
How safe is online banking?


In this world of ever-more sophisticated scams, it’s increasingly hard to know who to trust. How good is your online banking security?

If someone calls saying they’re from the police or the fraud division of your bank, what would they have to do to win your trust? If they knew, for example, the last five transactions on your account, would you believe they were genuine?

For most of us, the answer would be yes. And that’s why, in the ongoing battle against the scammers, it’s vital to keep your sensitive financial information secure so they can’t use it against you.

Online banking security

However, when we tested the online bank accounts of 11 volunteers, we found too many banks prioritising ease of log in over online banking security.

Several of them allowed our volunteers to access a light version of their account using only a few pieces of information that could potentially be guessed by fraudsters.

Once in, those criminals wouldn’t be able to move money directly without scaling another level of security, but they would have access to all sorts of personal information.

Our campaign on scams

Online fraud continues to rise at a staggering rate, as every new set of crime stats attests. In response, this spring Which? launched its Safeguard us from Scams campaign to encourage government and industry to do more to keep us all safe online.

Last month, we also submitted a super-complaint to the financial services regulator, calling for greater protection for consumers against bank transfer fraud.

This type of fraud has seen criminals trick victims into voluntarily transferring large sums, sometimes hundreds of thousands of pounds, with no legal right to reimbursement from their bank.

We think banks should do more to identify these high-risk transfers and protect customers.

We’ll keep fighting your corner, and while we do we’d like to hear from you. Have you ever been approached by would-be scammers armed with privileged information about you? Do you think your own bank is doing enough to keep your money safe?


I have thought for 40 years now that bankers are inherently dishonest people, they must be regulated more vigorously.

joyce says:
29 October 2016

I like my bank

Rather not say as this is personal says:
29 October 2016

I have a reasonably positive experience of banking – but my daughter – who has mental health difficulties which affected her ability to deal with money was put into spiralling debt due to a) a lack of duty of care b) unfair bank charges. She still has these debts.

The one-time passcode does not work for everyone.
My bank has tried sending me texts for this, but mobile reception is so poor where I live that either the text takes so long to arrive that the connection to the bank is timed out or I have to move so far away from the house that by the time I return the connection has timed out again!

My local branch of Lloyds has just closed. I didn’t need to use it much but whenever I did it was always busy with local traders.

Raymond says:
30 October 2016

I bank with the Nat West and find the front line staff really helpful and customer care focused. It is the higher management of the bank I feel are not competitive enough with their core products. Although banks like Nat West and the other main institutions are predominant, I always feel they are complacent. They do not appear to be concerned about creating innovative and effectively competitive products and you are obliged to look elsewhere. I think they rely on customers staying loyal and not wanting to be bothered with changing banks.

I had a Barclaycard Visa credit card payment declined today.

I made an online purchase with it this morning, then later completing a purchase by phone, payment was declined twice. I managed to complete the purchase with another very lightly used Barclaycard Visa credit card.

Puzzled, I logged onto Barclaycard worried that my card had been used without my knowledge, but it looked fine, the balance was low with thousands of credit left.

So I phoned Barclaycard and spoke to their call centre in India. I had been selected for a fraud check for my convenience. WT*?!?!? I was told there was nothing to worry about and my card would be working again soon. They even gave me a phone number to get straight through to their fraud department in India if it happened again.

Sorry Barclaycard, but it was very inconvenient and embarrassing to have a payment declined. They had sent 2 texts to my mobile, but I hadn’t noticed them.

The first one said ‘This is Barclaycard, we’re doing a Fraud check on your card. Further texts from us will be from 07537….. DECLD after a transaction means it was declined.’

The second said ‘Reply ‘Y’ if ALL are yours or N if ANY are not.’ Then it gave 3 transactions.

I had to stop the call centre from paying my declined payments. They had a bit of trouble understanding I had already paid it with another card and it didn’t need paying twice more.

Something similar happened to me when I was in Iceland without our eldest and my wife was at home with the youngest. The bank stopped the card without wanting. When I returned home, they explained that they noticed the card ‘being used abroad’ and had no response to their texts, so stopped it. I had to point out that not only had I told them in advance of the planned trip and made special mention of the fact that the shared card would be used both abroad and at home during that period, but I didn’t have a mobile, so the texts were never seen.

Needless to say, they compensated me but that should never have happened.

I don’t like the way the world now assumes that we are constantly on our phones checking for messages. I don’t give my mobile number to any commercial organisation unless there is an exceptional need for it. If a company does send a text warning of an intentional service withdrawal they should at least not execute it until confirmation has been received. Who came up with the notion that the default mode is “Go ahead regardless”? If I were in your shoes Alfa, I would put Barclaycard in the bin.

It happened to me yesterday too. Except my lightly used card was declined as well. I am deeply suspicious of their logic. Apparently there is a lot of fraud involving gift cards – I was trying to purchase one.

