Recommendations for alternative bank - HSBC requiring phone app

Section62

booneruk said:

Section62 said:

Versus a credit card-sized device the bank gives you for free?

That's a bit of a flawed comparison. Can you set up a standing order with a card? Cancel a direct debit? View your balance without going anywhere? I can't phone my friend with a credit card, or install social media apps Etc etc.

We're talking specifically about online banking authentication.

Clearly if you want to do mobile banking, or phone friends, or use social media, then it would be sensible to go with the phone option (including any phone you already have which might not meet HSBC's security requirements)

Nasqueron

Section62 said:

Nasqueron said:

clairec666 said:

GeoffTF said:

Nasqueron said:

Banks typically stop access when the system OS is no longer supported by the manufacturer, typically 5-6 years with Apple and better Android devices, one phone every 5-6 years is normal, it happens with all devices as a phone that old isn't secure and is a risk to use

I do not know of any bank that does that. Anyway, security updates just reduce the risk, they do not eliminate it.

No banking apps would install on my last phone, because it was running an old version of Android.

Using a phone over 6 years old is a security risk because the software isn't having security patches, hence banks don't want to risk their software being compromised and yuou losing money, it's akin to leaving all your doors and windows open at home. You can get an Android 14 (full, not Go) phone from Argos for £100 which will have security to at least Feb 2027. A Samsung A15 5G will have 5 years of security updates albeit it's a year old already

So not a new phone every year, but a new £100 phone every 16 months?

Versus a credit card-sized device the bank gives you for free?

I picked a random dirt cheap phone as an example and used a budget one with 5 years support, thank you for reading!

Nasqueron

GeoffTF said:

Nasqueron said:

clairec666 said:

GeoffTF said:

Nasqueron said:

Banks typically stop access when the system OS is no longer supported by the manufacturer, typically 5-6 years with Apple and better Android devices, one phone every 5-6 years is normal, it happens with all devices as a phone that old isn't secure and is a risk to use

I do not know of any bank that does that. Anyway, security updates just reduce the risk, they do not eliminate it.

No banking apps would install on my last phone, because it was running an old version of Android.

A Samsung A15 5G will have 5 years of security updates albeit it's a year old already

The A15 is two years old, so it has security updates for 3 years at most. That is not much if you are expecting a 7 or 8 year life for the phone. The A17 is on sale now. The 4G version costs £169. Here is what a review says:

"The Galaxy A17 4G will receive updates until 2031, i.e. for six years from launch, and new versions of the operating system will be available for this period. However, Samsung restricts this on its website with the addition "up to" and other legal clauses. So you can't fully rely on this great promise."

https://www.notebookcheck.net/Samsung-Galaxy-A17-4G-smartphone-test-Unusually-well-equipped-budget-phone.1146414.0.html

You are paying out a lot of dosh for a shaky promise, and the other manufacturers' promises are worse for reasonably priced phones.

That is now silly - we're into conspiracy that they are lying about the support they advertise, it's in as a caveat as Google might set the hardware restrictions for a newer version of android too high

Or just get a refurb iphone with 4-6 years

Nasqueron

GeoffTF said:

Nasqueron said:

GeoffTF said:

Nasqueron said:

Banks typically stop access when the system OS is no longer supported by the manufacturer, typically 5-6 years with Apple and better Android devices, one phone every 5-6 years is normal, it happens with all devices as a phone that old isn't secure and is a risk to use

I do not know of any bank that does that. Anyway, security updates just reduce the risk, they do not eliminate it.

Except for literally all of them?

Not at all. See the Nationwide footnote here for example:

"To use our banking app, your device must be running Android 7.0 or higher..."

https://www.nationwide.co.uk/ways-to-bank/banking-app/

The last security patch for Android 7.0 was dated August 2019:

https://en.wikipedia.org/wiki/Android_version_history

The last security update for Android 7.0 was more than 6 years ago. Android 7.0 was released in August 2016, so it only received security updates for 3 years. Nationwide is happy for its customers to use 9 year old budget phones with its app. Not many mobile phones survive more than 9 years, so Nationwide is not being very restrictive. It was much the same story for the other banks that I looked at.

As I said, they need a minimum version and it's stated - so if you had Android 6 it won't work - literally what I said, thank you for agreeing!

Nationwide's lack of IT knowledge isn't exactly hidden but First Direct is Android 9 (no support for Go), Lloyds and NatWest are 8, it's still common sense to have a supported version for various reasons. HSBC need 9 as well hence OP is using a phone at least from 2020 if not earlier, full of security holes and a risk 

Rob5342

I think Halifax still let you authorise things with an automated call to a phone number. If you still have a home phone then they might be an option. 

Alternatively Monzo have location based security so you can restrict some things so that they can only be done when your phone is at your home address. 

GeoffTF

Nasqueron said:

GeoffTF said:

Nasqueron said:

GeoffTF said:

Nasqueron said:

Banks typically stop access when the system OS is no longer supported by the manufacturer, typically 5-6 years with Apple and better Android devices, one phone every 5-6 years is normal, it happens with all devices as a phone that old isn't secure and is a risk to use

I do not know of any bank that does that. Anyway, security updates just reduce the risk, they do not eliminate it.

