List of UK stock trading websites that are not secure by default

This is one of several posts of the topic of security of websites. Inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable. So that data on one institution is not mixed with data on another type of institution.

I thought it would be interesting to look at each bank in the UK to see if when you visit their company homepage, is that secure by default? That is, is the page loaded by HTTPS? There are more tests than this that you could do, but that’s the baseline. If they can’t meet that then the other tests are meaningless.

Some banks provide the website in both http and https versions. This is bad practice. If someone visits the website as http then the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The following key is used for the secure status:

Yes	The site is secure, loaded via https
Dual	The site can be loaded via http, or via https.
Invalid	The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial	The site loads via https, but loads some parts of the page without https. The site is insecure.
No	The site is loaded via http, not via https.
Fixed	The site is loaded via https, but at the time of first writing it was loaded via http.
??	We could not find a website to evaluate.

We tested 66 stock trading websites, most of them based in the UK. We found 20 stock trading websites that did not have a secure home page (not https or did have https with an invalid security certificate). That is 30% of stock trading websites have security vulnerabilities.

Some of the websites shown below no longer have active links. For those websites we have listed the URL but removed the non-working link.

Stock Trader	Secure	Home Page
Alliance Trust Saving	Yes	https://atonline.alliancetrust.co.uk/atonline/login.jsp
ANZ	Yes	https://shareinvesting.anz.com/home.aspx
Angel Broking	No	http://www.angelbroking.com/online-share-trading
Bank of Scotland	Yes	https://www.bankofscotland.co.uk/
Barclays	Yes	https://www.smartinvestor.barclays.co.uk/campaign/investment-account.html
Barclays Trading Hub	Yes	https://www.barclaystradinghub.co.uk/home/what-is-cfd-trading/spread-trading-versus-contracts-for-difference.html
Beaufort Securities	Yes	https://www.beaufortsecurities.com/online-share-dealing-t-14
Belforfx	No	http://bonus.belforfx.com
Broker Direct	Yes	https://www.brokerdirect.co.uk/News/ShareTradingNew.aspx
Charles Schwab	No	http://www.schwab.co.uk/public/schwab-uk-en/us-investing
Charles Stanley Direct	Yes	https://www.charles-stanley-direct.co.uk
Citi	Yes	https://www.citibank.co.uk/personal/equities.do
City Index	Yes	https://www.cityindex.co.uk/share-trading/
CMC Markets	Yes	https://www.cmcmarkets.com/en-au/markets-shares
Computershare	Yes	https://www.computershare.trade/
Degiro	Yes	https://www.degiro.co.uk/
Digital Look	No	http://www.digitallook.com
Direct Market Touch	Yes	https://www.directmarkettouch.com/
Etoro	Yes	https://www.etoro.com/
Easy Share Trading	Yes	https://easysharetrading.co.uk/stocks-and-shares-courses/
ETrade	Yes	https://us.etrade.com/home
ETX Capital	Yes	https://www.etxcapital.co.uk/equities-trading
Equiniti share view	No	http://www.shareview.co.uk/4/Info/Portfolio/Default/en/Home/Pages/Home.aspx
Fair Investment Company	No	http://www.fairinvestment.co.uk/uk_share_trading.aspx
Fantasy Stock Exchange	No	http://www.fantasystockexchange.biz/
FCMB Group Plc	No	http://fcmbgroup.com/share-trading-policy
First Direct	No	http://www1.firstdirect.com/1/2/savings-and-investments/sharedealing
Fortrade	Yes	https://www.fortrade.com/
Free Trade	Yes	https://freetrade.io/
FxPro	Yes	https://www.fxpro.co.uk/trading/shares
Get Stocks	Yes	https://getstocks.com
Halifax	Yes	https://www.halifax.co.uk/sharedealing/our-accounts/share-dealing-account/Default.asp
Hargreaves Lansdown	No	http://www.hl.co.uk/investment-services/fund-and-share-account
HSBC	Yes	https://investments.hsbc.co.uk/product/9/sharedealing
IG	Yes	https://www.ig.com/uk/shares
Interactive investor	No	http://www.iii.co.uk/
Internaxx	Yes	https://www.internaxx.com/
iDealing	Yes	https://www.idealing.com/en/index
iWeb	No	http://www.iweb-sharedealing.co.uk/share-dealing-home.asp
Lloyds Bank	Yes	https://www.lloydsbank.com/share-dealing/share-dealing-account.asp
London Capital Group	Yes	https://www.lcg.com/uk/
London South East	No	http://www.lse.co.uk/share-trading/
Natwest Invest	Yes	https://personal.natwest.com/personal/investments/natwest_invest/natwest-invest.html
Plus 500	Yes	https://www.plus500.co.uk/Trading/Stocks
Redmayne Bentley	Yes	https://www.redmayne.co.uk/stockbroking
Religare broking	No	http://www.religareonline.com/
RHB Trade Smart	Yes	https://rhbtradesmart.com/
Saga share direct	Yes	http://www.sagasharedirect.co.uk/
Saxo Capital Markets	Yes	https://www.home.saxo/en-gb
Self Trade	Yes	https://selftrade.co.uk/
Shareprices.com	Yes	https://shareprices.com/trading/
Share Scope	Yes	https://www.sharescope.co.uk/
Stock Trade	No	http://www.stocktrade.co.uk/
Sure Trader	Yes	https://www.suretrader.com/
SVS XO	Yes	https://svsxo.com/
The share centre	Yes	https://www.share.com/share-account/
Westpac	Yes	https://www.westpac.com.au/personal-banking/investments/share-trading/
UAEXChange	No	http://www.uaeexchange-etrade.com/
UK Trading View	Yes	https://uk.tradingview.com/
Virgin Money	Yes	https://uk.virginmoney.com/virgin/isa/stocks-and-shares/#
Which Way To Pay	No	http://www.whichwaytopay.com/compare-share-dealing-summary.asp
XM	Yes	https://www.xm.co.uk/
XO	No	http://www.x-o.co.uk/
XTB	Yes	https://www.xtb.com/en
Yorkshire Building Society	No	http://sharedealing.ybs.co.uk/
You Invest	Yes	https://www.youinvest.co.uk/dealing-account

