January 25, 2021

Lloyds & Santander among major banks struggling with online security

Lloyds and Santander house some of the UK’s least secure online banking services despite their market shares, according to a recent Which? study.

Both banks landed in the bottom five, alongside Co-operative Bank, TSB and Tesco Bank.

The survey, conducted with cybersecurity firm 6point6 in September 2020, is based on four key verticals.



These are login, encryption, account management, as well as navigation and logout.

Of the 16 banks and building societies tested, Starling Bank came out on top with an overall score of 85%.

“Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption,” Which? said about Starling.

It’s unclear why Monzo, which has more UK customers than Starling, wasn’t also tested.

Also high up in the ranks were Barclays, First Direct and HSBC, who all scored 78%.

Lloyds & Santander

As well as these four players, Lloyds and Santander also fell behind the likes of NatWest (76%), Nationwide (74%), Metro Bank (71%), and Virgin Money (68%).

Lloyds scored just 3/5 for login security, and the same for logout and navigation security.

The report assessed login security based on how easy it is to recover usernames or passwords, whilst the latter category was based on automatic logout time, which should be below five minutes, and the ability to log in on multiple browsers.

Which? says multiple logins should always be flagged as a potential attack.

Santander scored 2/5 for logout and navigation, 3/5 for login security. The bank also scored 2/5 for account management.

This was measured by looking at how new payees are set up. “We marked them down if these [new payee alert] messages included a phone number or web link,” said Which?.

“As scammers often replicate texts and emails to trick you into calling them or entering your details on a fake website.”

The tests also found that Santander’s authentication checks could be bypassed if a user designated a device as “trusted”.

There was no option to view or “distrust” these devices, according to Which?, but the bank said it does ask for reauthorisation if it detects unusual activity.

A Santander spokesman said the bank “takes online security very seriously” and invests “a great deal in cybersecurity and fraud prevention”.

Lloyds has around 16 million UK customers, whilst Santander says it serves 14 million.

TSB & Tesco Bank

Tesco Bank, which no longer accepts new current accounts, scored the lowest, with 46%, and TSB followed behind with 51%.

Tesco Bank has 2.6 million credit card customers, whilst its total number of customers is unknown. TSB said it had around five million in 2019.

This is the second year running at the bottom of the table for TSB, which scored 50% in November 2019.

Which? said TSB was “the only bank” in its test not to be Secure Customer Authentication (SCA)-compliant.

“We’re shocked that it has been so slow to implement this protection,” the survey commented.

Last year, TSB did become the first UK bank to guarantee fraud refunds for innocent customers.

But it’s likely all UK banks will have to implement this rule soon. In December, Telegraph Money revealed that the UK’s Payment Systems Regulator is planning for this.
