Recommendations for alternative bank - HSBC requiring phone app

Comments

  • clairec666
    clairec666 Posts: 880 Forumite
    500 Posts Name Dropper
    EnPointe said:
    EnPointe said:
    Nasqueron said:
    Nasqueron said:

    Rich2808 said:
    While they are keen to promote the use of the mobile app HSBC haven't phased out physical keys yet in the UK - and you can still use them and order new ones in branches etc?

    Did I miss them announcing an end date?

    One option of course is to have a second phone which you leave at home for banking apps - so you aren't carrying it around with you.


    I resent HSBC's approach and I think everyone should be given choice as to how they access their account.

    Is there any reason they can't do a "secure code by text message" like some other banks do?
    To be blunt - this is how private businesses work, they don't cater to individual whims but what is profitable for them, quite rightly private firms should not be forced to keep using card readers where there are better ways

    SMS is even less secure so is rightly being stopped
    I've nothing against newer app-only banks, they have built their businesses on a younger tech-savvy clientele and aren't ever going to provide branches, or often even phone lines too. But I think high-street providers should still be catering for their existing customers rather than coercing them into using technology they might not be comfortable with.

    For the record, I'm not an "older" customer, but I don't want to use an app for everything.
    Nothing about the age, First Direct have been around online for decades, plenty of older people work without branches though all of them have phone lines to some extent e.g. for fraud reporting. You're welcome to your opinion but it's simply how businesses operate that they should be allowed to move to other systems that the vast majority use
    HSBC are free to go app-only if that's how they want to run their business. What is annoying me is that they offer "online banking" but are not-so-subtly trying to lead people towards their app instead. If they don't want to offer access via a web browser, they should just do away with it altogether and be upfront about it. In which case, I'll make my decision as to whether to install the app or ditch HSBC and go elsewhere.
    again utterly incorrect
    May I ask, which specific part of what I said is "utterly incorrect"?
    HSBC online banking does not require the app, especially as it appears physical code generation units are still available

    even if you use their app for code generation you do not have to use the app as it generates codes for the web portal
    Ah, so you didn't read my post properly. Well done.
  • GeoffTF
    GeoffTF Posts: 2,334 Forumite
    1,000 Posts Fourth Anniversary Photogenic Name Dropper
    GeoffTF said:
    This is annoying for me as my main phone doesn't work with many apps as it's rooted, and my backup phone is too old to work security apps.

    Some other banks let me login without an app but to see/download statements I have to use the app which is a nightmare.
    I am sure this has been said previously, but you should not have a problem. You do not need a phone at all with Nationwide. A dumb phone is sufficient with Santander. With Nationwide, you can use a card reader. With Santander, you do not need to use your phone (or any other security device) to login to your account, and see and download your statements. You can often make Faster Payments to frequently used own accounts without using your phone too.

    Santander lets me view transactions and statements but not a full statement i.e. name and address.
    I do not have any problems with that. Here is how to do it:
  • Section62
    Section62 Posts: 10,389 Forumite
    10,000 Posts Fourth Anniversary Name Dropper
    EnPointe said:

    Is there any reason they can't do a "secure code by text message" like some other banks do?
    Because that is actually extremely insecure compared to a phone app that uses good 2FA
    Define "extremely insecure".

    SMS OTPs aren't as secure as some other methods, but commonly used by other banks and the UK Government Gateway.

    If HSBC did want to get rid of their code generators completely (and there's no indication they do) then allowing OTPs by SMS would be the next best thing to allow people a choice of whether to use the app or not.
  • grumpy_codger
    grumpy_codger Posts: 1,324 Forumite
    1,000 Posts Name Dropper Photogenic
    edited 2 November at 9:51AM
    GeoffTF said:
    This is annoying for me as my main phone doesn't work with many apps as it's rooted, and my backup phone is too old to work security apps.

    Some other banks let me login without an app but to see/download statements I have to use the app which is a nightmare.
    I am sure this has been said previously, but you should not have a problem. You do not need a phone at all with Nationwide. A dumb phone is sufficient with Santander. With Nationwide, you can use a card reader. With Santander, you do not need to use your phone (or any other security device) to login to your account, and see and download your statements. You can often make Faster Payments to frequently used own accounts without using your phone too.

