Top UK Banks Aren't Using the Latest Tech to Secure Transactions

Major UK banks have been slow to enforce the finance industry's recommended browser security requirements, but doing so could lock older devices out of their sites
The UK's biggest banks aren't using current web technologies to help ensure online banking transactions are secure, according to new research. Top financial groups – including TSB, HSBC, and Nationwide Building Society – haven't yet updated their websites to use the encryption standards required by the banking industry.
In total, 14 banks allow people to access their websites with browsers using old and potentially insecure versions of encryption. The results come following an assessment of 25 UK banks and building societies by Swansea University computer science student Edward Wall.
Wall's analysis gives each bank a score out of 100 for the technical security measures of its website. Santander and Virgin money top the research with 53, while Co-operative Bank and Smile are at the bottom with scores of 12. The scores don't mean user data is exposed or the websites suffer any current security vulnerabilities but rather highlight areas where security best practices aren't being followed.
Of those banks, 14 banks haven't upgraded their websites to enforce the use of current TLS (Transport Layer Security) cryptographic handshake protocols. This is required by the latest encryption standards demanded by the banking industry's Payment Card Industry Data Security Standard (PCI DSS).
According to the standard, issued by the Payment Card Industry Security Standards Council, businesses accepting card payments were requied to use TLS 1.1 by June 30, 2018. Although card issuing banks aren't required to obtain PCI DSS validation, they are expected to meet the same security standards as processors and merchants.
Older versions of TLS and SSL suffer security vulnerabilities including Heartbleed, POODLE, and BEAST, which can facilitate data-intercapting man-in-the-middle attacks.
It's people running older operating systems and browsers who are most vulnerable to attacks that can fly under the radar if modern TLS protocols aren't enforced by sites. TLS 1.1 was introduced in 2006, but it took a long time for many web browsers to introduce it by default. Statcounter web analytics data indicates that 1.17 per cent of computer users going online in the UK are still on Windows XP and 0.99 per cent are using Vista, and are very likely to be using older browsers that don't support TLS 1.1.
Based on current internet usage statistics the problem could affect around a million adults in the UK.
The browsers built into older versions of Android (pre 4.1) and iOS (pre 4.0) also lack TLS 1.1 support. Allowing users to connect from less secure systems puts them at risk of man-in-the-middle attacks. Unfortunately, bank customers using old phones and browsers are disproportionately likely to be elderly, impoverished or otherwise not in a position to easily upgrade their hardware or even software.
The 14 banks Wall's tests detected as not using the latest encryption protocols are the Bank of Scotland, TSB, Halifax, Tesco Bank, Lloyds Bank, Nationwide Building Society, HSBC, M&S Bank, Sainsbury's Bank, Barclays, Scottish Widows, Yorkshire Building Society, First Direct, Co-operative Bank and Smile.
When we discussed Wall's findings with the Co-operative Bank, a spokesperson said that while its login pages can be accessed by browsers that don't use TLS 1.2, its online banking services aren't available to them:
"The Co-operative Bank is currently meeting the requirements of the recent Payment Card Industry Data Security Standards(PCI DSS) guidelines to disable TLSv1.0. Although customers can land on the bank's site using older browsers (TLSv1.0 or older), they are not able to transact and essentially get an error message."
The reasoning behind this is that it will allow the bank to see how many users are currently trying to access bank services from older browsers: "The bank, like others is taking a phased approach to disable the support for older browsers and we are actively monitoring the volume of customers reaching us via older browsers to identify if any specific customer communications are required. At the end of the phased process, older browser access will be fully disabled and no longer supported."
This is keeping with behaviour we've seen from a number of other banks, such as HSBC, which allowed us to log into an account from a number of older browsers, but failed to display its online banking services. However, such behaviour raises questions about the security of login data sent to those pages by online banking customers with outdated software.
While none of the online banking sites analysed by Wall suffer from any current security vulnerabilities, many of them haven't implemented a range of recommended web technologies designed to protect customers against vulnerabilities on either the user or bank's end, and some of them display harmless but irregular handling of HTTPS addresses and forwarding.
For instance, https://smile.co.uk/ fails to load the bank's website or forward to its (functional) www. prefix, noted by Avast security researchers. Meanwhile, attempting to access Scottish Widows' online banking login page via HTTP sends you to an ambiguous error page rather than correctly redirecting to the HTTPS version or even displaying a conventional error 404.
