/ Money

How safe is online banking?

online piggy bank

In this world of ever-more sophisticated scams, it’s increasingly hard to know who to trust. How good is your online banking security?

If someone calls saying they’re from the police or the fraud division of your bank, what would they have to do to win your trust? If they knew, for example, the last five transactions on your account, would you believe they were genuine?

For most of us, the answer would be yes. And that’s why, in the ongoing battle against the scammers, it’s vital to keep your sensitive financial information secure so they can’t use it against you.

Online banking security

However, when we tested the online bank accounts of 11 volunteers, we found too many banks prioritising ease of log in over online banking security.

Several of them allowed our volunteers to access a light version of their account using only a few pieces of information that could potentially be guessed by fraudsters.

Once in, those criminals wouldn’t be able to move money directly without scaling another level of security, but they would have access to all sorts of personal information.

Our campaign on scams

Online fraud continues to rise at a staggering rate, as every new set of crime stats attest. In response, this spring Which? launched its Safeguard us from Scams campaign to encourage government and industry to do more to keep us all safe online.

Last month, we also submitted a super-complaint to the financial services regulator, calling for greater protection for consumers against bank transfer fraud.

This type of fraud has seen criminals trick victims into voluntarily transferring large sums, sometimes hundreds of thousands of pounds, with no legal right to reimbursement from their bank.

We think banks should do more to identify these high-risk transfers and protect customers.

We’ll keep fighting your corner, and while we do we’d like to hear from you. Have you ever been approached by would-be scammers armed with privileged information about you? Do you think your own bank is doing enough to keep your money safe?


Golden rules: never, ever divulge your access ID to anyone, even if they sound incredibly genuine. Always visit the bank itself if there’s any sort of major problem, never use an online banking model that doesn’t provide some sort of isolated security – i.e. a discrete key pad and never, ever, under any circumstance follow a link in an email.

On the transfer scam, by applying the above rules that would fail every time.

There’s a greater dimension to all this: society won’t function if we don’t trust one another, at least to some extent. It’s that inherent desire to trust, however, that offers criminals the easiest target. I don’t want to live in a world where we trust absolutely no one so what needs to change is the Bank systems. A good bank can pick up failed security checks for desirable items in seconds – literally. It happened to me a couple of days ago. The fault was with the Web site I was using (Canon UK) but it appeared as though the system was rejecting me for some reason. If the same system were applied to unexpectedly large transfers of money then this could be nipped in the bud.

I hardly use online banking though I am registered for it. I don’t use apps nor do I have the computer on all the time so it is often quicker and easier to settle a bill by cheque. The kind of security device that you to insert your debit card in I find easy to use. Another bank has given me a little key pad which I have only once managed to use successfully. Probably I forgot due to vey few movements on that account. So now I manage it by putting my card in the in branch machine.

This comment was removed at the request of the user

On a positive front, I have never had a problem with my online banking, debit or credit cards. They are extremely convenient and the likelihood of reimbursement if i have a problem keeps my confidence. I am particularly careful with online transfers to triple check that I have the correct account details and, where significant funds are involved, transfer ÂŁ1 as a test before moving the whole amount.

I do hope I don’t live to regret injecting this optimistic post.

One of my daughter’s is the only family member to have had funds withdrawn fraudulently. This was from fraudulent ebay transactions using her debit card details. The bank acted promptly and sympathetically to investigate the losses and made them good very quickly.

I was about to write something along exactly the same lines as your first paragraph, Malcolm. One should not be complacent but over-worrying isn’t much help either. As Duncan perceives, it is probably best not to reveal the methods used by criminals outside the security protection business which seems to be abreast of it if not quite on top of it.

I have absolutely no doubt that a hacker could get inside my computer at any time he/she wished and while they could do some damage financially, I wouldn’t be “cleaned out.” I have a fool-proof system in place: If it’s not there it can’t be hacked.

