List of UK banks that are “secure by default”

By Stephen Kellett

13 December, 2017

Not the usual software post today. Something about website security, because that affects everyone. In particular I’m going to talk about the security of online banks and related organisations.

This post has been updated since I first wrote it. 3 banks have been added.

Natwest Online Banking

Two days ago I became aware that National Westminster Bank Plc’s website was not secure. The bits that do the online banking are secure, but the main website, which links to the secure bit, that isn’t secure. This is important because if the non-secure bits get compromised, by a man-in-the-middle attack, or by scripts injected into the site by your ISP then that can provide a means for compromising the access to the secure part of the website.

This important because although your bank may say go to this special page to login, that isn’t how people work. People remember the easy bit (the company name, say “Natwest” in this case), go to that website and then navigate from there to get to the login page. Because of this the whole site needs to be secure.

I raised this with Natwest via twitter, whose customer support team didn’t understand the issue. Which is understandable. I chained Troy Hunt in on the discussion, as he is a well known security researcher. A few hours later this all blew up on twitter and my notifications just became a blur as lots of people effectively told Natwest they were wrong. As I write this, it is still going strong.

One respondent even produced a video showing you a simulation of how this could be done. It’s not the same because he’s modifying his own page in the browser, but it is equivalent in many respects to how a man-in-the-middle-attack would work and is useful for non technical people to understand. His video is in this tweet. Scott Helme went a step further and created a video of the secure Natwest web page loading without any security, because the security had been removed.

Troy Hunt has written up a detailed post on the technical side of this.

Is it only Natwest?

I thought it would be interesting to look at each bank in the UK to see if when you visit their company homepage, is that secure by default? That is, is the page loaded by HTTPS? There are more tests than this that you could do, but that’s the baseline. If they can’t meet that then the other tests are meaningless.

Some banks provide the website in both http and https versions. This is bad practice. If someone visits the website as http then the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The results list the bank name, if the home page is secure or not and the URL of the page deemed to be the home page for the test.

The following key is used for the secure status:

Yes	The site is secure, loaded via https
Dual	The site can be loaded via http, or via https.
Invalid	The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial	The site loads via https, but loads some parts of the page without https. The site is insecure.
No	The site is loaded via http, not via https.
Fixed	The site is loaded via https, but at the time of first writing it was loaded via http.
??	We could not find a website to evaluate.

Where possible we’ve tried to identify the appropriate home page (or equivalent) for each bank. In a few occasions that wasn’t possible to do.

We tested 163 UK banks. We found 60 banks that did not have a secure home page (not https or did have https with an invalid security certificate). That is 37% of UK banks have security vulnerabilities. Since publishing this article, 6 banks have responded by fixing their security.

Some of the banks shown below no longer have active links. For those banks we have listed the URL but removed the non-working link.