Wall's Bank Grade Security project analyses the web security technologies in use by 153 banks around the world and scores them out of 100 based on a range of factors.
These include proper redirection from insecure HTTP to secure HTTPS connections, headers to help protect against cross-site scripting (XSS) attacks such as browser extensions designed to inject malicious code to capture your online banking details when you log in, and forward secrecy to prevent banking sessions from being decrypted later if they're recorded, even if the server's private key is obtained.
The major ongoing security issue for the web in general is the continued use of HTTP (the HyperText Transport Protocol), which sends all data back and forth between your browser and the server in plain text. HTTPS (HTTP Secure) uses a protocol called TLS (or SSL in older versions) to ensure that data is encrypted, so it can't be read if someone intercepts it. While all banks have used HTTPS for many years, the way they implement it varies, with some of the best security options, such as mandatory TLS 1.2 encryption, potentially locking out users who can't run the latest web browsers.
Wall says that, while the phrase "bank-grade security" is often used to indicate a high level of protection for users, in reality, "banks have poor security". That may be something of an overstatement in most cases, but the work to analyse banking website security measures and track banks' progress in improving them shines a light on a range of legitimate security concerns.
"People trust their banks to keep them safe," he says, "and I felt that the banks were letting their customers down by putting them at risk."
Security researcher David Lodge of Pen Test Partners emphasises that users needn't panic or give up on internet banking: "Most of the factors are what we would usually raise as low-risk issues, they are concerned more with extra controls that should force communication down a secure path or tell the browser to provide more protection if there is a vulnerability, such as cross-site-scripting, in the website. They are not vulnerabilities as such, they don’t list vectors for attacks."
Although the issues Wall has highlighted don't translate to actual vulnerabilities, Lodge says that there are some significant issues in need of improvement. "Encryption is possibly the most important, in particular the section marked TLS," he says. "There have been a selection of cryptographical flaws found in the implementation and algorithms with older forms of SSL/TLS, meaning that only TLS 1.2 and 1.3 are recommended nowadays." The PCI DSS requires that the latest encryption standards are used.
Fortunately, if you're using a modern browser, it'll make sure you're connecting using the latest supported version of TLS. It's only those stuck using legacy computers or software that are exposed to any notable risk by substandard TLS implementations.
According to Bank Grade Security's statistics, only 24 per cent of all banks assessed require TLS above 1.1 and none support the most recent TLS 1.3 standard. TLS 1.3 was approved by the Internet Engineering Task Force (IETF) on March 23, 2018, and has been a sticking point for banks, who previously proposed that it be made less secure so they could more easily decrypt and monitor network traffic to comply with industry regulations.
Bitdefender global cybersecurity analyst Liviu Arsene says banks' handling of HTTPS is particularly important but that, as banking websites are those most often targeted by fraudsters and phishers, they should set in place as many security safeguards as possible.
"There’s no such thing as sufficient security, especially in the banking and financial industries, regardless [of whether] we’re talking about the internal network security [or] the institution of the security of their website," he says.
While 85 per cent of the banks analysed by Wall have a secure redirection of chain that consistently sends their customers to an HTTPS page and 79 per cent immediately send all HTTP traffic to an HTTPS site, only 47 per cent support the HSTS protections against attacks that attempt to downgrade users to the easily snoopable HTTP protocol. Just two of the 153 banks included currently support HSTS Preloading, which puts them on a list instructing browsers to use HSTS when initially connecting to their sites.
Banks should prioritise the use of trusted domain certificates, enabling HTTPS everywhere, enforcing a TLS version greater than 1.1, and using properly formatted security headers to prevent cross-site-scripting attacks, Arsene says.
Perhaps more importantly, Lodge says, as banks upgrade the sites they must ensure that the platform itself is well architected, developed and tested. They should particularly concentrate on making sure their sites are free from vulnerabilities that could affect customer data, such SQL injection or Cross-Site-Scripting. "The items in bankgradesecurity.com are important as extra protection mechanisms," he says, "but they won’t protect against every attack."
In response to the findings, a spokesperson for the Yorkshire Building Society said it was working to improve the versions of TLS it uses. "We are currently rated as an ‘A’ from a security perspective by SSL Labs," the spokesperson said.
