List of UK banks that are “secure by default”

By Stephen Kellett
13 December, 2017

Not the usual software post today. Something about website security, because that affects everyone. In particular I’m going to talk about the security of online banks and related organisations.

This post has been updated since I first wrote it. 3 banks have been added.

Natwest Online Banking

Two days ago I became aware that National Westminster Bank Plc’s website was not secure. The bits that do the online banking are secure, but the main website, which links to the secure bit, that isn’t secure. This is important because if the non-secure bits get compromised, by a man-in-the-middle attack, or by scripts injected into the site by your ISP then that can provide a means for compromising the access to the secure part of the website.

This important because although your bank may say go to this special page to login, that isn’t how people work. People remember the easy bit (the company name, say “Natwest” in this case), go to that website and then navigate from there to get to the login page. Because of this the whole site needs to be secure.

I raised this with Natwest via twitter, whose customer support team didn’t understand the issue. Which is understandable. I chained Troy Hunt in on the discussion, as he is a well known security researcher. A few hours later this all blew up on twitter and my notifications just became a blur as lots of people effectively told Natwest they were wrong. As I write this, it is still going strong.

One respondent even produced a video showing you a simulation of how this could be done. It’s not the same because he’s modifying his own page in the browser, but it is equivalent in many respects to how a man-in-the-middle-attack would work and is useful for non technical people to understand. His video is in this tweet. Scott Helme went a step further and created a video of the secure Natwest web page loading without any security, because the security had been removed.

Troy Hunt has written up a detailed post on the technical side of this.

Is it only Natwest?

I thought it would be interesting to look at each bank in the UK to see if when you visit their company homepage, is that secure by default? That is, is the page loaded by HTTPS? There are more tests than this that you could do, but that’s the baseline. If they can’t meet that then the other tests are meaningless.

Some banks provide the website in both http and https versions. This is bad practice. If someone visits the website as http then the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The results list the bank name, if the home page is secure or not and the URL of the page deemed to be the home page for the test.

The following key is used for the secure status:

YesThe site is secure, loaded via https
DualThe site can be loaded via http, or via https.
InvalidThe site loads via https, but the security certificate is invalid and thus the site is insecure.
PartialThe site loads via https, but loads some parts of the page without https. The site is insecure.
NoThe site is loaded via http, not via https.
FixedThe site is loaded via https, but at the time of first writing it was loaded via http.
??We could not find a website to evaluate.

Where possible we’ve tried to identify the appropriate home page (or equivalent) for each bank. In a few occasions that wasn’t possible to do.

We tested 163 UK banks. We found 60 banks that did not have a secure home page (not https or did have https with an invalid security certificate). That is 37% of UK banks have security vulnerabilities. Since publishing this article, 6 banks have responded by fixing their security.

