recently launched online banking service was ranked as the most secure among the UK’s 16 leading banks. Which? gave the top UK fintech an 85% security test score, with Barclays, First Direct and HSBC following close behind at 78%.

“Most Starling customers run their accounts from its smartphone app but our experts found nothing concerning with its recently launched online banking website,” commented Which?. “Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption.”

Monzo, Nationwide and TSB all failed a fraud test to detect whether their apps were running on an emulator or rooted device. Monzo argued that this wasn’t a security concern as many other banks’ root or emulator detection could be unreliable.

Tesco Bank worst for banking security

Tesco ranked lowest of all with a score of 46%. Consultants from 6point6 found multiple missing security headers, which protect against cyberattacks by telling your browser how to behave when it communicates with the website.

The probe also uncovered an internal staff website that was accessible from anywhere. “It should never have been visible to our testers as it can give scammers a way in,” commented Which?. Tesco Bank users can save a trusted device instead of entering a one-time passcode (OTP) at every login. The option never asks customers to re-authenticate that device and offers no way to edit a list of trusted devices.

Tesco also failed to block 6point6 from logging in to the website from two computer networks at the same time. “And we weren’t logged out when we switched to a different website or used the forward/ back button to leave the session and return to it,” the testers added.

TSB comes under fire

For the second year in a row, TSB received one of the lowest scores in the Which? security test, scoring just 51%.

Which? has been a longstanding advocate for banks to use a second authentication factor at login. This is now enforced under regulations known as strong customer authentication (SCA), “yet we found that one bank – TSB – has failed to fully implement this crucial layer of defence,” Which? stated in its report.

When Which? reported TSB’s non-compliance to the Financial Conduct Authority (FCA), the regulator responded that it would not comment on specific firms and would not confirm whether TSB or any other firm had been granted an SCA extension in relation to online banking.

Other issues included outdated transport layer security (TLS), the protocol that encrypts traffic between the customer and their bank so that nobody else can read it. Which? also pinpointed a missing security header that would lessen the impact if an attacker injected malicious scripts into trusted pages, an issue flagged last year as well.
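As an added example (not code from Which?, 6point6 or this article), here is a small Python audit of the kind of browser-protection headers the text refers to, covering both the missing headers noted at Tesco Bank and the script-injection mitigation noted at TSB. It takes a response's headers as a plain dict and reports which expected headers are absent and which present ones are set weakly. The header list, the thresholds and the two sample responses are this example's own constructed choices, not the criteria used in the Which? test; the header that limits the impact of injected scripts is Content-Security-Policy, which the article does not name but the check covers.

```python
"""Security-header audit for a single HTTP response.

Added example for this article; not code from Which? or 6point6. The header
list and thresholds are this example's own choices, not the test's criteria.
Input is a plain dict of response headers, so it runs offline against the
constructed samples below; for a live check pass dict(response.headers)
from any HTTP client.
"""
from __future__ import annotations

# Headers the audit expects, each with a note on what it tells the browser.
EXPECTED_HEADERS = {
    "strict-transport-security": "always connect to this site over HTTPS",
    "content-security-policy": "restrict where scripts and other resources may load from",
    "x-content-type-options": "do not second-guess declared content types",
    "x-frame-options": "do not render this page inside another site's frame",
    "referrer-policy": "limit the URL details leaked to other sites",
}

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # seconds; example threshold, not a standard


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive-name: [source tokens]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Report expected headers that are missing, and present ones set weakly."""
    norm = {k.strip().lower(): v.strip() for k, v in headers.items()}
    missing = [h for h in EXPECTED_HEADERS if h not in norm]
    weak: list[str] = []

    if "strict-transport-security" in norm:
        if _hsts_max_age(norm["strict-transport-security"]) < MIN_HSTS_MAX_AGE:
            weak.append("strict-transport-security: max-age shorter than 180 days")

    if "content-security-policy" in norm:
        csp = _csp_directives(norm["content-security-policy"])
        # script-src governs script loading; default-src is its fallback.
        script_sources = csp.get("script-src", csp.get("default-src"))
        if script_sources is None:
            weak.append("content-security-policy: neither script-src nor default-src set")
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            weak.append("content-security-policy: script sources allow 'unsafe-inline' or *")

    if "x-content-type-options" in norm and norm["x-content-type-options"].lower() != "nosniff":
        weak.append("x-content-type-options: value is not 'nosniff'")

    if "x-frame-options" in norm and norm["x-frame-options"].lower() not in ("deny", "sameorigin"):
        weak.append("x-frame-options: value is neither DENY nor SAMEORIGIN")

    return {"missing": missing, "weak": weak}


# Constructed sample responses (not captured from any real bank).
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}

SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        report = audit_headers(sample)
        print(f"{label}: missing={report['missing']} weak={report['weak']}")
        for name in report["missing"]:
            print(f"  add {name}: {EXPECTED_HEADERS[name]}")
```

Run against the weak sample it reports two absent headers and a CSP whose script sources permit inline scripts, which is exactly the configuration that leaves an injected script with full effect; the hardened sample passes clean. Presence alone is not enough, which is why the audit also inspects values.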

“Our experts noted that scripts loaded from eight external sources (although one was its parent company Group Sabadell),” commented Which? “This was the most of any bank tested by some margin.”

“Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised,” said Which? Magazine editor Harry Rose.

“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”

Starling’s Boden hits out

Following Which?’s security test, Starling Bank CEO and founder Anne Boden publicly criticised the UK government’s decision not to include financial fraud in its new online harms bill. Boden said banks will have to carry the can for all sorts of fraud, while players such as telcos and social media platforms get a free pass.

The online harms bill intends to improve internet security by levying massive fines on transgressions in areas like terrorist content, child sex abuse, hate crimes, cyber-bullying and the dissemination of fake news. Despite calls from campaigners and UK Finance, financial fraud has not been included in the bill.

“In this context, banks seem to have become the underwriter of all kinds of fraud that are not really financial fraud at all,” commented Boden. “If a consumer buys a pair of trainers online from a site advertised on a social media platform that takes their money and runs, this is not financial fraud, it’s purchase fraud.

“Yet the banks are the ones asked to repay the customer for the non-existent trainers, while the social media platforms the fraudsters advertise on do nothing. Criminals wouldn’t be allowed to advertise on traditional media with such impunity.”


Replies (1)


By graemep
28th Jan 2021 10:40

I would bet the mobile apps are a lot worse: they are far harder to do right, they are far harder for a third party to scrutinise, and they are dependent on the security of the underlying platform and mobile devices have a higher risk of that not being updated.

Tesco being worst is hardly a surprise. They got compromised because no one bothered to update the underlying software (the web server, to be specific).
