Santander has UK's weakest online banking security - Which?

NatWest and RBS have been crowned the UK's most secure online banking providers by consumer group Which?, with Santander ranked bottom of the pile.

  6 5 comments

Santander has UK's weakest online banking security - Which?

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

With online banking fraud losses hitting £40 million last year, Which? put the Internet services of 10 providers through their paces.

NatWest/RBS scored 76% thanks to features such as the requirement to use card readers when carrying out higher risk tasks like transferring money to a new payee or changing the password.

NatWest also locked the testers out of their accounts for 10 minutes when they tried to log on from two different IP addresses at once - a measure that helps deter fraudsters from accessing accounts when the customer is already using the service.

The research shows that most banks offer a similar level of security to online customers: The Co-op and HSBC both score 72%, Barclays 71%, Norwich and Peterborough 70%, Lloyds TSB and Nationwide 69%, Smile 68% and Halifax 67%.

However, Santander managed just 47%, falling down compared with other banks in terms of how it dealt with security for logging out. The Spanish-owned bank told Which? that it has taken measures to beef up the process but has failed to allay its concerns.

In contrast, First Direct initially scored just 46% thanks to poor security when setting up a new payee but managed to placate Which? by tweaking its system.

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Comments: (5)

A Finextra member 

"apparently weakest online banking security" would be fairer. They only assessed what's apparent to the consumer. It's not as if they ran a pen test.

A Finextra member 

It would be interesting to see the report, 74% still doesn't seem that great. What would they need to make it 100%, and if it was 100% would that make it unusable for the customer? Like every provider, I assume that Santander will be taking a pragmatic approach to security. It is often cheaper to pay back the losses than it is to upgrade the security systems. I also agree with the last comment, there are a number of things going on in the background that Which haven't discovered or commented on. .

A Finextra member 

I couldn't agree with Dave more. Pushing customers away from digital channels with security measures that create hurdles not worth crossing will make for an unviable commercial proposition for the bank. As Dave said, it can be a lot cheaper to pay back fraud loss rather than pay for for more expensive presentment and payment channels such as paper, post and cheques. If we want to move into the mobile and digital space, we have to accept fraud even if it is counterintuitive.

A Finextra member 

@Dave Barnes: if it was 100% would that make it unusable for the customer

Exactly. And all for an increase in perceived, not necessarily actual, security.

Uri Rivner

Uri Rivner CEO and Co-Founder at Refine Intelligence

Agree with the comments. I recently blogged about this... 

https://www.finextra.com/blogs/fullblog.aspx?blogid=8133

Bottom line: security must be balanced with usability, otherwise it defeats its purpose. Having too much security is like having a car with breaks that won't let you move much. You'll say thank you very much, and just pick up another car. I call it 'choosing the path of least security' which is our human nature, as opposed to the implied conclusion in the WHICH report which is that people appreciate security much more than they appreciate ease of use. 

[Webinar] Reaping the benefits of Hyper-Personalisation with AI and Application ModernisationFinextra Promoted[On-Demand Webinar] Reaping the benefits of Hyper-Personalisation with AI and Application Modernisation