BankSecureHome Page
Abbey National Treasury Services PlcYeshttps://www.santander.co.uk/uk/about-santander-uk/investor-relations/abbey-national-treasury-services-plc
ABC International Bank PlcYeshttps://www.bank-abc.com/world/ABCIB/en/Pages/default.aspx
Access Bank UK LimitedYeshttps://www.theaccessbankukltd.co.uk/
Adam & Company PlcYeshttps://www.adambank.com/
ADIB (UK) LtdNohttp://www.adib.co.uk/en/Pages/default.aspx
Ahli United Bank (UK) PLCNohttp://www.ahliunited.com/
AIB Group (UK) PlcYeshttps://group.aib.ie/
Airdrie Savings BankYeshttps://airdriesavingsbank.com/
Al Rayan Bank PLCYeshttps://www.alrayanbank.co.uk/
Aldermore Bank PlcYeshttps://www.aldermore.co.uk/
Alliance Trust Savings LimitedNohttp://www.alliancetrustsavings.co.uk/
Alpha Bank London LimitedNohttp://www.alpha-bank.uk/
ANZ Bank (Europe) LimitedYeshttps://www.anz.com/unitedkingdom/en/personal/
Arbuthnot Latham & Co LimitedNohttp://www.arbuthnotlatham.co.uk/
Atom Bank PLCYeshttps://www.atombank.co.uk/
Axis Bank UK LimitedYeshttps://www.onlineaxisbankuk.co.uk
Bank and Clients PLCNohttp://www.bankandclients.com/
Bank Leumi (UK) plcNohttp://www.bankleumi.co.uk/
Bank Mandiri (Europe) LimitedNohttp://www.bkmandiri.co.uk/
Bank of America Merrill Lynch International LimitedYeshttps://www.bofaml.com/content/boaml/en_us/home.html
Bank of BarodaYeshttps://www.bankofbaroda.com/
Bank of Beirut (UK) LtdNohttps://www.bankofbeirut.co.uk
Bank of Ceylon (UK) LtdNohttp://www.bankofceylon.co.uk/
Bank of China (UK) LtdNohttp://www.bankofchina.com/uk/
Bank of Communications (UK)Nohttp://www.uk.bankcomm.com/BankCommSite/shtml/ygzh/en/8848/list.shtml?channelId=8848
Bank of Cyprus UK LimitedNohttp://www.bankofcyprus.co.uk/
Bank of IndiaNohttp://www.bankofindia.co.in/english/home.aspx
Bank of Ireland (UK) PlcInvalidhttps://bankofirelanduk.com/
Bank of London and The Middle East plcYeshttps://www.blme.com/
Bank of New York Mellon (International) LimitedYeshttps://www.bnymellon.com/uk/en/index.jsp
Bank of Scotland plcYeshttps://www.bankofscotland.co.uk/
Bank of the Philippine Islands (Europe)Yeshttps://www.bpiexpressonline.com/p/0/165/bpi-europe
Bank Saderat PlcNohttp://www.saderat-plc.com/
Bank Sepah International PlcYeshttps://www.banksepah.co.uk/
Barclays Bank PlcYeshttps://www.barclays.co.uk/
BFC Exchange LtdYeshttps://www.bfcexchange.co.uk/
BIRA Bank LtdYeshttps://bira.co.uk/services/bank/
BMCE Bank International plcNohttp://www.bmce-intl.co.uk/disclaimer.html
British Arab Commercial Bank PlcYeshttps://www.bacb.co.uk/
Brown Shipley & Co LimitedYeshttps://www.brownshipley.com/
C Hoare & CoYeshttps://www.hoaresbank.co.uk/
CAF Bank LtdYeshttps://secure.cafbank.org/
Cambridge & Counties Bank LimitedYeshttps://ccbank.co.uk/
Cater Allen LimitedYeshttps://www.caterallen.co.uk/
Charity Bank LimitedYeshttps://charitybank.org/
Charter Court Financial Services LimitedNohttp://www.chartercourtfs.co.uk/
China Construction Bank (London) LimitedNohttp://www.uk.ccb.com/london/en/index.html
CIBC World Markets PlcNohttp://www.cibcwm.com/cibc-eportal-web/portal/wm?pageId=home&language=en_CA
ClearBank LtdYeshttps://www.clear.bank/
Close Brothers LimitedYeshttps://www.closebrothers.com/
Clydesdale Bank Plc CYBG plcNohttp://www.cybg.com/
Co-operative Bank PlcDualhttp://www.co-operativebank.co.uk/
Coutts & CompanyYeshttps://www.coutts.com/
Credit Suisse (UK) LimitedYeshttps://www.credit-suisse.com/uk/en.html
Credit Suisse International Credit SuisseYeshttps://www.credit-suisse.com/uk/en/investment-banking/financial-regulatory/international.html
Crown Agents Bank LimitedNohttp://www.crownagentsbank.com/
DB UK Bank LimitedYeshttps://www.db.com/unitedkingdom/
Diamond Bank (UK) PlcYeshttps://diamondbankukplc.com/
Duncan Lawrie LimitedNohttp://www.camellia.plc.uk/duncan-lawrie
EFG Private Bank LimitedYeshttps://www.efgl.com/
Europe Arab Bank plcYeshttps://www.eabplc.com/
First DirectNohttp://www1.firstdirect.com/1/2/
FBN Bank (UK) LtdNohttp://www.fbnbank.co.uk/
FCE Bank PlcNohttp://www.fcebank.com/
FCMB Bank (UK) LimitedYeshttps://www.fcmbuk.com/
Gatehouse Bank PlcNohttp://www.gatehousebank.com/
GE Capital Bank Limited GE CapitalNohttp://www.gecapital.co.uk/en/
Ghana International Bank PlcNohttp://www.ghanabank.co.uk/
Goldman Sachs International BankNohttp://www.goldmansachs.com/
Guaranty Trust Bank (UK) LimitedYeshttps://www.gtbankuk.com/
Gulf International Bank (UK) LimitedYeshttps://www.gib.com/
Habib Bank Zurich PlcNohttp://www.habibbank.com/uk/home/ukHome.html
Habibsons Bank LimitedNohttp://habibbankuk.com/
HalifaxFixedhttp://www.halifax.co.uk/
Hampden & Co PlcYeshttps://www.hampdenandco.com/
Hampshire Trust Bank PlcYeshttps://www.htb.co.uk/
Harrods Bank LtdYeshttps://www.harrodsbank.co.uk/
Havin Bank LtdNohttp://www.havanaintbank.co.uk/
HSBC Bank PlcYeshttps://www.hsbc.co.uk/1/2/
HSBC Private Bank (UK) LimitedYeshttps://www.hsbcprivatebank.com/en
HSBC Trust Company (UK) Ltd??