Bank	Secure	Home Page
Abbey National Treasury Services Plc	Yes	https://www.santander.co.uk/uk/about-santander-uk/investor-relations/abbey-national-treasury-services-plc
ABC International Bank Plc	Yes	https://www.bank-abc.com/world/ABCIB/en/Pages/default.aspx
Access Bank UK Limited	Yes	https://www.theaccessbankukltd.co.uk/
Adam & Company Plc	Yes	https://www.adambank.com/
ADIB (UK) Ltd	No	http://www.adib.co.uk/en/Pages/default.aspx
Ahli United Bank (UK) PLC	No	http://www.ahliunited.com/
AIB Group (UK) Plc	Yes	https://group.aib.ie/
Airdrie Savings Bank	Yes	https://airdriesavingsbank.com/
Al Rayan Bank PLC	Yes	https://www.alrayanbank.co.uk/
Aldermore Bank Plc	Yes	https://www.aldermore.co.uk/
Alliance Trust Savings Limited	No	http://www.alliancetrustsavings.co.uk/
Alpha Bank London Limited	No	http://www.alpha-bank.uk/
ANZ Bank (Europe) Limited	Yes	https://www.anz.com/unitedkingdom/en/personal/
Arbuthnot Latham & Co Limited	No	http://www.arbuthnotlatham.co.uk/
Atom Bank PLC	Yes	https://www.atombank.co.uk/
Axis Bank UK Limited	Yes	https://www.onlineaxisbankuk.co.uk
Bank and Clients PLC	No	http://www.bankandclients.com/
Bank Leumi (UK) plc	No	http://www.bankleumi.co.uk/
Bank Mandiri (Europe) Limited	No	http://www.bkmandiri.co.uk/
Bank of America Merrill Lynch International Limited	Yes	https://www.bofaml.com/content/boaml/en_us/home.html
Bank of Baroda	Yes	https://www.bankofbaroda.com/
Bank of Beirut (UK) Ltd	No	https://www.bankofbeirut.co.uk
Bank of Ceylon (UK) Ltd	No	http://www.bankofceylon.co.uk/
Bank of China (UK) Ltd	No	http://www.bankofchina.com/uk/
Bank of Communications (UK)	No	http://www.uk.bankcomm.com/BankCommSite/shtml/ygzh/en/8848/list.shtml?channelId=8848
Bank of Cyprus UK Limited	No	http://www.bankofcyprus.co.uk/
Bank of India	No	http://www.bankofindia.co.in/english/home.aspx
Bank of Ireland (UK) Plc	Invalid	https://bankofirelanduk.com/
Bank of London and The Middle East plc	Yes	https://www.blme.com/
Bank of New York Mellon (International) Limited	Yes	https://www.bnymellon.com/uk/en/index.jsp
Bank of Scotland plc	Yes	https://www.bankofscotland.co.uk/
Bank of the Philippine Islands (Europe)	Yes	https://www.bpiexpressonline.com/p/0/165/bpi-europe
Bank Saderat Plc	No	http://www.saderat-plc.com/
Bank Sepah International Plc	Yes	https://www.banksepah.co.uk/
Barclays Bank Plc	Yes	https://www.barclays.co.uk/
BFC Exchange Ltd	Yes	https://www.bfcexchange.co.uk/
BIRA Bank Ltd	Yes	https://bira.co.uk/services/bank/
BMCE Bank International plc	No	http://www.bmce-intl.co.uk/disclaimer.html
British Arab Commercial Bank Plc	Yes	https://www.bacb.co.uk/
Brown Shipley & Co Limited	Yes	https://www.brownshipley.com/
C Hoare & Co	Yes	https://www.hoaresbank.co.uk/
CAF Bank Ltd	Yes	https://secure.cafbank.org/
Cambridge & Counties Bank Limited	Yes	https://ccbank.co.uk/
Cater Allen Limited	Yes	https://www.caterallen.co.uk/
Charity Bank Limited	Yes	https://charitybank.org/
Charter Court Financial Services Limited	No	http://www.chartercourtfs.co.uk/
China Construction Bank (London) Limited	No	http://www.uk.ccb.com/london/en/index.html
CIBC World Markets Plc	No	http://www.cibcwm.com/cibc-eportal-web/portal/wm?pageId=home&language=en_CA
ClearBank Ltd	Yes	https://www.clear.bank/
Close Brothers Limited	Yes	https://www.closebrothers.com/
Clydesdale Bank Plc CYBG plc	No	http://www.cybg.com/
Co-operative Bank Plc	Dual	http://www.co-operativebank.co.uk/
Coutts & Company	Yes	https://www.coutts.com/
Credit Suisse (UK) Limited	Yes	https://www.credit-suisse.com/uk/en.html
Credit Suisse International Credit Suisse	Yes	https://www.credit-suisse.com/uk/en/investment-banking/financial-regulatory/international.html
Crown Agents Bank Limited	No	http://www.crownagentsbank.com/
DB UK Bank Limited	Yes	https://www.db.com/unitedkingdom/
Diamond Bank (UK) Plc	Yes	https://diamondbankukplc.com/
Duncan Lawrie Limited	No	http://www.camellia.plc.uk/duncan-lawrie
EFG Private Bank Limited	Yes	https://www.efgl.com/
Europe Arab Bank plc	Yes	https://www.eabplc.com/
First Direct	No	http://www1.firstdirect.com/1/2/
FBN Bank (UK) Ltd	No	http://www.fbnbank.co.uk/
FCE Bank Plc	No	http://www.fcebank.com/
FCMB Bank (UK) Limited	Yes	https://www.fcmbuk.com/
Gatehouse Bank Plc	No	http://www.gatehousebank.com/
GE Capital Bank Limited GE Capital	No	http://www.gecapital.co.uk/en/
Ghana International Bank Plc	No	http://www.ghanabank.co.uk/
Goldman Sachs International Bank	No	http://www.goldmansachs.com/
Guaranty Trust Bank (UK) Limited	Yes	https://www.gtbankuk.com/
Gulf International Bank (UK) Limited	Yes	https://www.gib.com/
Habib Bank Zurich Plc	No	http://www.habibbank.com/uk/home/ukHome.html
Habibsons Bank Limited	No	http://habibbankuk.com/
Halifax	Fixed	http://www.halifax.co.uk/
Hampden & Co Plc	Yes	https://www.hampdenandco.com/
Hampshire Trust Bank Plc	Yes	https://www.htb.co.uk/
Harrods Bank Ltd	Yes	https://www.harrodsbank.co.uk/
Havin Bank Ltd	No	http://www.havanaintbank.co.uk/
HSBC Bank Plc	Yes	https://www.hsbc.co.uk/1/2/
HSBC Private Bank (UK) Limited	Yes	https://www.hsbcprivatebank.com/en
HSBC Trust Company (UK) Ltd	??