This comment was removed at the request of the user

Ps. When installing my security software on my new computer there was perhaps half a minute when it was not working. In that time I received a pop up to tell me that my credit card details were out of date and I should click and renew them. Not only did this provoke a full computer scan but it also elicited a few expletives.

So where’s my logo gone, has it been hacked?

I have not knowingly suffered from losses but I am not complacent and the amount of fraud indicates a need for action. I was an early user of home computers but late in the game with online banking. What made me start was fairer terms and conditions and a friend with the same bank as me received a prompt refund when money was taken from his account. I put security ahead of convenience and have no intention of using mobile apps for banking in the near future.

I have seen too many examples of elderly people being cheated by rogues. I try to avoid watching people at ATMs and supermarket tills but I have seen people produce bits of paper with four digit PINs or look up their PIN in a diary. I would not be surprised if some people have notes showing their login details for online banking, though it’s not something I have looked for.

Apropos bank security I just had the early email advertising the front page article in this month’s mag on Bank security offering a free peek (see it now).

There’s only one problem. Clicking on the article evokes a splash screen which offers the options “I’d like to subscribe”, Update”, and “Log out”. Now, you’d think that if the screen offers the option to “Log out” then it stands to reason that it must think you’re already logged in. Oh, no. Instead, clicking on the article icon takes you back to this splash screen . Now, I don’t want to subscribe. I am a subscriber and have been one for more years than I wish to remember . If I click on ‘Update’ it takes me to a screen inviting me to complete an online subscription trial. Why? I’m already a subscriber, which you’d think it would know, having offered me the option to log out.

This isn’t the first time this has happened, either. Combined with the irritating rigmarole required to get into the Members’ forum it does seem to me that the web designers need to get on top of things. Needless to say I’ll,await the magazine to see the article for which I was offered a ‘free peek’. But I doubt this plays well with the prospective subscriber.

This comment was removed at the request of the user

Of course, and increasingly drive-by payloads being dropped. But this is about Which’s site and its inability to operate properly. There’s quite a few legacy pages on the Which. co uk site which I suspect have never been properly dealt with.

This comment was removed at the request of the user

It’s allied to web site security in general, Duncan. Here we have the CA leading the charge for better security and yet their own site design is clearly flawed. This has nothing to do with Conversations: it’s to do with whichever segment of Which? the email was linking.

I noticed this e-mail from Which? offered a “sneak peek”! Surely something so well-organised and sent to subscribers directly can hardly be described as a “sneak peek”. A “sneak” peek or preview relates to something that the owners didn’t intend you to see and try to keep concealed but you have discovered behind the security screen or by looking under the blanket. At least Which? get the spelling right unlike some media [yes, BBC – I mean you] and some even manage to offer a “sneek peak”.

Withay says:
20 October 2016

Why was the Clydesdale Bank / Yorkshire not included?

This is a good article

As to banking on-line I think it is highly dangerous and people , like great schools of fish, are surviving as they have not yet been hacked. And some people will always make better targets as they provide through social media huge amounts of detail.

My wife has an on-line account and we have an off-line account which pleases her and accommodates my views on computer [in]security. If people were made more aware of the continuous stream of hacks going on every minute and the new infiltrators of Android phones they would perhaps realise that it is essentially an insecure environment.

I noticed in recent postings that people seem unacquainted with the Bank Draft which my Bank , Clydesdale, issue free to me up to ÂŁ100,000 per draft. This is what used to be used for completions and has the enormous virtue that the name of the payee is written on them and has to banked in an account of that name.

Not as convenient as electronic funds transfer {EFT} but much safer. Why has not Which? mentioned them?

P.S. log in should surely be log-in as the ” – ” is the accepted way to indicate where “in” relates to ” log”. However if Which? has a policy of dispensing with “-” and using portmanteau word like ” online” then ” login” would be logical. As would email , though I must admit I always thought epistle was so more apt.

I have no problem with the dropping of “-” for words relating to computing.

I cannot write words like “on-line” and “log-in” without their hyphens, but then I have always liked hyphens and use them where other people don’t. American usage includes many more hyphens than we are used to in the UK. I like “e-pistle” instead of “e-mail” and wish that had had become the standard term. It has a certain je ne sais quoi about it.