ICBC (London) plcNohttp://www.icbclondon.com/icbc/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BC%A6%E6%95%A6%E7%BD%91%E7%AB%99/en/
ICBC Standard Bank PlcYeshttps://www.icbcstandardbank.com/CorporateSite
ICICI Bank UK PlcNohttp://www.icicibank.co.uk/
Investec Bank PLCYeshttps://www.investec.com/en_gb.html
Itau BBA International PLCYeshttps://www.itau.com.br/itaubba-en
J.P. Morgan Europe LimitedYeshttps://www.jpmorgan.com/country/GB/en/jpmorgan
J.P. Morgan International Bank Limited??
J.P. Morgan Securities plcYeshttps://www.jpmorgansecurities.com/
Jordan International Bank PlcNohttp://www.jordanbank.co.uk/
Julian Hodge Bank LimitedYeshttps://www.hodgebank.co.uk/
Kexim Bank (UK) LtdNohttp://srssprojects.in/aboutus.html
Kingdom Bank LtdYeshttps://www.kingdom.bank/
Kleinwort Benson Bank LtdYeshttps://www.kleinworthambros.com/en/
Kookmin Bank International LimitedYeshttps://www.kbfg.com/Eng/
Lloyds Bank PlcYeshttps://www.lloydsbank.com/
Lloyds Bank Private Banking LimitedFixedhttp://www.lloydsbank.com/private-banking/home.asp
Lloyds Banking GroupNohttp://www.lloydsbankinggroup.com/
Macquarie Bank International LtdYeshttps://www.macquarie.com/uk/corporate
Marks & Spencer Financial Services PlcYeshttps://bank.marksandspencer.com/
Masthaven Bank LimitedYeshttps://www.masthaven.co.uk/
Melli Bank plcNohttp://www.mellibank.com/
Methodist Chapel Aid LimitedYeshttps://www.mcafundingforchurches.co.uk/
Metro Bank PLCYeshttps://www.metrobankonline.co.uk/
Mizuho International PlcYeshttps://www.mizuho-emea.com/
Monzo Bank LtdYeshttps://monzo.com/
Morgan Stanley Bank International LimitedYeshttps://www.morganstanley.com/
National Bank of Egypt (UK) LimitedNohttp://www.nbeuk.com/
National Bank of Kuwait (International) PlcYeshttps://nbk.com/
National Westminster Bank PlcFixedhttp://personal.natwest.com/
Natwest InternationalFixedhttp://www.natwestinternational.com/nw/personal-banking.ashx
Nationwide Building SocietyYeshttps://www.nationwide.co.uk/
Nomura Bank International PlcNohttp://www.nomura.com/
Northern Bank LimitedNohttp://danskebank.co.uk/personal
Northern Trust Global Services LtdYeshttps://www.northerntrust.com/
OakNorth Bank LimitedYeshttps://www.oaknorth.com/
OneSavings Bank PlcNohttp://www.osb.co.uk/
Paragon Bank PlcYeshttps://www.paragonbank.co.uk/
PCF Group Holdings LtdYeshttps://pcf.bank/
Persia International Bank PlcNohttp://persiabank.co.uk/
Philippine National Bank (Europe) PlcNohttp://www.pnb.com.ph/europe/
Punjab National Bank (International) LimitedYeshttps://www.pnbint.com/
QIB (UK) PlcYeshttps://www.qib-uk.com/en/index.aspx
R. Raphael & Sons PlcYeshttps://www.raphaelsbank.com/
Rathbone Investment Management LimitedYeshttps://www.rathbones.com/
RBC Europe LimitedNohttp://www.rbc.com/contactus/rbc_europe.html
Reliance Bank LtdNohttp://www.reliancebankltd.com/
RevolutYeshttps://www.revolut.com/?lang=en
Royal Bank of Scotland PlcNohttp://personal.rbs.co.uk/personal.html
Sainsbury’s Bank PlcYeshttps://www.sainsburysbank.co.uk/
Santander UK PlcYeshttps://www.santander.co.uk/uk/index
Schroder & Co LtdNohttp://www.schroders.com/
Scotiabank Europe PlcNohttp://www.scotiabank.com/global/en/0,,6182,00.html
Scottish Widows Bank PlcNohttp://www.scottishwidows.co.uk/bank/
Secure Trust Bank PlcYeshttps://www.securetrustbank.com/
SG Hambros Bank LimitedYeshttps://www.societegenerale.co.uk/en/worldwide-details/office/head-office/
Shawbrook Bank LimitedYeshttps://www.shawbrook.co.uk/
Smith & Williamson Investment Services LimitedNohttp://smithandwilliamson.com/
Sonali Bank (UK) LimitedNohttp://www.sonali-bank.com/
Standard Chartered BankYeshttps://www.sc.com/en/
Starling Bank LimitedYeshttps://www.starlingbank.com/
State Bank of IndiaYeshttps://www.onlinesbi.com/
Sumitomo Mitsui Banking Corporation Europe LimitedYeshttps://www.smbcgroup.com/emea/info/smbce
Tandem Bank LimitedYeshttps://www.tandem.co.uk/
TD Bank Europe LimitedYeshttps://www.td.com/about-tdbfg/our-business/index.jsp
Tesco Personal Finance PlcNohttp://www.tescobank.com/
TSB Bank plcYeshttps://www.tsb.co.uk/personal/
Turkish Bank (UK) LtdYeshttps://www.turkishbank.co.uk/
UBS LimitedYeshttps://www.ubs.com/uk/en.html
Ulster Bank LtdFixedhttp://digital.ulsterbank.co.uk/
Union Bank of India (UK) LimitedYeshttps://www.unionbankofindiauk.co.uk/
Union Bank UK PlcYeshttps://www.unionbankuk.co.uk/netbanking/
United National Bank LimitedYeshttps://www.ubluk.com/
United Trust Bank LimitedYeshttps://www.utbank.co.uk/
Unity Trust Bank PlcYeshttps://www.unity.co.uk/
Vanquis Bank LimitedYeshttps://www.vanquis.co.uk/
Virgin Money plcYeshttps://uk.virginmoney.com/virgin/
VTB Capital plcYeshttps://www.vtbcapital.com/
Weatherbys Bank LimitedYeshttps://www.weatherbys.bank/
Wesleyan Bank LimitedYeshttps://www.wesleyan.co.uk/wesleyan-bank/
Westpac Europe LtdYeshttps://www.westpac.com.au/about-westpac/global-locations/westpac-uk/
Wyelands Bank PlcYeshttps://www.wyelandsbank.co.uk/
Zenith Bank (UK) LimitedNohttp://www.zenith-bank.co.uk/

