
Through the hacker’s eyes: how to bank safely online

Password screen

Our latest test of online banking security found many have improved since last year. That’s not to say you should rest on your laurels. Here’s Ken, one of the hackers who helped us, on how to protect yourself.

Every year Which? looks at the security of online banking for the largest UK retail banks.

Here’s the thing: they’re all pretty good nowadays and successfully hacking your account is getting harder. Hence hackers are targeting the easiest way into your account: you!

So here’s some advice on what you can do to protect yourself:

1. Install anti-virus software

Make sure you have some decent anti-virus security software installed. Some even include safe browsing tools and link scanners that can stop you clicking on dodgy websites that could infect your computer and steal your banking password.

2. Keep your computer and phone up to date

This is really, really important. No really! Every time an update comes along, say for Windows/Mac or iPhone/Android, Adobe Acrobat, Java or whatever applications you have installed, install them.

The software vendor tells you ‘here’s an update with new whizzy features’. But what they could mean is ‘we made a mistake and there’s a security flaw in the version of software you’ve got currently, so here’s a version that fixes that’.

Puts a different light on updates, doesn’t it! It’s estimated that 90% of successful hacks are a result of someone forgetting to install an update.

3. Sort your passwords out

They’re such a pain to remember, aren’t they? The problem is that people re-use passwords all over the place. Is your password for Facebook the same as for another website? Do you use the same password for Amazon, or somewhere else?

You might have a really complicated password that has nothing to do with your cat’s name or anything else about you. Here’s the problem though: retailers keep getting hacked, and your passwords get stolen. The hacker steals one password and tries it on loads of other sites you might use the same password on. Bingo, they’ve got access to your account. Pray you have a different password for your bank account.

One easy way to fix that is to use a ‘password vault’. This is a software application or service that manages your passwords for you. It creates complicated, unique passwords for you, then manages the log-in process for you. So much easier! You just need to set one complicated password to make it work and the rest is easy. There are some minor downsides (like putting all your eggs in one basket) but this is usually way better than re-using passwords.
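To show what a password vault actually does with that one complicated password, here is a toy vault added as an illustration (it is not code from the article or from any real vault product): the master password is stretched into a key locally, each site gets its own random password, and only encrypted data ever leaves the machine. Real vaults use AES for the encryption step; because the Python standard library has no AES, an HMAC-SHA256 keystream stands in for it here, which is an assumption of this example only.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Toy vault added for illustration (not from the article). A real vault such as
# KeePass or LastPass encrypts with AES; the standard library has no AES, so an
# HMAC-SHA256 keystream stands in for it. The structure is what matters here.
ALPHABET = string.ascii_letters + string.digits + "!$%&*+-=?@^_"


def derive_key(master_password, salt, rounds=200_000):
    """Stretch the one master password into a 32-byte key (PBKDF2-HMAC-SHA256).
    The master password is only ever used here; it is never stored or sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds)


def generate_password(length=20):
    """The complicated, unique per-site password the vault creates for you."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _keystream(key, nonce, length):
    """Deterministic byte stream from key+nonce, used as the stand-in cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_password, salt):
    """Separate encryption and authentication keys derived from the master key."""
    key = derive_key(master_password, salt)
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt_vault(entries, master_password):
    """Encrypt-then-MAC. Only salt, nonce, ciphertext and tag leave the machine."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(blob, master_password):
    """Returns the entries, or None if the master password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = _subkeys(master_password, salt)
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))
```

The one basket the article mentions is the master password: whoever has it and the blob can open everything, which is why the derivation is deliberately slow and the password must be both long and unique.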

4. Watch out for phishing emails

If the email has a scary tone – ‘your account has been hacked’, ‘urgent action required’, ‘click here immediately to check if these transactions are fraudulent’ sort of thing – then there’s a high chance it’s a phishing scam. If you’re worried, phone your bank or the retailer involved using the number you usually use. Just make sure you don’t click on the links!

5. Dodgy phone calls

I don’t care how legitimate or official they sound, hang up. If you’re concerned, phone up whoever they claim to be using their official number. And use a different phone from the one you were called on, as a common scam involves fraudsters staying on the line when you think you’re talking to your bank.

6. A technical recommendation

It’s a good idea to try using Google Chrome or Firefox, and not because Internet Explorer isn’t a good web browser. It’s because most home users use it. Hence, when hackers write tools to hack browsers, they generally write them for IE because that’s one of the most common browsers.

Do you trust your bank’s online security? Has your account ever been hacked? Do you have any tips of your own to share?

Which? Conversation provides guest spots to external contributors. This is from Ken Munro, a senior partner at Pen Test Partners, the ethical hackers who helped analyse banks’ online security in our test. All opinions expressed here are Ken’s own, not those of Which?.


I read somewhere the other day that bank fraud has gone up 70% in the last year, even in spite of banks now issuing things like keyfobs etc. All down to people trusting cold callers on the phone.

See http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/11091524/Online-banking-fraud-up-71pc-despite-rise-of-log-in-gadgets.html

And I’m not sure I agree with the wording in your point 2. Particularly “Java or whatever applications you have installed, install them.” Yes you’re right, but, and it’s a big but, it’s very easy to trick people into downloading a fake Java update just because a message flashes up on the screen. Flash ads are a nightmare for allowing hackers to put these sorts of things up for the unwary to click on. Same for Adobe etc.

And your point 5. Just treat every phone call as a potential scam call unless you recognise their voice. If you don’t then make them prove they are who they say they are. If they’re legit they should be pleased you’re making them go to the effort.

I had a phone call from the “London Advisory Board” the other day, and I asked the caller to prove it; her reply was “I just told you”. Sorry, not good enough. She then gave me a number to call her back on; well, for one, it wasn’t even a London number, and on googling it, it was listed against loads of scams. The real London Advisory Board even has a warning on their website about scam callers using their name.

Regarding point 3, it’s important to remember that banks don’t allow you to store your passwords within a password manager as they still class this as writing them down. If a customer did this, suffered a breach, and told the bank they were using a password manager, they may not be covered for any losses.

An example of this policy can be seen in section 3.5 of Halifax’s terms and conditions, which states: “You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or let anyone else know your password, identity details or additional security details, and the fact that they are for use with your accounts.”

I believe this is a stupid policy from the banks as it’s impossible for someone to memorise extremely strong passwords such as kdmn87$!£d,O. Even more so if you hold accounts with different banks.

Password managers like Lastpass, Keepass, Dashlane etc should be encouraged by the banks as a safe way of storing our login credentials instead of the trite statement about remembering a long string of uppercase, lowercase, digits and special symbols which very few people can do.

Forgot to add the page I took the Halifax text from – http://www.halifax.co.uk/aboutonline/onlineconditions.asp

Are password managers really that secure? Most people, me not included, assumed the cloud was secure and as certain celebrities can now attest, it wasn’t.

I hate to suggest it, but writing a password down and storing it in a locked safe is probably safer.

I’ve been looking into it for the past couple of weeks as, going through terms and conditions, a lot of the banks won’t cover you for any losses if you use an account aggregation service, which is stupid as they are read-only services and can’t perform any transactions.

I’ve been using KeePass for years and never had a problem, but I have been looking at moving to LastPass as I think it’s even more secure. All the encryption is done on your own computer, and all of your data is encrypted one way and stored on their servers. As it’s a one-way algorithm using AES 256-bit encryption (military grade), and they never receive your master password, it should be totally secure. Even if an attacker was able to access your computer and install some malware or a keylogger to get your password, they would also need to break into your property or mug you on the street to get your phone or YubiKey (small USB device) or whatever the second form of authentication is that you have set up. Essentially LastPass works on something you know (password) and something you have (Google Authenticator on your phone, YubiKey, paper grid, other types of software that run off USB sticks).

There’s a really thorough review of LastPass and why it’s secure by a site that specialises in security, and they both use it; you can see it here – http://www.youtube.com/watch?v=r9Q_anb7pwg&t=0h53m50s

All that being said, I’m still reluctant to store my bank account within it, and so I’m writing down passwords, PINs, secret numbers etc. on paper, which would be lost in the event of a burglary and I wouldn’t be covered for.

You’re absolutely right. Meanwhile many banks actually offer the account aggregation service right in their own websites, hoping to collect info on what assets and liabilities are with their competitors. It’s a ‘double screw you’ service offering.

> it’s important to remember that banks don’t allow you to store your passwords within a password manager as they still class this as writing them down.

Crikey, I never realised they’d have such stupid conditions. Something needs to change here, that puts the consumer in a terrible position. Any half decent encrypted password manager should be a bank recommended solution.

F.G.Evans says:
20 September 2014

Where do you write down and store the password to your safe?

> Where do you write down and store the password to your safe?

I don’t. I have a fairly long complex (but personally memorable) password for opening the password manager database.

I don’t, it was just an example.

The recent breach of celebrities accounts was as a result of weak passwords which allowed the hackers to gain access to their cloud storage.

So nothing to do with the very poor security adopted by Apple, e.g. allowing unlimited login attempts, as a result of which even very strong passwords could be cracked in a few days.

And FYI any security is only as strong as its weakest link and Apple should have taken into I gather they’re now looking to address this, rather stable horse door bolted.

Santander, like Halifax, prohibit password managers – ‘f) never use computer software or a computer browser facility to record Your Security Details’. (From http://www.santander.co.uk/uk/online-banking-service-terms-conditions section 10.3). Nationwide and TSB seem more enlightened and talk about reasonable/sufficient steps to secure passwords.

I can see the banks’ problem in that they cannot be expected to verify/endorse specific password manager software. But surely it is for the bank to demonstrate a customer’s reckless storage of passwords rather than imposing a blanket ban on any storage.

I specifically tried to complain to Halifax about this issue in 2012 by sending an old fashioned letter and copied Which?, but I didn’t get very far with the Customer Care team. I cited recent research that many eight character passwords can now be cracked in two days or less with the proper computer resources (http://arstechnica.com/security/2012/08/passwords-under-assault/4/). Industry best practice is now to use a password safe and generate unique, random passwords that are at least 20 characters in length. If more Which? members formally complain to Halifax, maybe they will finally get the message.

Could Which? open a complaint with one of the regulatory agencies?

My bank (NatWest) asks me to install and use Rapport software to improve security. The problem is that it turns a fast computer into a very slow one. It simply is not a practical solution.

I’ve been using Rapport at the behest of my bank for years, I’ve not noticed on too many occasions that it causes a problem.

It is a very well established problem for users of Apple computers.

Well, Rapport is an IBM product (according to my process monitor) so I’m not surprised.

Trusteer Rapport is now owned by IBM, though that is fairly recent.

My plan was to update an old laptop to the latest OS, install Rapport and use this just for online banking. Unfortunately, my antivirus software was incompatible with the current version of OSX.

I will have another go with Rapport but I don’t hold out much hope that it will have improved.

“This is really, really important. No really! Every time an update comes along, install them.”

This sounds like double standards to me, as a few months ago when XP ended support the WhichConvo Twitter account kept RTing people who said you do not need to upgrade from XP, even though the support was now finished and it was now classed as a risk.

Hello Lee, the opinions we RT are not necessarily backed by us at Which?. We RT differing opinions to kickstart a debate. Our official advice on upgrading from XP is here: http://blogs.which.co.uk/technology/windows-8/windows-xp-support-ends-your-options-and-how-to-keep-your-files/ Also, this is a guest post from Ken who is an ethical hacker and does not work for Which?. Thanks

I remember the XP RTs as I got myself into a little bit of a Twitter argument with someone else, and 99% of the RTs did state that it was fine to carry on using XP when in fact there is a risk.

I love a good healthy debate, Patrick, as you know, but I feel Which? should RT both sides. Not just one.

That’s always our intention Lee, sorry if that wasn’t the case back then.

Ken says that most home users use Internet Explorer. Is that true, in 2014?

If not home users then certainly business and government at all levels.

I think this is because it is easier for these organisations to carry out routine updating of multiple networked machines. My point relates only to home users.

I am concerned that there is a concerted attempt to tell people that computers are safe – if used correctly. My take is that if some one wants to corrupt your computer they very probably can and there is not a lot you can do about it.

It is really a numbers game in the sense if you are unlucky or go to an infected site you can suffer. You can certainly minimise greatly the risk by using a specific computer solely for your brief banking transactions and keeping it off-line and closed. However compared to using a telephone with a top-rated Bank I think computers and smartphones are inherently crackable.

As we are all probably aware the NSA and other organisations have the ability to compromise most phones and computers. To believe the black hats cannot also do it is probably wishful thinking. All we can do is make it as difficult as we can for lower grade crookery.

I get daily emails from The Register and CBR and reading is grim.


And these are but two examples of many this year of what is going on in a area where we the general public are blissfully unaware how good hacking can be.

Online banking is cheap for the banks in comparison to maintaining a branch network, and end users prefer the convenience, so it’s not going away. As long as you aren’t negligent the banks will refund any losses, but I just feel telling people not to write down long complex passwords (even when using encryption software) is unfair on the end user.

Sure, Which? readers will be aware of most online banking scams, but this is one which I’ve not heard of before, involving weaknesses more with the phone network than with the bank – http://www.theguardian.com/money/2014/may/30/halifax-lloyds-banking-online-security-hacker

Interesting article. However, despite its strength on the mechanics of the telephone trickery, it is amazingly lacking in curiosity – “It emerged that his online bank account had been hacked and an Isa moved into his current account. The hackers then tried to take the £7,200 by a money transfer.”

Somehow you would think that really requires some explanation also.

Having worked in many jobs including call centres and bank branches, I am very conscious that call centre staff can have access to systems that allow them to accumulate information that in itself is not top value but does form a useful base. The turnover in staff at call centres is generally very high, so the odds on a situation where you put somebody else’s bank account number on a mate’s utility account must be relatively easy.

Most people are not crooks but systems tend to be built for cheap operational results and in my experience making them safe from corruption is not even a glimmer of an idea.

BTW I am having problems with Virginmedia who casually during a long call suggested I enter a site “rescue” something. This actually gives the Virginmedia operative access to your computer and having confirmed this was her purpose I refused with much indignation. I suspect it works with a considerable number of less experienced users.


“Having worked in many jobs including call centres and bank branches, I am very conscious that call centre staff can have access to systems that allow them to accumulate information that in itself is not top value but does form a useful base”

It’s for this exact reason my memorable information (dates, first pet names, first employer) is all completely made up and different between the different banks. For example, I’ll tell NatWest my first pet’s name was Charlie but I’ll tell HSBC my first pet’s name was Baxter. My reasoning being, if I had the misfortune of a bank worker at one company getting my details, they couldn’t try those details with other banks. I also change the memorable info after speaking to a member of staff for this reason.

This is probably overkill on my part but this is all caused by the banks and their stupid policies.

Sandra Shearn says:
20 September 2014

Re remembering passwords: I have in my head a particular phrase which is not written down anywhere but is easy to remember (musical theme). I use the first letter of each word and simply change a 3 digit number at the end for each organisation. I do have the numbers written down but they will be of no help to anyone who might come across them. Not, I should say, my idea but one I came across years ago on the Internet.

J Singh says:
20 September 2014

More of a question for the ethical hacker.
Where does VPN fit in with this? Would I be even safer if using some good anti-virus suite ALONG with commercially-available VPN?

Maria Dale says:
20 September 2014

I have had to have two new bank cards this year, as my account had been compromised. On both occasions the Co-op bank picked up the potential fraud. I now have a second bank account with another provider in case it happens again. It is very inconvenient to have no bank card and have to visit a branch to get cash whilst waiting for a new card, but otherwise the co-op did a great job detecting the fraud on my account. I have their recommended “spyware” installed on my laptop and other security software and it has not happened again since.

I would like to understand why the use of forward and back buttons should log me out and why it is so risky. This is not explained.
The lack of a back button on iPads I find intensely irritating, so I use Android products. We have all mistyped something or wish to refer to a previous screen. It’s natural computing behaviour, surely?
The fact that two of the UK’s biggest banks, HSBC and Lloyds, do not have an auto log out either suggests an incredible complacency on their part, or the analysis of Which? is flawed, or the banks have further security that is not disclosed.
I have to be very dubious about an online password vault. Surely that is hackable and leaves one with a complete identity fraud open goal. Isn’t a pen and paper better? How safe are password vaults? I’d never even heard of them until I read this article and I think I’m reasonably internet savvy. If they are that good, they deserve much greater Which? exposure and discussion

spencer says:
27 December 2014

Hackers don’t need your password to hack your account