I used to write ‘e-mail’ but when compiling documents with a colleague, he suggested that we should move with the times and use ’email’. Online too. Essentially they are acceptable alternatives. What is inexcusable is to use more than one in any document.

This comment was removed at the request of the user

The Money Advice Service says:

“Using banker’s drafts and cheques safely

Be careful when accepting a banker’s draft. Especially for larger sums, due to the number of instances of fake drafts being presented. For example, for the payment of cars.
Banker’s drafts aren’t guaranteed against fraud. If you lose one or it’s stolen, someone else could use it fraudulently. Take extra care”

Bankers drafts are prepaid.
Buying a car privately is a typical case of how best to protect buyer and seller. The seller wants guaranteed funds before handing over the keys. The buyer wants to know they’ll get the vehicle as soon as money is exchanged. Because of fraud some buyers won’t accept bankers drafts. One way is cash, but travelling around with thousands of pounds in your pocket is nerve wracking, and many want to deposit it in a bank to ensure it is real money. When son no. 1 went on the train to collect a car, we transferred money into an account I happened to have with the same bank that the vendor used. The money was transferred to the vendor’s bank account whilst my son was with him, and the funds were seen to arrive online. Not perfect but somewhere trust is involved.

Common accepted usage seems to be “online” without the hyphen, and “login” for a noun or adjective but the action is to “log in”.

I do like to see us stand up for the English language that with all its quirks has stood over many years and developed with the times. I see it has been suggested (by Johnny foreigner) that the EU Brexit negotiations should take place in French. Sacre bleu! I do hope we Brits all stay on-message and on-side.

First Direct issue customers with a fiddly little keypad for online banking that doesn’t like finger nails and times out far too quickly. It is much quicker to pick up the phone and talk to someone. At least it has been, they have now introduced a voice recognition system that I have yet to take part in.

From your description, it sounds to me as though the Barclays bank “pin sentry” is a superior device then. They cetainly don’t time out too quicky and they cope well enough with my ham-fisted fingers.

TSB Bank is rubbish when dealing with issues of fraud. I placed an order for some items online but my card didn’t go through and they cancelled the order. I re-ordered and paid with a different card. Sounds great problem solved, well no! The company delivered the order I paid for and also sent me the cancelled order too, they took payment for this from the TSB Card. I contacted the retailer and asked them to organise and pay for the return of these items, but they ignored my request. I ended up with an extra set of items I didn’t need or want. I cancelled my card and requested that the bank step in. Firstly the bank was very slow in refunding the money. This retailer then sent me more items and took money again from my card despite it being cancelled, the bank made the payment. As the retailer was non EU I only had my bank to help me but despite me showing proof to the bank that I was not at fault, they sided with the retailer and made full payment to them. I’ve always stated that the company can have their items back but they must either pay or organise the return . TSB lost my trust and treated me like a criminal, shame on you!

This comment was removed at the request of the user

This might appear at odds with my previous mutterings about Which?’s odd site behaviours, but it might provide some food for thought .

The internet has acquired something of a bad press overall, given its ubiquity means it’s become the easiest conduit for the ne’er do well. I suspect it achieves at least as much good as it does bad.

The cloud’s also interesting. It’s become slightly mytholigised in an almost magical way, and I suspect it may be very much the same way that the first banks were regarded by those who traditionally secreted their wealth beneath the medieval equivalent of the mattress. Is it 100% secure? Of course not, but it’s at least as secure as snail mail and possibly more so.

The internet and computing represent fundamental cultural and societal shifts on an unprecedented scale (although the Black Death was possibly almost as significant). But there’s no doubt that they’ve changed the world beyond what any time traveller from, say – the late 19th C would recognise. And whenever a shift even approaching that magnitude has occurred throughout human history those would take advantage of their fellows have appeared and manipulated those changes to their own benefit.

