Starling top, Tesco Bank flounders in Which? online banking security survey

Starling Bank has come top of a Which? survey into the security of online banks, with major names such as Tesco Bank, TSB and Santander at the bottom.

The study carried out by the consumer website, in conjunction with research group 6point6, looked at how safe the online banking measures were for customers, including a number of tests such as how secure the login process was, whether multiple users could access an account at the same time and whether the service was automatically logged out when users visited other websites.

…a number of tests [were looked at] such as how secure the login process was, whether multiple users could access an account at the same time and whether the service was automatically logged out when users visited other websites.

The study was primarily focused on web versions of online banking, but apps were also scrutinized as part of the process. The tests carried out on mobile banking apps were done to see whether they would run on emulated or rooted devices, which are more prone to security issues.

Tesco Bank was the worst rated, specifically for not logging customers out when they left the site before returning, and for allowing two computers on completely different networks to access the account at the same time.

Tesco Bank told Which?: “The security of our customers' accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.”

“Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards. We use the latest technology to protect and manage the security of online banking and our mobile banking app and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.”

We use the latest technology to protect and manage the security of online banking and our mobile banking app and all our controls are constantly reviewed

Tesco Bank spokesperson

TSB’s flaws were around the failure of the bank to adhere to regulations on Strong Customer Authentication (SCA) that were introduced in March 2020. While these regulations require a second stage for banking logins, such as a code sent to a user’s phone, TSB has not yet rolled this out to their desktop site.

Santander were third-from-bottom, with issues around those authentication checks when a customer logs in — it was found that they could be bypassed in certain scenarios, potentially allowing fraudsters to access accounts with limited information.

Santander defended its position and explained that only “customer-facing elements of security” were covered by the study, while they have many more measures in place that customers don’t see.

Behind Starling Bank in first place, which scored 85% in the tests, Barclays, First Direct and HSBC were tied for second place, passing 78% of the requirements. At the bottom of the table, Tesco Bank only scored 46% in the tests.

In order, the banks placed as follows: Starling (85%), Barclays, First Direct, HSBC (all 78%), Natwest/RBS (76%), Nationwide (74%), Metro Bank (71%), Virgin Money (68%), Lloyds/Halifax/Bank of Scotland (67%), The Co-operative Bank (65%), Santander (62%), TSB (51%) and Tesco Bank (46%).

In the mobile banking app world, Monzo, Nationwide and TSB all worked when run on emulated or rooted devices, although Monzo disagreed with the findings, arguing that other banks’ emulator detection was unreliable and did not work consistently and that it wasn’t a security issue anyway due to the login requirements.