TSB, Tesco Bank and Starling: the best and the worst in the security ranking for online banking


A Scottish bank has been reported to the Financial Conduct Authority for failure to comply with the protection regulations for online banking.

The Financial Conduct Authority (FCA) has been alerted to concerns about the online banking sign-in process of Edinburgh-based TSB Bank, which, along with Edinburgh-based Tesco Bank, is one of the UK’s worst performers in an investigation into online banking security failures that could help criminals defraud customers.

The consumer organization Which? noticed during an online banking test in September that the bank did not comply with the current “strong customer authentication” (SCA) rules implemented in March.


It found that there was a violation because logging in to the account required only the username and password, with no second step such as a passcode sent via SMS.

The second step should have been part of the login process, as banks have been required to include it since March.

This was part of an investigation which, with the help of independent security specialists 6point6, investigated the online banking security measures of the largest checking account providers.

The investigation found that some of the biggest banks, such as Santander, Tesco Bank and TSB, have “worrying weaknesses” in their protection that could expose their customers to fraud.

It is now calling for the voluntary code that compensates blameless victims of transfer fraud to be made mandatory.

Although online banking is a largely safe way of handling money, and this is reinforced by initiatives such as behavioral biometrics, where businesses examine the specific way you carry your device as a fraud prevention system, the consumer organization said it is worried by the issues its investigation found, which make it clear that banks should do more to “put security above all else.”

“In some of these cases, there is the potential for fraudsters to access information that could be used as building blocks for a sophisticated scam – providing a fraudster with enough sensitive information to carry out convincing scams, such as impersonating a bank employee to persuade a customer to transfer money from their bank account to a fraudulent one,” said the consumer group.

But Which? said victims of these scams – which could be built on lax bank security measures – then suffer a “double whammy” as banks “disregard” the victim reimbursement obligations they signed up to last year.

With an overall score of just 46 percent, Tesco Bank earned the worst score for online security in Which?’s studies.

Researchers noticed that many security headers were missing from the bank’s web pages – these are considered important because by telling the browser how to act while interacting with the website, they protect the browser from a variety of cyberattacks.
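
As an added illustration (not part of the Which? report or of this article), the Python check below audits an HTTP response for the kind of missing security headers described above. The header baseline, the six-month HSTS threshold and the sample response are assumptions constructed for the example; the article does not say which headers were missing.

```python
import re

# Constructed sample response head for illustration; not taken from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure\r\n"
    "\r\n"
)

MIN_HSTS_SECONDS = 15552000  # assumed baseline: roughly six months

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of findings for missing or weak security headers."""
    h = parse_headers(raw)
    first = lambda name: h.get(name, [""])[0]
    findings = []
    hsts = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    elif int(hsts.group(1)) < MIN_HSTS_SECONDS:
        findings.append("Strict-Transport-Security max-age too short")
    csp = first("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy missing")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if not first("x-frame-options") and "frame-ancestors" not in csp.lower():
        findings.append("no framing control (X-Frame-Options or frame-ancestors)")
    if "no-store" not in first("cache-control").lower():  # keeps pages out of cache
        findings.append("Cache-Control lacks no-store")
    for cookie in h.get("set-cookie", []):
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        for flag in sorted({"secure", "httponly"} - flags):
            findings.append(f"cookie {cookie.split('=')[0]} lacks {flag}")
    return sorted(findings)

print("\n".join(audit(SAMPLE_RESPONSE)))
```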

The testers also found that the site did not prevent two computer networks from logging in at the same time. And when they switched to another website, it was found that online banking did not log customers out.

It also noticed that when they moved to another site or used the forward/back button to exit and return to the session, the site did not log consumers off.

With a score of 51 percent, TSB was second worst.

The study found, however, that TSB customers enjoy at least some “peace of mind” thanks to the bank’s fraud refund guarantee, which guarantees that their money is returned to the vast majority of fraud victims.

Santander rounded out the bottom three, with a 62 percent score. Testers found that if a user designates a computer as “trusted,” authentication checks at login can be bypassed.

The not-so-big names were the ones who did well.

At 85 percent, Starling was the best. The experts found nothing alarming about the online banking site recently introduced by the company.

But they said this was partially due to its limited flexibility, as confidential data can be modified by users only via the app.

There were no problems with missing security headers, unlike most other banks, and the bank won top marks for encryption.

Which? is calling for the voluntary code to be updated for