So I suspect we may be inclined to take a disproportionately wary view of the entire thing. One irony of the entire change has been that we hear far more rapidly and effectively about those who have become victims to the unscrupulous, so that in a sense the internet has become the very embodiment of the fears many harbour when, in fact, it’s possibly no more dangerous than crossing the road. And quite possibly less so.

In specific regard to iCloud, Apple routinely employs end-to-end encryption on the entire system (I have no idea what others do) and the most important passwords and user names I don’t commit to the cloud, preferring instead to keep them on individual computers in an encrypted form. So I suspect iCloud is as secure as we need it to be for the less vital stuff and Apple’s own disc image encryption system has weathered governmental attempts to decrypt it, so I’m happy with that.

So yes; a healthy suspicion about internet and cloud associated functions is probably a good idea – at least as good as the normal caution you employ when entering your pin in a public space or withdrawing cash from an ATM. But overall I suspect we’re safer these days than at most times in human history.

This comment was removed at the request of the user

It’s a lot safer than the postman; most of the time the mail gets delivered to the right address. Not so with the post. But I didn’t say the internet was getting safer. It’s simply society working electronically, and in society you have both bad and good and a lot in between. I was arguing that we become too hysterical over the bad bits. I’d be more impressed if people were as exercised over road traffic deaths and injuries. Sadly, they’re accepted as part of modern living.

I think Ian in his well-rounded post has put a valid case for the scaring side of the Web . I am a great fan of the likes of Wikipedia and all the sites that bring good things, and even reputable sites that report on the bad side.

However he has made a distinction that ” But overall I suspect we’re safer these days than at most times in human history.” I think he is too sanguine as what is under-estimated is the multiplying effects that technology supplies the villains with. Of course if you are banking or carrying out electronic transactions you are moving into the arena where these multiplier effects are evident.

Same number of villains give them the means to trawl for 1000 times more victims per day ……

Despite any assurances to the contrary if you understand that the security services and some black hats can crack any computer remotely you are far far nearer the truth than believing you are safe from any hacking.
As I have said with so many millions of targets going for the big fish is currently the most lucrative method of operation – and long may it be so for our sakes.

I dislike being a wet blanket in the wonderful world of technology but Banks are not going for electronic cards etc etc other than for reasons of profit. Worrying over security always comes after the product has been released – and in the intervening time they will hopefully, for them, closed more branches, and destroyed the cheque system so we will have minimal alternatives to their re-fashioned cheaper operation.

And as of yesterday:

The reason I said I believe we’re safer now is simply because we are. When was the last time you were robbed on the highway? Got an infection that killed you (probably never, true…)? Were thrown out of your home by the Laird? Were tortured for your beliefs? Were examined as a witch? Were sent to a workhouse?

Yes, there are issues on the internet and the combination of its ubiquity and people who somehow believe everything they read on the internet has proved troublesome. But I seriously doubt many have died through it; normally, it’s only financial deprivation that occurs and, providing you haven’t been unbelievably daft, the banks will normally reimburse you.

Using the internet requires a mix of common sense, knowledge, learning just as with other things in life. On the whole I also believe it is relatively safe – but that is only from my own experience where I have never had a problem.

Perhaps we should be taught how to use the Internet safely while at school – it is one of the life skills need, like basic arithmetic.

Teaching school kids about internet safety is useful but in the same way that mobile phones are forever changing, so do the security risks. You have to keep ahead of the game. Like you, I have not knowingly had a problem, but past performance is not an indicator of future performance.

I believe that the any financial organisation that is still sending out emails with links and phone numbers is compromising the safety of its customers or potential customers. The problem has been known for years and the solution is simple. The customer should instead follow common advice look up the phone number or email address (taking care to avoid rogue websites) and contact their bank etc. It really is that simple, and that precaution will not go out of date.

I’ve been rung a couple of times by my bank and made them jump thru hoops each time and I was so of expecting a call too. I did get a call from a cc company, but I refused to talk to them, so I rang them back, and yes my cc had been used for fraud. Turns out the local petrol station was at fault.

