How Cyber Resilient Are The Top Online Banks?

This post was originally published here.

Booksellers and electronics retailers aren’t the only brick-and-mortar businesses challenged by the rise of highly agile, online-only competitors—traditional retail banking institutions also face stiff competition from Internet-based consumer banking upstarts. But are these born-in-the-cloud banks and financial services offerings safer than their traditional counterparts? Let’s take a look at the leading online banks to see if they’re equipped to handle today’s cyber threats.

According to recent numbers, 81% of those responsible for managing household finances have done so via the web in the previous 12 months, making up a whopping 69 million Americans who currently bank online. However, the numbers behind the banking industry’s digital renaissance aren’t all rosy adoption metrics: last year’s Bangladesh Central Bank heist would have surpassed $1 billion in stolen funds, if not for a hacker’s typo (they still managed to get away with $80 million).


Traditional banking institutions face a myriad of security challenges in digitizing their products and services, but how do online-only banks compare when it comes to cyber resilience? Does having a digital DNA from the outset result in more resilient online banking services? Let’s find out.

Online Banking Roundup

All of the following online-only retail banking firms lack physical branch locations and process transactions entirely online. A few—most notably Synchrony Bank—white label their consumer credit offerings to major brands like Amazon, Walmart, and Guitar Center, to name a few.

1. Goldman Sachs Bank – 836 out of 950

Referred to as GS Bank for short, this online-only consumer bank is a subsidiary of the century-old investment banking giant. How resilient are its efforts in transitioning from “Wall Street to Main Street”? An expiring SSL certificate and lack of DNSSEC are its only website perimeter security isses.

2. Synchrony Bank – 834 out of 950  

You may not have heard of Synchrony Bank, but if you have an or Amazon Prime Store Card, you’re likely a banking customer of theirs. Despite its strong 834 CSTAR score, a handful of security issues like missing HTTP transport security, server information leakage, and lack of DNSSEC could lead to a data breach.

3. Ally Bank – 836 out of 950

Utah-based Ally Bank offers a range of consumer banking products: savings, checking, money market, certificate of deposit (CD), and IRA CD accounts, all online-only.

Its good but less-than-perfect 836 CSTAR score is a result of several flaws in its website perimeter security—server information leakage, lack of HTTP strict transport security, and missing DNSSEC.

4. GoBank – 808 out of 950 

Prepaid debit card issuer Green Dot launched GoBank in 2013 as a mobile-only banking institution—everything from opening accounts and ordering debit cards to paying bills is done exclusively via its mobile app. Unfortunately, its website’s SSL certificate is cause for concern, to put it mildly.

Its mobile web presence scores a strong 808 CSTAR rating, but falls short due to several security flaws including server information leakage, missing HttpOnly/secure cookies, and disabled DNSSEC.

5. Radius Bank – 884 out of 950

Boston-based Radius Bank was founded in 1987 by the Massachusetts Carpenters Combined Pension and Annuity Funds—created by/for local union carpenters. The company recently transitioned to digital-only banking services, folding its 6 retail brances into 1 as part of its bank “virtualization” efforts. Security flaws such as lack of DMARC and missing DNSSEC mar its otherwise respectable 884 CSTAR score.

6. Bank of Internet USA – 789 out of 950

Founded in 1999, Bank of Internet USA was one of the first banks worldwide to offer Internet-only consumer deposit accounts and loans—in fact, the company holds the enviable title of the oldest Internet-only bank in the United States. Its 789 CSTAR score is a reflection of various security gaps: lack of HTTP strict transport security, missing secure cookies, and disabled DMARC/DNSSEC.

7. Simple – 880 out of 950

Like GoBank, Portland-based Simple offers online-only banking services that focus on mobile devices. The company is part of the STAR network and issues FDIC-insured checking accounts exclusively to U.S. citizens via its partnership with The Bancorp. The company scores a strong 880 CSTAR score, despite security flaws like missing DMARC and lack of DNSSEC.

8. BankPurely – 656 out of 950

In case you were wondering if there’s such a thing as green banking, this is (presumably) it: BankPurely’s online-only bank was specifically crafted for ethical consumers with greater awareness about environmental and social issues.” Or in other words, digital banking saves trees. Its CSTAR score of 656 suffers due to server information leakage, missing secure cookies, lack of DMARC/DNSSEC, and other flaws.


In general, the leading online-only banking institutions have most of their bases covered in regards to cyber resilience and security fitness—though none were able to achieve an excellent CSTAR rating. Want to learn more about UpGuard’s CSTAR cyber resilience rating methodology? You can start by giving UpGuard’s risk grader web application and chrome extension a free spin to instantly validate a website’s security posture.


No posts to display