Starling’s new online banking found most-secure in Which? study

By Oliver Smith on Thursday 7 January 2021

Digital Banking

While “worrying gaps” found at banks like Santander, Tesco Bank and TSB.

Starling’s new online banking found most-secure in Which? study
Image source: Starling Bank.

Security researchers commissioned by consumer group Which? have ranked Starling Bank’s recently-launched online banking service as the most secure among the UK’s 13 leading banks.

Which? gave Starling an 85 per cent security test score based on the findings of researchers at 6point6, with Barclays, First Direct and HSBC following close behind at 78 per cent.

One of the reasons Starling ranked so highly is that somebody can only change the most sensitive data via its app. Starling’s online banking offering remains somewhat limited, albeit while following best industry practice for online security.

At the other end of the spectrum, 6point6 found “worrying gaps” in Santander, Tesco Bank and TSB’s online banking security, the three worst-performing banks of the study.

Issues ranged from missing security headers on webpages, weaker encryption, failing to block testers from logging in from multiple networks, and failing to log out testers.

All three banks defended their security; a Tesco Bank spokesperson said it was a “top priority” and that the bank has “robust security measures in place to protect [customers] and their money.”

A Santander spokesperson pointed to the various ‘back end’ security measures not included in the Which? review and said: “Santander takes online security very seriously and we invest a great deal in cybersecurity and fraud prevention and ensuring we protect our customers’ money and data safely and effectively.”

While mobile apps were not a core focus of the study, 6point6 did take a look at each provider’s app, focusing on the ability to run apps on emulated or rooted devices.

Monzo, Nationwide and TSB all failed to detect whether their apps were running on an emulator or rooted device, often used by fraudsters to detect vulnerabilities or get around a smartphone’s restrictions.

Monzo disagreed that this was a security issue and argued that many other banks’ root or emulator detection could be unreliable.

“Banks must lead the battle against fraud, yet our security tests have revealed a big gap between the best and worst providers when it comes to keeping people safe from the threat of having their account compromised,” said Harry Rose, editor of Which? Magazine.

“The serious failings we have exposed with some providers reinforce the need for banks to up their game on scam protections, and for greater transparency and stronger standards on fraud reimbursement to be made mandatory for all banks and payment providers.”

Sign up for our newsletters


Your daily 7am download of all things alternative finance and fintech.

Fintech and alternative finance headlines with an exclusive Editor's Note each week. Delivered Monday at midday.