On the whole internet banking should be safe unless you insist on having it on your phone, tablet etc which are easily misplaced. Or you have it on a non secure PC which you use for everything and his dog. So I use a 2nd PC for online banking/shopping and nothing else.

Susan Batey says:
21 October 2016

The bank I use (an online bank that has received a lot of awards over the years) has recently upgraded it’s system and while it was frustrating initially to deal with the extra security details required and also being entered, I am pleased to say there is no stinting; if the slightest entry isn’t done clearly, which means more slowly so as not to slur keys, you cannot get entry. I am pleased to say that this makes me feel more secure, so well done ‘my’ bank.

Lots of discussion about web safety, common sense usage and bank security measures here. All well and good, but going back to basics, the internet has spawned a new generation of crooks who can operate without getting caught. They may be state sponsored, criminal organisations or just individual chancers, but until I read about the successful prosecution of some of these people I know who is actually winning out there. I suppose we just have to get on with our on-line business and dodge these fraudsters as best we can.

This comment was removed at the request of the user

The amount of interest the banks and credit-Card companies are charging, is very exorbitant, I would like it if you can force the banks and Credit-Card companies to reduce their interest rates down to a mere 2% instead of charging customer’s 39.9% each and every month thank you.

Norman, best way to use a credit card is to pay it off in full each month; you then pay no interest. Otherwise, if you need to borrow money, a personal loan from the bank will be a lot cheaper. The problem is if a system deals with people who are not credit-worthy – likely to default – a higher interest rate reflects the risk. Lower risk people pay significantly less than 39.9% – typically 18.9% – but still a silly price to pay when my bank offers a personal loan for 4.9%

There is no need for any of this palaver… Just change to First Direct Bank who are open 24hrs a day 7 days a week. Including Christmas! You get through to a REAL person IMMEDIATELY , who will ask you for your Post Code followed by some prearranged personal information etc.
I am 86 years old, and I have been delighted with the way in which they have dealt with any problems which have arisen ….

already posted.. See ABOVE !!!

I totally agree with your comments on First Direct Patrick. They have to be one of the best call centres I have ever dealt with. I joined them in October 1989, the month they started, and they are still as professional, helpful and available when you want them as they ever were.

Have you taken part in their voice recognition security yet?

I am a great admirer of First Direct myself. Worth bearing in mind the monthly income to be a member.

As to voice recognition systems – surely the architecture they use to be able to match a voice is something that can be reversed engineered so recordings of speech can be cut and changed? I am not suggesting it is easy by any means just that within its smartness there is the glimmer of an attack vector.

There is, if you like, the interesting spectre that having given voice prints, thumb prints, photos, financial information, etcetc one has to trust that one’s government is always benign. Perhaps accidentally people might be exiled into limbo when their online ID is accidentally or maliciously hacked or even lost.

Patrick T, I’m not sure exactly without looking it up, but if you have other First Direct products like their credit card, or could be a savings account or ISA (it might have to be 2 products) the minimum monthly income is waived.

“Top techies at British banks are being encouraged to share information about cyberattacks following revelations that the financial sector is under-reporting breaches to regulators. According to the UK’s Financial Conduct Authority, only five attacks were reported in 2014, a figure that has soared to 75 so far this year. But …”


Am I surprised that UK banks are not fully reporting breaches? The article published on the 18th October. Worth reading the comments.

The banks should be placed under a legal obligation to report all forms of external interference with their systems.

I agree. Like other commercial organisations they are exempted from Freedom of Information requests. At the very least, companies should be required to provide prompt information to appropriate authorities. Likewise Whirlpool and the VW Group should provide all relevant information needed for a full investigation.

Hello my friend my HSBC got me in deep derbt because I have keep taking money out when I had no money so I had big problems paying my house bills and I suffer with learning disabilities got not helpful so bully me more my friend so wants to a new bank and they a more helpful and more careing from my 20 year + and that angry me more they now I him very disabled man my God bless

This comment was removed at the request of the user