An earlier version of this post also commented on Building Societies. That data has been moved to a separate post to make examining the data easier.

Commentary

From the above, we’re only commenting on the security of the home page. It’s possible that secure pages link to non-secure pages and also possible that non-secure pages link to secure pages. Either is not good. All pages in a bank should be secure. If in doubt, follow the link to the bank yourself and make your own judgement. We list the above for your information, not to endorse a particular bank or to discredit a particular bank. Although that said, you should have a serious chat with your bank if it is listed above and is not secure.

Of the banks above, Airdrie Savings Bank stands out. It is no longer in business and yet it still provides a secure website.

Axis Bank UK Limited had two websites. One had a 2014 copyright date, the other 2017. We tested the 2017 website.

Ulster Bank had multiple websites. One was secure. One was not. The non-secure website was the first listing in a Google search.

Lloyds bank is worrying. The home page was secure, but the private banking page was not secure, but had a link to the standard log in page. Not good.

The Co-operative bank provides both http and https versions of it site. Mobile users only get the http version (tested on Android). On the desktop customers can either http or https. This needs to be fixed. https only should be served to desktop and mobile visitors.

The Bank of England passes this test, but you can’t have an account there, so we haven’t included it in our test results.

If you find any mistakes, or have additional institutions you’d like me to look at, please get in touch. @softwareverify on twitter or email customer support.

Additional Reading

If you want to know more about securing your website with HTTPS and additional measures, read this excellent article on the 6 step happy path to HTTPS by Troy Hunt.

Reference list of banks. https://en.wikipedia.org/wiki/List_of_banks_in_the_United_Kingdom

Disclaimer

I shouldn’t need to point this out, but i will, all the same, just to be clear.

The data provided on this page should taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisations security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https on not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

Fully functional, free for 30 days