Except for literally all of them?

Not at all. See the Nationwide footnote here for example:

"To use our banking app, your device must be running Android 7.0 or higher..."

https://www.nationwide.co.uk/ways-to-bank/banking-app/

The last security patch for Android 7.0 was dated August 2019:

https://en.wikipedia.org/wiki/Android_version_history

The last security update for Android 7.0 was more than 6 years ago. Android 7.0 was released in August 2016, so it only received security updates for 3 years. Nationwide is happy for its customers to use 9 year old budget phones with its app. Not many mobile phones survive more than 9 years, so Nationwide is not being very restrictive. It was much the same story for the other banks that I looked at.

As I said, they need a minimum version and it's stated - so if you had Android 6 it won't work - literally what I said, thank you for agreeing!

Nationwide's lack of IT knowledge isn't exactly hidden but First Direct is Android 9 (no support for Go), Lloyds and NatWest are 8, it's still common sense to have a supported version for various reasons. HSBC need 9 as well hence OP is using a phone at least from 2020 if not earlier, full of security holes and a risk 

You wrote "Banks typically stop access when the system OS is no longer supported by the manufacturer". That is clearly not true if they are allowing Android 7.0 or even Android 9.0. Look at the table in my Wikipedia link. Actually, it is worse than the table suggests. The table gives the date of the last security patch from Google. Android phone manufacturers usually end support before that. I have recently used apps from Nationwide, Skipton, Tesco and Barclays on a Nokia phone running Android 12 that has not received updates for two years. Google issued a security patch for Android 12 in March 2025, but my phone did not get it. (My risk from using those apps was very low, because of other security measures. My Nokia phone is an Android One phone, which had a guarantee for three years of security updates from its first release. That was more than any other reasonably priced phone at the time.) The banks are evidently happy for their customers to use unsupported phones. If your phone gets hacked, the nightmare situation is having to prove that you followed all the bank's security requirements.

Eco_Miser

Rob5342 said:

I think Halifax still let you authorise things with an automated call to a phone number. If you still have a home phone then they might be an option. 

Alternatively Monzo have location based security so you can restrict some things so that they can only be done when your phone is at your home address. 

Halifax certainly let you authorise with an automated SMS. Provided they can recognise your computer (you've told them you trust the device and you've not cleared cookies) you don't normally need this to log in or pay an existing payee.

GeoffTF

GeoffTF said:

I have recently used apps from Nationwide, Skipton, Tesco and Barclays on a Nokia phone running Android 12 that has not received updates for two years. Google issued a security patch for Android 12 in March 2025, but my phone did not get it.

I am replying to myself here to add some further information. My old phone is a Nokia 5.3 and is now running Android 12.

Release date: 2 April 2020.

Bought: 8 July 2020.

Last Nokia security update: 1 June 2023.

Last Google security update: March 2025.

You can see the security patches that I am missing here:

https://source.android.com/docs/security/bulletin

There are lots of scary ones. Most of them will have been present since Android 12 was released, or even before that. The good guys do not necessarily find them first. That looks very bad, but the fact that a security vulnerability exists does not mean that Android malware has been made to use it. Even if it has, it can cause problems only if it can be exploited. Most Android malware targets the apps rather than Android itself. Here is a summary of what happens in practice:

https://online.sunderland.ac.uk/the-rise-of-mobile-malware/

In practice, you can nearly always prevent malware getting onto your device. You can certainly make your phone much less likely to be challenged by malware than a typical user. The risk of a supply chain attack can be greatly reduced by buying a new phone from a reputable high street retailer. A phone that is well hidden, held in a secure location and turned off is almost completely secure. If you only use that phone only to run a banking app, the additional risk is very low.

Banks would lose customers and money if they did not allow their customers to use phones that are no longer supported by the manufacturer. They will also potentially lose money to compensation claims if they allow their customers to lose unsupported phones. They have decided that the loss of customers will cost them more than banning unsupported phones. In practice, they usually ban only phones that were never up to the job, or that very few of their customers will want to use. You can see from the University of Sunderland article that in nearly all cases, the customer will have had to do something wrong to get their phone infected. Nonetheless, you could follow all the bank's rules and still get your account drained, perhaps as result of a hitherto unknown vulnerability. That seems to be an unlikely event, so you could have difficulty in convincing the bank that it was not your fault.

dekaspace1

This is annoying for me as my main phone doesn't work with many apps as it's rooted, and my backup phone is too old to work security apps.

Some other banks let me login without an app but to see/download statements I have to use the app which is a nightmare.

Rob5342

dekaspace1 said:

This is annoying for me as my main phone doesn't work with many apps as it's rooted, and my backup phone is too old to work security apps.

Some other banks let me login without an app but to see/download statements I have to use the app which is a nightmare.

Halifax doesn't need a mobile phone for seeing your statements, when you log on you can have an automated phone call that you type the on screen code into.