Charles Schwab & First Direct

First Direct were the first bank without a bank branch in the UK. That is they’ve always been online only. But their website is not secure by default. It is vulnerable to a man in the middle attack.

Charles Schwab was one of the very first share trading sites aimed at making share trading easy, even for non-experts. As such they’ve been around for a long time. But their website is not secure by default. It is vulnerable to a man in the middle attack.

Just because a business is established, that doesn’t mean you can trust their security.

Fantasy Stock Exchange

Fantasy Stock Exchange is website where children can go to trade pretend stocks and shares. To understand what is happening without any financial risks. It’s an interesting idea. But it’s not secure by default. Anything where children are involved I’d like to think that is secure, we read enough unpleasant stuff about grooming in other environments without their accounts being at risk as well.

Insecure Login

Most of these insecure websites are secure when you try to login, but not secure on the homepage. That makes them vulnerable to a man in the middle attack. However, one stock trading site, Digital Look, is completely insecure, even the login page is not secure, and has a remember me option!

Insecure Browser Extension

Another website was so problematic that we could not visit the website without being forced to install a chrome extension, that was allegedly to improve our security while using their site. The problems with this is are numerous:

• The extension is downloaded from a non-disclosed location (you can’t see where it’s downloaded from, a website name briefly flashes past that is not destination website).
• The extension is download from a non-secure location. Thus it could be anything.
• You can’t verify anything about the extension before installing it in Chrome.
• Whether you choose to install an extension in order to view a website should be a choice, not mandatory.

We were going to name this company, but when we later tried to reproduce this to get some screenshots of this dangerous chrome extension behaviour could not be repeated. If you see behaviour like this with a website please let us know.

Guest posts

No, we’re not interested in having a guest post about finance related topics. These articles are about security, not finance.