HSBC Praised for Cybersecurity While Monzo and Metro Bank's Defences Found Lacking

Despite a worsening epidemic of cyber fraud, some banks are still neglecting their digital defences, allowing customers to choose insecure passwords and failing to keep website protections up to date.

That’s according to Which?’s annual banking security investigation. Aided by online security experts 6point6, the consumer magazine tested the armour on online banking portals and mobile apps, finding weaknesses on many that could be exploited by con artists. It also found a huge gulf between the security performance of our banks, with some consumers left more exposed to fraud than others.

Although internet defences are more sophisticated than ever before, so are criminals. In the first half of 2021, internet banking fraud was up 97% to 42,000 cases, with Britons losing a record £108.9 million. Which? is urging banks to “up their game" to tackle this fraud.

Its investigation rated the front-end security of 15 current account providers, rating them on their website encryption and protection, login security, account management, and navigation. 

HSBC won the league, with a score of 81%. It was the only bank to score five stars for both website encryption and account management. It was boosted by its use of the latest encryption standards, creating cyphers that are harder for a cybercriminal to crack. 

One shortcoming was that HSBC lets you choose passwords that include your first name and/or surname. Five other banks—NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money—also permit this. Santander said the use of names in passwords was being phased out, and NatWest and Virgin Money, when alerted, said they might upgrade password restrictions.

Ethical bank Triodos allows even more crackable passwords, including “password,” “1234567,” and “admin.” It requires two-factor authentification at login, using its physical Digipass device. But that’s “no excuse” for allowing such weak passwords, Which? said.

HSBC division First Direct boasts similar defences to its parent company. It was also rated the top bank for its mobile app, with a score of 77% and five-star ratings for encryption and account management.

But First Direct’s overall score was dented by the use of an exposed subdomain on its website, which could enable hackers to launch a brute force attack. First Direct remedied the problem after Which? and 6point6 reported it.

The analysis flagged another issue with First Direct. 6point6 was able to log in to a test account from two different computer networks simultaneously. The account also stayed logged in when they navigated to a different website, used the back button, and refreshed the page. Those sessions all timed out after five minutes of inactivity, but other banks require you to log in again, which is more secure.

A spokesperson for HSBC UK and First Direct said: “We deploy advanced cybersecurity controls and identify and respond to threats in a timely manner to ensure a seamless customer experience. We take on board customer feedback and are constantly reviewing and enhancing security measures.”

On the other end of the spectrum, digital bank Monzo had the lowest-rated app by “some margin.” It was the only app that doesn’t ask you to log in every time you use it. The startup said this was a “conscious design decision to strike a balance between risk and customer experience.”

A hacker would need to bypass security checks to transfer money but Which? doesn’t believe an open app is “the right approach for a bank.”

Which? also doesn’t think Monzo’s requirement that users enter their debit card PINs to authenticate some changes and charges is adequate. After three unsuccessful PIN attempts, Monzo does requires a selfie video and photo ID to proceed, but Which? believes an app-specific password would be better.

The £3.3 billion startup “strongly disagree[s] with [Which?’s] assessment.”

”Given every sensitive action or payment requires a customer to provide extra authentication in the form of a PIN or biometrics, the risk associated with remaining logged into the Monzo app is extremely low. We take security incredibly seriously and focus on policies and practices that we consider to be safest for Monzo customers,” a Monzo spokesperson.

Metro Bank (score of 53%) received the lowest score for its online defences, followed by Virgin Money (56%) and TSB (59%).

6point6 identified vulnerable subdomains on Metro Bank’s website. These were found to be lacking two important security headers, which strengthen defences in web browsers.

A spokesperson for Metro Bank said: “We take our customers’ security extremely seriously and have a range of safeguards in place across all channels to help defend them against fraud. As well as the controls which are visible, we have controls in the background which support our customer journeys and provide invisible protection. We are continually evaluating and evolving our controls to prevent fraud.”

Meanwhile, Lloyds, Nationwide, Santander, and TSB lost points because their online and mobile banking require the same login credentials.