"However, this does not mean we are complacent about developing and emerging threats. Our websites are configured to use TLS 1.2, which modern browsers will default to automatically. Older versions of TLS are currently supported and will be removed soon.”
An M&S Bank spokesperson said: "We take the security of our customers extremely seriously and use state-of-the-art technology to deter and detect financial crime." Elaborating on the technologies in use, they said: “We use a variety of security measures to protect customers when banking online, including password protection and advanced encryption technology, as well as sophisticated anti-fraud monitoring. Two factor authentication and a one-time password is required to access online banking services in the form of M&S PASS, protecting our customers from fraudulent activity.”
A Tesco Bank spokesperson said: “We take the security of customer accounts extremely seriously and continually review and update our systems and processes as necessary.” Other banks did not responded to requests for comment.
If your bank hasn't yet implemented the latest web security technologies, Wall says there isn't much an individual can do. Banks have to make changes to their sites, but could be encouraged to do so if their customers highlight issues that concern them. In the meantime, it's important to ensure that your own online security practices are sound.
"Most banking malware tries to steal credentials or perform e-banking operations stealthily on their behalf," Liviu Arsene says. "Some security solutions even offer secure browsers that cannot be compromised by malware and also validate that the visited e-banking website is actually legitimate, and not some sort of elaborate fraud. Since attackers usually go for the end user instead of the actual bank – or sometimes eavesdrop on the communication between the two if it’s not properly secured – it’s the responsibility of both parties to ensure security at their end."
Source: wired

Latest Jobs
-
- Account Manager - IT Services
- Germany
- €90000 plus OTE and Car
-
Are you a deal closer with a hunter mindset? Do you know how to uncover business pain points, and turn them into long-term digital transformation partnerships? Our Client are growing their sales force across Germany and looking for an ambitious, straight-talking Account Manager to take the lead on new client acquisition. You’ll focus on mid-sized to large enterprises across Germany helping to shape their digital future with tailored IT solutions in Workplace, Cloud, and Security. • Drive Growth: Own the full sales cycle for new business across your region. • Solution Sell: Build bespoke offers in Security, Digital Workplace and Cloud solutions • Build Relationships: Establish a solid pipeline through smart prospecting, marketing-driven leads, and your own network. • Represent a brand known for trust, delivery, and tech excellence—with 4,000 employees globally and a growing team within Germany. What You Bring • Proven new logo sales experience in the IT services space (not hardware!) • Deep knowledge in one or more of: Cybersecurity, Digital Workplace, or Cloud • Confidence to lead enterprise deals and pitch directly to senior stakeholders • Fluent German and good English skills Sind Sie ein Abschlussprofi mit Hunter-Mentalität? Wissen Sie, wie man geschäftliche Pain Points identifiziert und in langfristige Partnerschaften zur digitalen Transformation verwandelt? Unser Kunde baut derzeit sein Vertriebsteam in ganz Deutschland aus und sucht eine ambitionierte, ehrliche Persönlichkeit als Account Manager, die den Lead bei der Neukundengewinnung übernimmt. Ihr Fokus liegt auf mittelständischen bis großen Unternehmen in Deutschland, denen Sie mit maßgeschneiderten IT-Lösungen in den Bereichen Workplace, Cloud und Security den Weg in die digitale Zukunft ebnen. Ihre Aufgaben • Wachstum vorantreiben: Verantwortung für den gesamten Vertriebszyklus im Neugeschäft Ihrer Region. • Lösungsorientierter Vertrieb: Entwicklung individueller Angebote in den Bereichen Security, Digital Workplace und Cloud-Lösungen. • Beziehungen aufbauen: Aufbau einer stabilen Pipeline durch gezielte Ansprache, marketinggenerierte Leads und Ihr eigenes Netzwerk. • Marke repräsentieren: Werden Sie Teil eines Unternehmens mit 4.000 Mitarbeitenden weltweit und einem stark wachsenden Team in Deutschland – bekannt für Vertrauen, Verlässlichkeit und technologische Exzellenz. Was Sie mitbringen • Nachgewiesene Erfahrung in der Neukundenakquise im Bereich IT-Services (kein Hardwarevertrieb!) • Fundiertes Wissen in mindestens einem der Bereiche: Cybersecurity, Digital Workplace oder Cloud • Selbstbewusstes Auftreten im Umgang mit Enterprise-Deals und Entscheidungsträgern auf Top-Level • Verhandlungssichere Deutschkenntnisse und gute Englischkenntnisse
