Are online banks safe?

Published on 09 December 2016.
Last updated on 09 December 2016


Thousands of online customers of Tesco Bank recently discovered the hard way that banks can find themselves at the mercy of hackers. The fraud raises questions about how safe our bank accounts really are and what customers can do to protect their money.

The incident in early November could have been worse, thanks in part to swift action by Tesco. Initially, the bank believed that 20,000 out of its 136,000 customers had had money removed fraudulently from their accounts over one weekend. Subsequently, it found that only 9,000 were affected.

Despite the hacking, customers were still able to use their debit card to make in-store payments and cash withdrawals, while direct debits and bill payments could continue to be made as normal.

However, some impact was felt by all 136,000 customers of Tesco Bank. They were unable to make online transactions using current accounts for two days. And a total of £2.5 million was stolen from the accounts affected.

In some cases customers lost more than £600 each, and it took a further 24 hours to reimburse them all.


Company size is no defence

It would be tempting to hope that such events are extremely rare. In reality, hackers have demonstrated that all kinds of companies are susceptible.

In November 2015, telecoms group TalkTalk was the victim of one of the most notorious cyber attacks. Hackers gained access to the personal details, including names, addresses, dates of birth, telephone numbers and email addresses, of nearly 157,000 customers, and more than 15,600 bank account numbers and sort codes were stolen.

Twelve months earlier, Sony had been hacked and films were made available online before their release dates. Although the motive in this case was not to steal money, the attack was a demonstration of how vulnerable even large corporations with the best IT resources can be.

Organised crime has now moved on to targeting companies rather than individuals, as the potential gains are so much larger. This is because many individuals have been alerted by press reports to a variety of scams so fewer individuals are taken in.


Scammers typically target banks – and individual accounts – on Friday so they have two days’ leeway while banks are closed over the weekend before people realise that their accounts have been raided. The hackers do not need the co-operation of the bank, just a vulnerable IT system.

But we do not know the full extent of financial fraud, as many people and companies are too embarrassed to report it. In the early days of computers, there were unconfirmed but highly believable reports of banks paying ransoms to hackers who demonstrated that they could cause a bank’s computer system to crash.


Banks have three reasons for hiding the extent to which they have been defrauded in online scams:

  • They don’t want the embarrassment and adverse publicity.
  • They don’t want to dent customer confidence.
  • They don’t want to let hackers know that their systems are vulnerable.


The problem for large companies, as for the humble PC user, is that hackers are forever working on new malware to attack computer systems so the good guys are always having to play catch-up.

The speed of modern technology has made the hackers’ lives easier, as they can bombard computer systems until they find a weak spot. Credit card issuer Visa warned the finance industry a year ago of a potential flaw in its payments system and most banks updated their systems accordingly.

The glitch that Visa spotted was that criminals were able to repeatedly ‘ping’ payment sites with random debit card numbers until they found a match with a customer’s card number, expiry date and three-digit security code. The fraudsters would withdraw small amounts from this account to ensure they had the correct details before stepping up to much larger sums.

With the Tesco fraud, now the subject of a criminal investigation, an initial line of investigation was whether Tesco had failed to take adequate precautionary measures.

Another possibility is that a rogue employee provided customer details to the hackers. This is a weakness that banks can do very little about. If raids can net millions of pounds for hackers, then clearly the fraudsters can afford to pay substantial bribes.

Who pays?

Who suffers the loss from any banking scam is still something of a grey area, because it is often unclear who is to blame. However, rules set by city regulator the Financial Conduct Authority dictate that banks must refund unauthorised payments immediately and in full unless there is evidence that the customer was at fault.

Especially where a bank employee has been involved in a fraud, account holders affected by a raid are often asked by the bank to sign an agreement to keep the fraud and the refund secret. You are not obliged to sign any such confidentiality agreement. If the bank is at fault, it cannot refuse to recompense you.

That is, though, no reason to be complacent. We all have an obligation to thwart the scammers, apart from the obvious benefit of not wanting to find our bank account has been suspended. If there is any suspicion that the customer was in any way responsible for having his or her account raided by fraudsters, banks are reluctant to offer compensation.

As well as wishing to avoid unnecessary costs, the banks fear that customers will not feel the need to be more alert if they do not bear the results of their own mistakes. Vigilance is increasingly important as we move inexorably towards a cashless society.

What can we do?

The National Crime Agency estimates that a financial fraud occurs every 15 seconds, so bank customers must remain vigilant. Do not assume this could not happen to you. The agency reckons that computer-savvy bank customers are most prone to fall for a financial scam.

Do not:

  • Give your password to anyone. Your bank will never ask for it.
  • Click on a link in an email that supposedly comes from your bank. Log on to the bank’s website separately.
  • Agree to make online payments by any unusual method.
  • Transfer funds out of your bank account if asked by someone claiming to be ringing from your bank to warn you that your account is under threat. Even if this is true, dealing with it is the bank’s responsibility, not yours. 
  • Assume that because a telephone caller knows exactly how much money you have in your account it must be the bank. The information may have come from a corrupt bank employee.
  • Delay paying bills until the last minute. If a bill that you pay manually rather than by direct debit falls due, pay it as soon as you have the funds available. The less cash you have in your account, the less can be stolen and you avoid the embarrassment of being unable to pay if your account is frozen.
  • Splash information about yourself on social media. The more personal information a scammer has, the easier it is to assume your identity.



Cashless or clueless?

While we are moving increasingly towards a cashless society, we are still a long way off. Banks have backed away from a plan to phase out cheques and while computer crashes at shop tills are rarer than they were in the early days of technology, they can still occur. The Tesco Bank fiasco was a reminder that you can find yourself locked out of your bank account at an inconvenient time.

It makes sense, therefore, to keep a small amount of cash on you just in case. This may not seem necessary if you have more than one bank account, but if you are using the same password for all accounts and one gets hacked you need to cancel transactions across the board.