We are constantly reminded to reject emails, calls and texts from fraudsters pretending to be banks. Yet one of the banks was phoning me all day. Had I the inclination and the technology, I could easily have recorded their messages and set up a series of fake phone calls to unwitting victims. A simple text or recorded message to visit my local branch or check their website for a number and call from another phone would however make sense.

Banks need to operate a big sense check on their actions and change their processes.

This comment was removed at the request of the user

The only time I’ve had my card transaction queried by my credit card company was by a phone call to my mobile, which is much more likely to get my attention than a message. I appreciated the interest.

Many seem to assume that our only form of communication is by mobile, and that we all have smart phones implanted on our ear. Several companies contact you when they are firming up a time for a delivery, service or something. Despite giving them a landline number they seem only capable of leaving messages on my mobile, which I regret is not always about my person. My landline is capable of taking text messages – converted into robospeak.

The Internet of Things has been publicised in the UK – Voltimum for example – for several years now. Because many like novelty, and have to keep up with the “latest technology”, it is inevitably going to be part of our lives. Apparently passwords are factory set on such devices and difficult to change, but it is possible and users are advised to do so. Who will? My guess is a very very small minority. But should I worry if there is a cyber attack on my fridge? More worrying is how industry and government will deal with it. We are now spending money – a couple of billion – on cyber defence and offence. I hope this goes to our universities where decent brains reside and not to multinational consultancies who seem to exist only to borrow your watch and then charge you when you want to know the time – and probably get it wrong.

This comment was removed at the request of the user

Thanks duncan. One of the products cited where user password protection should be used to overwrite the factory one was internet-connected cameras. I agree this type of device is vulnerable.

In the past, we have had credit cards stopped when abroad because of unusual activity. So we started informing them before travelling only to be told there was no need to. We can’t win !!!

I also don’t like the assumption we are always on our mobile phones. Scammers use mobile phones too.

Recently on TV (might have been Rip-Off Britain) showed how scammers got information from you bit by bit to build up enough information to log onto your account and change all your details including your phone number. So had the text gone to a scammer, I would have been none the wiser.

The phone call to the Indian call centre was slightly bizarre, and had I not been the one to instigate it, getting the number from Barclaycard’s website when I was logged in, it occurred to me they sounded more like scammers than a professional financial outfit.

According to the sentiments in a parallel Conversation, banks are not Big Business – they are tinpot pipsqueak outfits run by crooks and dimwits with about as much savvy as a brainwashed sloth. Maybe it’s about time we stopped regarding them as clever, capable organisations deserving of the accolade ‘Big Business’. Time for them to grow up, act their age, and behave Big [as in ‘generous’].

John, my bank, as far as my dealings with them, has behaved as I would expect of it. I have no complaints. The danger is we take the actions of some miscreants and then use that to condemn the whole banking system. I am rather on my own, it seems, in expecting customers also to behave responsibly. But that is life; we all have different approaches.

I hope the CMA will put some less attractive banking practices out to grass and get them to introduce better, clearer and justifiable ways of dealing with customers.

I am also extremely satisfied with the conduct of the Nationwide Building Society that operates my current account and other facilities. In my tirade above I should have distinguished mutual organisations, who respect their members and usually give a little extra, from purely commercial companies, which are solely driven by profit and cost reduction [notice the distinct use of ‘who’ for the former and ‘which’ for the latter!]. It is possible that the mutuals also attract a more responsible customer as they have a direct personal stake in the society. Demutualised building societies like Santander [ex Abbey National] and the Halifax [now under Bank of Scotland] seem to be trying to offer the best of both worlds but at the end of the day they are both banks and act accordingly when it suits.

Sorry for the duplication 🙂 Sorry, it is now triplication 🙁 My first effort seemed not to go through, then got an “unexpected token Y” message. I wonder what that means? I have had “unexpected token D” when I’ve accidentally sent the same comment twice. Hope this is not the beginnings of a cyber attack.

I’ve just had a message held in the queue for moderation. Nothing unusual there – but it did not contain a link. 🙂

wavechange, the first of my triplicated comments above also was sent to the moderators, for no reason.

This comment was removed at the request of the user


Are they being done by the N. Koreans, GCHQ or the CIA?

Not a clue duncan. I did have a problem opening “View account” in my online Which? account and I got a message I did not understand. However that has now put itself right. So I expect someone is tinkering with Which?’s equipment.

I have just gone through several fraught hours of reinstalling Bullguard, when my ISP told me to, after a problem opening it. It turned out, when I contacted Bullguard directly, that there was a problem being resolved between their servers and my ISP. I’m not a computer whizz so these episodes do tax me. I did complain and I’ve been given a month’s fee-free broadband. 🙂

This comment was removed at the request of the user


Karen says:
2 November 2016

Do not understand why my overdraft cannot be increased if my account is in debit – that’s when I need it so listen to my needs not your procedures!

Karen, banks will let you apply to increase your arranged overdraft limit, often online, if you find it insufficient for your needs. They will, no doubt, assess whether you can deal with a larger debt.