-
- Senior SOC Analyst Level 3. Microsoft Security stack | Ability to achieve SC Clearance
- London
- To attract the right person
-
Job Title: Senior SOC Analyst Level 3. Microsoft Security stack | Ability to achieve SC Clearance Location: Hybrid remote | London / Berkshire Overview: Senior SOC Analyst Level 3 to join a specialist Managed Security Services business. You will be responsible for advanced threat hunting / triage, incident response etc with a strong focus on the Microsoft Security Stack. Key Responsibilities: Lead and resolve complex security incidents / escalations Conduct advanced threat hunting using the Microsoft Security Stack. Build, optimise and maintain workbooks, rules, analytics etc. Correlate data across Microsoft 365 Defender, Azure Defender and Sentinel. Perform root cause analysis and post-incident reporting. Aid in mentoring and upskilling Level 1 and 2 SOC analysts. Required Skills & Experience: The ability to achieve UK Security Clearance (SC) – existing clearance ideal. (Sorry no visa applications) Current experience working with a SOC environment Microsoft Sentinel: Development and tuning of custom analytic rules. Workbook creation and dashboarding. Automation using Playbooks and SOAR integration. Kusto Query Language (KQL): Writing complex, efficient queries for advanced threat hunting and detection. Correlating data across key tables (e.g., SignInLogs, SecurityEvent, OfficeActivity, DeviceEvents). Developing custom detection rules, optimising performance, and reducing false positives. Supporting Sentinel Workbooks, Alerts, and Playbooks through advanced KQL use. Deep understanding of incident response, threat intelligence and adversary techniques (MITRE ATT&CK framework). Strong knowledge of cloud and hybrid security, particularly within Azure. Additional Requirements: Must hold or be eligible to achieve a minimum of Security Clearance (SC) level. Nice to have certifications (e.g., SC-200, AZ-500, GIAC) are desirable. Strong problem-solving and analytical skills. Excellent communication for clear documentation and team collaboration. Please follow Wheaton’s Law.
-
- New Business Sales Hunter | Cyber Security (UK Based)
- London
- To attract the right person
-
New Business Sales Hunter needed | Cybersecurity (UK Based) Are you looking for uncapped commission, a fun and sociable team that drives success with no politics? If so...You must Be UK based - and able to achieve UK SC clearance. (sorry no visas) Have a demonstrable history of sales success in Cyber Security Follow Weatons law. The role: Seeking a proven New Business Sales Hunter to join an established, successful and expanding cyber security firm. New business focused - £1m GP year one target (ramped). Sell a blend of security services & professional services. Ideal experience selling some or all of the following Cyber strategy & risk management Managed detection & response (MDR) Penetration testing Compliance & audit support You: Strong cybersecurity/IT services sales track record. Confident selling into mid-market & enterprise. UK based - London commutable 1x per week. Hunter mindset, full sales cycle ownership. Don't just send an email to apply give me a call on 07884666351
-
- CyberArk Architect
- London
- Upto £110,000 plus bonus and benefits
-
Are you ready to lead from the front and drive innovation in the Identity & Access Management (IAM) space? We’re looking for a seasoned CyberArk Architect who has CDE-CPC ideally or experience with privilege Cloud, someone who can lead with vision, execute with precision, and inspire teams to deliver excellence. As a key leader in our organisation, you’ll bring your strong business acumen and a technology-focused, innovative mindset to the table. You’ll be driving strategic initiatives, shaping transformation programs, and empowering teams to think big and deliver even bigger. Acting as a subject matter expert in CyberArk Leading strategic transformations in: Identity Governance Privileged Access Management (PAM) Access Management Customer Identity and Access Management (CIAM) Building and maintaining strong, collaborative relationships within the team Communicating clearly and confidently — both written and verbal — to deliver updates, raise potential issues, and share insights If you are interested in the above position we are looking for people with: deep expertise and a successful track record in IAM strategy, delivery, or assurance with CyberArk Hold relevant certifications such as CDE in Privileged Cloud or Guardian Have experience in a client-facing role (preferred, but not essential) Thrive in a hybrid working environment and are available to work from our or client London office three days a week Lead with clarity, communicate with impact, and adapt quickly to changing priorities