    Santander lets me view transactions and statements but not a full statement i.e. name and address.
    What do you mean?! All pdf statements are available online, all with the name and the address. 
    "Statements and documents" in the left-side menu.
    It's my main account, I don't have their app and don't have any problems (except their ridiculous 8-character alphanumerical OTPs for logging in).
  • GeoffTF
    GeoffTF Posts: 2,334 Forumite
    1,000 Posts Fourth Anniversary Photogenic Name Dropper
    edited 2 November at 10:02AM
    gt94sss2 said:
    GeoffTF said:
    EnPointe said:
    Section62 said:
    Nasqueron said:
    GeoffTF said:
    Nasqueron said:
    Banks typically stop access when the system OS is no longer supported by the manufacturer, typically 5-6 years with Apple and better Android devices, one phone every 5-6 years is normal, it happens with all devices as a phone that old isn't secure and is a risk to use
    I do not know of any bank that does that. Anyway, security updates just reduce the risk, they do not eliminate it.
    No banking apps would install on my last phone, because it was running an old version of Android.
    Using a phone over 6 years old is a security risk because the software isn't having security patches, hence banks don't want to risk their software being compromised and you losing money, it's akin to leaving all your doors and windows open at home. You can get an Android 14 (full, not Go) phone from Argos for £100 which will have security to at least Feb 2027. A Samsung A15 5G will have 5 years of security updates albeit it's a year old already
    So not a new phone every year, but a new £100 phone every 16 months?

    Versus a credit card-sized device the bank gives you for free?
    if you buy a current up-to-date device you will have 6 years of updates in the vast majority of cases, if you choose to buy a phone which as a model is already a number of years old, you run the associated risk of shorter support horizons
    2 years of security updates is still common, and some manufacturers do not promise anything:
    Samsung seems to have the longest period of security updates for reasonably priced phones. None of the manufacturers' promises are completely watertight though.
    Since the 29th April 2024, all new devices sold in the UK must have a PSTI Statement of Compliance. This is a document that confirms the product meets the security requirements of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022.

    It is a legal requirement for manufacturers, importers, and distributors placing such products on the UK market to ensure the SoC accompanies the product and includes specific information like the product's minimum security support period and vulnerability disclosure policy. 

    Here is a readable summary of PSTI:
    It is nonetheless still not easy for a potential buyer to compare the support periods. I have not been able to find a single retailer's website that shows the support periods for the smartphones that it sells. (The act does not specify a minimum support period.)
    Banks do not allow their apps to be installed on very old versions of Android, but I have not been able to find a bank that requires its mobile banking customers to use only phones that are still receiving security updates. Nationwide does not mention security updates at all, and their requirement for Android 7.0 or above is in a small print footnote:
    Santander says: "Make sure your device and apps are on the latest version." Santander has just increased its requirement from Android 8.0 to Android 9.0:
    Android 9.0 was released on 6 August 2018, and received its last security update from Google on 4 January 2022:
    Most of the phones that were released with Android 9.0 installed would have received security updates for only a year or two after their launch date (not their purchase date). It would appear that "the latest version" means the latest version that is available for your phone.
    Santander could not reasonably claim that you have been grossly negligent if you have installed their app on an Android 9.0 phone, or indeed any later phone that is not receiving security updates. I expect that means that they would have to compensate you if your phone is hacked as a result. I would rather not be in that situation though. Compensation for lost or stolen cards looks more certain.
  • flaneurs_lobster
    flaneurs_lobster Posts: 8,080 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    GeoffTF said:

    Santander could not reasonably claim that you have been grossly negligent if you have installed their app on an Android 9.0 phone, or indeed any later phone that is not receiving security updates. I expect that means that they would have to compensate you if your phone is hacked as a result. I would rather not be in that situation though. Compensation for lost or stolen cards looks more certain.
    As ever, it depends.
    Install Santander app on old phone no longer getting security updates (or brand new phone with up-to-date updates) THEN install iffy crypto-mining get £££ quick app from dodgy website and then get your account emptied - bet they are not compensating you then.