ICBC (London) plc	No	http://www.icbclondon.com/icbc/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BC%A6%E6%95%A6%E7%BD%91%E7%AB%99/en/
ICBC Standard Bank Plc	Yes	https://www.icbcstandardbank.com/CorporateSite
ICICI Bank UK Plc	No	http://www.icicibank.co.uk/
Investec Bank PLC	Yes	https://www.investec.com/en_gb.html
Itau BBA International PLC	Yes	https://www.itau.com.br/itaubba-en
J.P. Morgan Europe Limited	Yes	https://www.jpmorgan.com/country/GB/en/jpmorgan
J.P. Morgan International Bank Limited	??
J.P. Morgan Securities plc	Yes	https://www.jpmorgansecurities.com/
Jordan International Bank Plc	No	http://www.jordanbank.co.uk/
Julian Hodge Bank Limited	Yes	https://www.hodgebank.co.uk/
Kexim Bank (UK) Ltd	No	http://srssprojects.in/aboutus.html
Kingdom Bank Ltd	Yes	https://www.kingdom.bank/
Kleinwort Benson Bank Ltd	Yes	https://www.kleinworthambros.com/en/
Kookmin Bank International Limited	Yes	https://www.kbfg.com/Eng/
Lloyds Bank Plc	Yes	https://www.lloydsbank.com/
Lloyds Bank Private Banking Limited	Fixed	http://www.lloydsbank.com/private-banking/home.asp
Lloyds Banking Group	No	http://www.lloydsbankinggroup.com/
Macquarie Bank International Ltd	Yes	https://www.macquarie.com/uk/corporate
Marks & Spencer Financial Services Plc	Yes	https://bank.marksandspencer.com/
Masthaven Bank Limited	Yes	https://www.masthaven.co.uk/
Melli Bank plc	No	http://www.mellibank.com/
Methodist Chapel Aid Limited	Yes	https://www.mcafundingforchurches.co.uk/
Metro Bank PLC	Yes	https://www.metrobankonline.co.uk/
Mizuho International Plc	Yes	https://www.mizuho-emea.com/
Monzo Bank Ltd	Yes	https://monzo.com/
Morgan Stanley Bank International Limited	Yes	https://www.morganstanley.com/
National Bank of Egypt (UK) Limited	No	http://www.nbeuk.com/
National Bank of Kuwait (International) Plc	Yes	https://nbk.com/
National Westminster Bank Plc	Fixed	http://personal.natwest.com/
Natwest International	Fixed	http://www.natwestinternational.com/nw/personal-banking.ashx
Nationwide Building Society	Yes	https://www.nationwide.co.uk/
Nomura Bank International Plc	No	http://www.nomura.com/
Northern Bank Limited	No	http://danskebank.co.uk/personal
Northern Trust Global Services Ltd	Yes	https://www.northerntrust.com/
OakNorth Bank Limited	Yes	https://www.oaknorth.com/
OneSavings Bank Plc	No	http://www.osb.co.uk/
Paragon Bank Plc	Yes	https://www.paragonbank.co.uk/
PCF Group Holdings Ltd	Yes	https://pcf.bank/
Persia International Bank Plc	No	http://persiabank.co.uk/
Philippine National Bank (Europe) Plc	No	http://www.pnb.com.ph/europe/
Punjab National Bank (International) Limited	Yes	https://www.pnbint.com/
QIB (UK) Plc	Yes	https://www.qib-uk.com/en/index.aspx
R. Raphael & Sons Plc	Yes	https://www.raphaelsbank.com/
Rathbone Investment Management Limited	Yes	https://www.rathbones.com/
RBC Europe Limited	No	http://www.rbc.com/contactus/rbc_europe.html
Reliance Bank Ltd	No	http://www.reliancebankltd.com/
Revolut	Yes	https://www.revolut.com/?lang=en
Royal Bank of Scotland Plc	No	http://personal.rbs.co.uk/personal.html
Sainsbury’s Bank Plc	Yes	https://www.sainsburysbank.co.uk/
Santander UK Plc	Yes	https://www.santander.co.uk/uk/index
Schroder & Co Ltd	No	http://www.schroders.com/
Scotiabank Europe Plc	No	http://www.scotiabank.com/global/en/0,,6182,00.html
Scottish Widows Bank Plc	No	http://www.scottishwidows.co.uk/bank/
Secure Trust Bank Plc	Yes	https://www.securetrustbank.com/
SG Hambros Bank Limited	Yes	https://www.societegenerale.co.uk/en/worldwide-details/office/head-office/
Shawbrook Bank Limited	Yes	https://www.shawbrook.co.uk/
Smith & Williamson Investment Services Limited	No	http://smithandwilliamson.com/
Sonali Bank (UK) Limited	No	http://www.sonali-bank.com/
Standard Chartered Bank	Yes	https://www.sc.com/en/
Starling Bank Limited	Yes	https://www.starlingbank.com/
State Bank of India	Yes	https://www.onlinesbi.com/
Sumitomo Mitsui Banking Corporation Europe Limited	Yes	https://www.smbcgroup.com/emea/info/smbce
Tandem Bank Limited	Yes	https://www.tandem.co.uk/
TD Bank Europe Limited	Yes	https://www.td.com/about-tdbfg/our-business/index.jsp
Tesco Personal Finance Plc	No	http://www.tescobank.com/
TSB Bank plc	Yes	https://www.tsb.co.uk/personal/
Turkish Bank (UK) Ltd	Yes	https://www.turkishbank.co.uk/
UBS Limited	Yes	https://www.ubs.com/uk/en.html
Ulster Bank Ltd	Fixed	http://digital.ulsterbank.co.uk/
Union Bank of India (UK) Limited	Yes	https://www.unionbankofindiauk.co.uk/
Union Bank UK Plc	Yes	https://www.unionbankuk.co.uk/netbanking/
United National Bank Limited	Yes	https://www.ubluk.com/
United Trust Bank Limited	Yes	https://www.utbank.co.uk/
Unity Trust Bank Plc	Yes	https://www.unity.co.uk/
Vanquis Bank Limited	Yes	https://www.vanquis.co.uk/
Virgin Money plc	Yes	https://uk.virginmoney.com/virgin/
VTB Capital plc	Yes	https://www.vtbcapital.com/
Weatherbys Bank Limited	Yes	https://www.weatherbys.bank/
Wesleyan Bank Limited	Yes	https://www.wesleyan.co.uk/wesleyan-bank/
Westpac Europe Ltd	Yes	https://www.westpac.com.au/about-westpac/global-locations/westpac-uk/
Wyelands Bank Plc	Yes	https://www.wyelandsbank.co.uk/
Zenith Bank (UK) Limited	No	http://www.zenith-bank.co.uk/

