
How safe is online banking?

Which? has rated 12 of the biggest UK banks on the security of their online banking systems. How does your bank's online security measure up?

In this article

Best banks for internet banking security
Online banking security: our tests
Why is two-factor authentication (2FA) important?
Is mobile banking safe?
Take our fraud risk quiz
10 ways to protect yourself against fraud and scams
What to do if you're a victim of bank fraud
Which? campaigns for scam victims to be reimbursed

Best banks for internet banking security

Every year, we rate the customer-facing security of 12 leading online banks. In our latest test, volunteers carried out a series of tasks, while a team of experts from cybersecurity firm Falanx Cyber tested each bank's defences.

The table below shows how each bank fared for the main factors we tested. The columns are:

Login: what information is required to access the account, whether the bank requires two-factor authentication to log in, and how easy it is to recover usernames and passwords.
Encryption: front-end security aspects of logging in, such as HTTPS and cipher strength.
Account management: new payee set-up, with a small weight on password and address change.
Navigation and logout: using forward/back buttons, concurrent login, browsing away from the site and confirmation of logout.

| Bank | Login | Encryption | Account management | Navigation and logout | Test score |
| --- | --- | --- | --- | --- | --- |
| NatWest (also Royal Bank of Scotland) | 5 out of 5 | 5 out of 5 | 4 out of 5 | 4 out of 5 | 83% |
| Nationwide | 4 out of 5 | 5 out of 5 | 4 out of 5 | 5 out of 5 | 75% |
| Lloyds (also Bank of Scotland and Halifax) | 5 out of 5 | 4 out of 5 | 5 out of 5 | 4 out of 5 | 74% |
| HSBC | 4 out of 5 | 4 out of 5 | 4 out of 5 | 5 out of 5 | 73% |
| Barclays | 4 out of 5 | 5 out of 5 | 4 out of 5 | 4 out of 5 | 73% |
| Tesco Bank | 5 out of 5 | 5 out of 5 | 1 out of 5 | 4 out of 5 | 72% |
| First Direct | 4 out of 5 | 4 out of 5 | 4 out of 5 | 5 out of 5 | 70% |
| Yorkshire Bank (also Clydesdale Bank) | 5 out of 5 | 4 out of 5 | 2 out of 5 | 4 out of 5 | 68% |
| Santander | 3 out of 5 | 4 out of 5 | 4 out of 5 | 4 out of 5 | 59% |
| Metro Bank | 2 out of 5 | 4 out of 5 | 4 out of 5 | 4 out of 5 | 57% |
| The Co-operative Bank | 2 out of 5 | 4 out of 5 | 4 out of 5 | 4 out of 5 | 56% |
| TSB | 2 out of 5 | 4 out of 5 | 4 out of 5 | 4 out of 5 | 50% |

Online banking security: our tests

All providers have processes that aren’t visible in the type of testing we carried out – we can only analyse security features available to the customer – but our tests compared banks on the following: 

Login

We rated banks on the information required to access the accounts, checking whether two-factor authentication (2FA) is both available and compulsory (the gold standard). We also tested alternative login methods, such as security questions to recover usernames and passwords.

Encryption

We tested the level of encryption (where data is scrambled so that only you and your bank can read it) and checked whether best-practice security headers are in place: these, respectively, enforce a secure connection and protect against a wide range of attacks. We also noted where scripts (program code run by the browser) were loaded from external sources, such as a traffic analysis company, because hackers might compromise that third party.
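As an added illustration of the encryption checks described above (this is not Which?'s or Falanx Cyber's tooling), the Python snippet below audits a captured login-page response for missing best-practice security headers and for scripts loaded from third-party hosts. The hostnames, headers and HTML are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Constructed sample: headers and HTML of a login page as a tester might capture them.
SAMPLE_HOST = "login.example-bank.test"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://login.example-bank.test/js/login.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script>console.log('inline script, no src');</script>
</head></html>"""

# Best-practice headers a login page should send, with what each one enforces.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "browser keeps using HTTPS on later visits",
    "Content-Security-Policy": "restricts where scripts may be loaded from",
    "X-Frame-Options": "stops the page being framed for clickjacking",
    "X-Content-Type-Options": "stops MIME-type sniffing of responses",
}

def missing_headers(headers):
    """Return the expected headers absent from the response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

def external_scripts(html, page_host):
    """Return script src URLs served from a host other than the page itself.
    Relative URLs have no hostname and therefore count as first-party."""
    srcs = re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.IGNORECASE)
    return [s for s in srcs if urlparse(s).hostname not in (None, page_host)]

def audit(headers, html, page_host):
    """Summarise the two findings a reviewer would report for one page."""
    return {
        "missing_headers": missing_headers(headers),
        "external_scripts": external_scripts(html, page_host),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_HOST).items():
        print(f"{key}: {value}")
```

The third-party script finding is the one the paragraph warns about: a compromise of the analytics vendor would let its script run with full access to the login page.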

Account management

Paying someone new and editing account details should require additional checks to verify that it’s really you making changes. We want banks to send notifications when details are altered to alert you to a potential breach. However, we marked them down if these messages included a phone number or link to a login page. This is because scammers can replicate texts and emails to trick you into calling them or entering your details on a fake website. If banks never included phone numbers or website links in their communications, it would make scam attempts easier to spot. 

Navigation and logout

Banks were penalised if they let us log in from multiple browsers or computers at the same time – this should be flagged as a potential attack – or if they allowed us to flick forward and back in the browser. Banks will log you out after a period of inactivity, but we want them to restrict customers to one active session at a time and not to add an extra confirmation step before logout completes. Although such a step is compliant with current industry guidance, we think it's safer to close the session instantly.
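As an added example (not code from any of the banks tested, nor from Which?), here is the session policy the paragraph asks for, written in Python: one active session per customer, a second login from a different client recorded as a security event while the older session is closed, an inactivity timeout, and a logout that takes effect instantly. User names, client labels and timestamps are constructed.

```python
import secrets

class SessionPolicy:
    """One active session per customer, an idle timeout, and instant logout."""

    def __init__(self, idle_timeout=600):
        self.idle_timeout = idle_timeout  # seconds of inactivity before expiry
        self.sessions = {}   # token -> {"user", "client", "last_seen"}
        self.alerts = []     # security events worth investigating

    def login(self, user, client, now):
        """Open a session; any existing session for the user is closed first."""
        for token, s in list(self.sessions.items()):
            if s["user"] == user:
                if s["client"] != client:
                    # Concurrent login from elsewhere: flag it rather than allow both.
                    self.alerts.append((user, "concurrent login from new client", now))
                del self.sessions[token]
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = {"user": user, "client": client, "last_seen": now}
        return token

    def is_valid(self, token, now):
        """Check a session on each request and expire it if idle too long."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[token]  # expired: treated exactly like a logout
            return False
        s["last_seen"] = now
        return True

    def logout(self, token):
        """Close the session immediately; no confirmation step."""
        self.sessions.pop(token, None)
```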

Why is two-factor authentication (2FA) important?

Which? has long called for banks to support two-factor authentication (2FA) login. 

Gmail, Microsoft Hotmail and Twitter all offer some form of 2FA, which involves multiple ID checks such as providing a username and a password plus a single-use passcode generated on a card reader or mobile phone. 

You might expect that bank accounts should be at least as secure as an email or social media account, but our research has found that some banks – namely Metro Bank, Santander and TSB – are still lagging behind.

By March 2020, all banks will need to introduce a multi-layered approach to online banking login, under new 'strong customer authentication' regulations.

It may seem heavy-handed to force customers to use a second device but passwords alone are no longer good enough.

Weak login details can be stolen or easily gleaned from social media sites and if a hacker penetrated the first layer of defence, they would have access to sensitive details such as payment history and card numbers, which could make any subsequent scam attempts more convincing.

Is mobile banking safe?

The biggest threat to banking security comes from using a compromised device. And this applies whether you’re using a computer or a smartphone. 

Although phones are more easily lost or stolen, apps are in some ways safer than using a computer to log in to your bank account. 

This is because apps in the official app stores are vetted by Apple and Google, whereas PCs can run software from any source.

It's also more difficult to plant a keylogger (software that records every key you press and can be used to steal usernames and passwords) on an Android or iOS device.

Smartphones can be located, locked and even wiped of data remotely if they are lost or stolen (by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’). 

Of course mobile banking isn’t risk-free - fakes can turn up in app stores and malware does exist that specifically targets mobile phones. 

But, thanks to competition from mobile-only banks Monzo and Starling, many high street banks have started to improve app security features. 

Instant card freezing, where you can block your card in-app without having to call or visit a branch, is now offered by all of the banks we tested except the Co-operative Bank, First Direct (it’s introducing it soon), TSB and Yorkshire Bank. Santander and Tesco Bank only offer this option to credit card customers at present. 

Barclays, Lloyds and Starling go even further, by letting you control whether your card can be used to make payments online, abroad and at cash machines.

High-street banks are also working towards real-time notifications of transactions (already offered by Monzo and Starling) which makes it much easier and quicker to spot fraudulent transactions. 

 

 

Take our fraud risk quiz

 

10 ways to protect yourself against fraud and scams

Criminals are constantly inventing new ways to try to get their hands on your money. 

Phishing emails are sent by criminals posing as genuine companies such as a bank or HMRC. Clicking on a link takes you to a fake website where fraudsters steal financial or personal details. 

Or, the link might install malware on your computer as another means to capture details. Thieves can steal your password by tricking you into installing a program on your computer that secretly records your password when you type. 

Telephone fraud, or vishing, is particularly sneaky. Fraudsters call up pretending to be the police or your bank’s fraud department and warn you that your account has been compromised to trick you into revealing your full password, or persuade you to move your money somewhere ‘safe’. 

Some tell you to call the genuine number for your bank to ‘verify’ the call, then play a dialling tone while they stay on the line, before posing as your bank and conning you into giving them sensitive information.

Remember, your bank would never ask for your full Pin or passwords on the phone or via email, and they would never ask you to authorise a transfer of money to a new account. 

Stay one step ahead: Learn these seven ways to spot a scam and follow these tips to keep the cash in your bank account safe:

 

1. Take your time 

 

Treat unsolicited phone calls, letters, emails and texts with caution. 

Fraudsters use pressure tactics to persuade you to share personal and financial details so don’t let anyone rush you and never share your Pin or online passwords (your bank will never ask for these in full).

 

2. Use a phone number you trust 

 

If you’re in any doubt as to who’s calling, hang up. Make sure the line is clear, and then call the organisation on a phone number you trust, such as the one on the back of your payment card. 

 

3. Use antivirus software and keep your devices up to date

 

Make sure your computer or laptop is protected with a good security program and antivirus software. 

Keep all devices, apps and browsers up to date. Updates contain security patches for new vulnerabilities. It’s important not to carry on using an old device that’s not getting updates: Windows 7 won’t be getting any more updates after January 2020, for example, and you will be at risk if you carry on using this for online banking after this date.

Visit our guide to choosing antivirus software so you can find the best package to keep you safe. 

 

4. Create strong passwords 

 

It’s tempting to use the same password for lots of different websites and accounts, but this is a bad move: passwords get stolen in data breaches and sold to other hackers, who use software to try them on lots of websites in what’s called a password stuffing attack.

Don't write your passwords down in full or share them with anyone. Consider using a password manager such as LastPass or Dashlane to generate unique passwords.

Find out how to create the perfect password.

 

5. Use a secure network 

 

If you have a wireless network at home, activate the security settings on your router to prevent others from accessing it. Avoid accessing your bank account from a public computer or unsecured wireless network. 

If you do use a public computer, never leave it unattended and always log out properly when you've finished your banking session.

 

6. Be wary of links 

 

Avoid clicking links and downloading attachments from emails and texts. 

Type web addresses into the address bar of your browser manually instead.

 

7. Browse safely 

 

Look for a padlock symbol in or next to the address bar in your browser, and check that the web address starts with 'https' rather than 'http'.

This doesn't guarantee a site can be trusted, but it does mean the website is encrypted, so no one else but that website can read any card details or passwords you enter. 

Some sites have an extended validation (EV) certificate, shown as a padlock alongside the company name. Again, it’s not perfect, but it requires the company to undergo more rigorous checks.

 

8. Remove personal info from social media 

 

Don't leave your email address, date of birth, or phone number on sites such as Facebook and Twitter – it increases your risk of identity theft. Only accept friend requests from people you know. 

Someone posing as an interesting person asking to become your friend may actually be an ID thief. 

Check your privacy settings carefully and make sure only people you trust can view your profile. 

 

9. Scan your statements 

 

Regularly check your bank account and credit card statements for suspicious transactions. 

If you spot something unfamiliar, report it to your bank or card provider as soon as you can.

 

10. Use ATMs inside the bank 

 

Try to shield your Pin in case there are cameras fitted by criminals above the keypad. Or, stick to in-branch machines, which are less likely to have been tampered with than one on the high street.

What to do if you're a victim of bank fraud

Check your account online regularly to spot any irregularities and contact your bank as soon as possible if you think you've been a victim of fraud.

Your bank must refund unauthorised transactions and restore your account to the state it would have been in had the transaction not been made, unless it can prove that you've acted fraudulently or been grossly negligent.

They can't refuse to refund you based on a hunch – they must investigate properly – but banks don't always get this right. Which? Money has obtained exclusive data from the Financial Ombudsman Service (FOS) revealing which card providers handle fraud claims poorly.

Know your rights: Find out what to do if you have given a fraudster your bank details

 

Which? campaigns for scam victims to be reimbursed

Sadly, it can be difficult to get a refund if you've been tricked into transferring money.

For example, if a fraudster called up, posing as your bank's fraud department, and convinced you to move your money into a new account (by pretending yours had been compromised) your bank may not be liable to cover losses because you authorised the payment.

Victims of bank transfer scams can lose eye-watering sums so in 2016 we submitted a super-complaint on bank transfer scams to the financial regulator, demanding banks do more to protect customers who are tricked into sending money to fraudsters.

Thanks to our campaigning, a new voluntary code promising refunds for victims of authorised push payment (APP) scams came into effect in May 2019. Most major banks have signed up to the code, but a few are yet to do so.

Read more about the new scam refunds code and find out if your bank has signed up.