    If you are negligent with your phone (or your bank cards, cheque book, online account) then you really cannot use the "it's the Bank's fault - pay me back" argument.
  • GeoffTF
    GeoffTF Posts: 2,334 Forumite
    1,000 Posts Fourth Anniversary Photogenic Name Dropper
    edited 2 November at 12:05PM
    GeoffTF said:

    Santander could not reasonably claim that you have been grossly negligent if you have installed their app on an Android 9.0 phone, or indeed any later phone that is not receiving security updates. I expect that means that they would have to compensate you if your phone is hacked as a result. I would rather not be in that situation though. Compensation for lost or stolen cards looks more certain.
    As ever, it depends.
    Install Santander app on old phone no longer getting security updates (or brand new phone with up-to-date updates) THEN install iffy crypto-mining get £££ quick app from dodgy website and then get your account emptied - bet they are not compensating you then.
    Using a phone that is not receiving updates seems to be deemed OK. The banks will have statistics on which phones get hacked and have decided that phones not receiving security updates is an acceptable risk for them.
    I do not believe the banks could reasonably claim you to be grossly negligent if you download apps from the official store. If you have side-loaded apps from elsewhere, that is another matter. Nonetheless, neither Nationwide nor Santander (at least) appear to say that you must not do that.
    What about clicking on links in emails and text messages? What about using a second hand phone with pre-installed malware? What about using a third party WiFi network? What about plugging into a dodgy USB charging point? Are they grossly negligent or just foolish?
    GeoffTF said:

    Santander could not reasonably claim that you have been grossly negligent if you have installed their app on an Android 9.0 phone, or indeed any later phone that is not receiving security updates. I expect that means that they would have to compensate you if your phone is hacked as a result. I would rather not be in that situation though. Compensation for lost or stolen cards looks more certain.
    If you are negligent with your phone (or your bank cards, cheque book, online account) then you really cannot use the "it's the Bank's fault - pay me back" argument.
    If you give someone your card and your PIN, that is likely to be grossly negligent (but you could have done it under duress). If your cards slip out of your pocket on a bus (which happened to me once), that is not. The issues with cards are much simpler and more clear cut.
  • GeoffTF
    GeoffTF Posts: 2,334 Forumite
    1,000 Posts Fourth Anniversary Photogenic Name Dropper
    edited 3 November at 12:06PM
    I have dug up some statistics for the first half year of 2025:
    Total fraud: 2.09m cases and £629m lost. Unauthorised fraud: 1.98m cases and £372m lost.
    Card fraud: 1.94m cases and £299m lost. Lost & stolen card fraud: 0.22m cases and £51.9m lost. (Most card fraud is cardholder not present fraud. The fraud rate on contactless cards was 1.2p per £100 of transactions, significantly lower than the rate across all types of card fraud at 6.9p per £100.)
    Remote Banking: 0.042m cases and £71m lost. Internet banking: 0.004m cases and £24m lost. Telephone banking: 0.001m cases and £3.7m lost. Mobile Banking: 0.037m cases and £43m lost. ("Mobile banking fraud occurs when a criminal uses compromised bank account details to gain access to a customer’s bank account through a banking app downloaded to a mobile device only. It excludes web browser banking on a mobile and browser-based banking apps (incidents on those platforms are included in the internet banking fraud figures). Rises are to be expected in the mobile banking channel as the level of usage increases amongst customers. Last year, around 75 per cent of adults living in the UK used a mobile banking app either on their telephone or tablet, up from 33 per cent in 2015.")
    The comparison most relevant here is lost & stolen card fraud (0.22m cases and £51.9m lost.) versus mobile banking fraud (0.037m cases and £43m lost). The total amounts lost are similar, but that loss is spread over many more cases for cards. That does not include the loss of the mobile phones themselves. The numbers suggest that mobile phones are less likely to be hit by fraud than cards, but the losses are higher when they are hit. The numbers also suggest that Internet banking is safer than mobile banking. Nonetheless, as with all statistics, the devil is in the detail.
    According to Crime Survey for England and Wales 2024, 78,000 people had phones or bags snatched from them (that equates to 39,000 per half year):
    At £100 per phone, that would be £3.9m. That is about a tenth of what is lost to mobile banking fraud.
  • KeviG
    KeviG Posts: 1 Newbie
    Fourth Anniversary First Post
    I bank with Santander (for many years). I don't like/trust banking on a mobile phone and after a phone call to them I managed to continue banking on line, the only phone involvement was to receive an OTP (passcode) to enter on my laptop. Before this change a pop up on my laptop said something like "please confirm this transaction has been approved with your mobile banking app".
  • phillw
    phillw Posts: 5,690 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 5 November at 11:33AM
    born_again said:
    How did they get past phone security?
    Phones aren't that secure, there is software that works with many phones to get past the lock screen.

    There is probably a way past the security on the banking apps too.