An earlier version of this post also commented on Building Societies. That data has been moved to a separate post to make examining the data easier.

Commentary

From the above, we’re only commenting on the security of the home page. It’s possible that secure pages link to non-secure pages and also possible that non-secure pages link to secure pages. Either is not good. All pages in a bank should be secure. If in doubt, follow the link to the bank yourself and make your own judgement. We list the above for your information, not to endorse a particular bank or to discredit a particular bank. Although that said, you should have a serious chat with your bank if it is listed above and is not secure.

Of the banks above, Airdrie Savings Bank stands out. It is no longer in business and yet it still provides a secure website.

Axis Bank UK Limited had two websites. One had a 2014 copyright date, the other 2017. We tested the 2017 website.

Ulster Bank had multiple websites. One was secure. One was not. The non-secure website was the first listing in a Google search.

Lloyds bank is worrying. The home page was secure, but the private banking page was not secure, but had a link to the standard log in page. Not good.

The Co-operative bank provides both http and https versions of it site. Mobile users only get the http version (tested on Android). On the desktop customers can either http or https. This needs to be fixed. https only should be served to desktop and mobile visitors.

The Bank of England passes this test, but you can’t have an account there, so we haven’t included it in our test results.

If you find any mistakes, or have additional institutions you’d like me to look at, please get in touch. @softwareverify on twitter or email customer support.

Additional Reading

If you want to know more about securing your website with HTTPS and additional measures, read this excellent article on the 6 step happy path to HTTPS by Troy Hunt.

Reference list of banks. https://en.wikipedia.org/wiki/List_of_banks_in_the_United_Kingdom

Disclaimer

I shouldn’t need to point this out, but i will, all the same, just to be clear.

The data provided on this page should taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisations security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https on not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

Guest posts

No, we’re not interested in having a guest post about finance related topics. These articles are about security, not finance.

Additional Reading

Getting code coverage for a child process?

List of UK Building Societies that are secure by default

List of UK banks that are “secure by default”

Natwest Online Banking

Is it only Natwest?

Commentary

Additional Reading

Disclaimer

Guest posts

Additional Reading

Improve your software quality.

Application, Service or Webserver? Native, .Net, .Net Core or Mixed Mode?

Interactive, command line, build server or test suite?

Debug your hardest problems using our software tools.

List of UK banks that are “secure by default”

Natwest Online Banking

Is it only Natwest?

Commentary

Additional Reading

Disclaimer

Guest posts

Additional Reading

Improve your software quality.

Application, Service or Webserver? Native, .Net, .Net Core or Mixed Mode?Interactive, command line, build server or test suite?Debug your hardest problems using our software tools.

Application, Service or Webserver? Native, .Net, .Net Core or Mixed Mode?

Interactive, command line, build server or test suite?

Debug your hardest problems using our software tools.