Best banks for internet banking security
With so much of our banking now done on our computers and smartphones, it's important that those services are secure.
Every year, we rate the security of the online banking and mobile banking services from major banks and building societies.
In our latest test, volunteers carried out a series of tasks, while a team of experts from cybersecurity firm 6point6 tested each bank's defences.
The table below shows how 16 banks and building societies fared for the main factors we tested in September 2020. The percentage figures illustrate how important that area of security was to the overall test score.
What information is required to access the account? Does the bank require two-factor authentication to login? How easy is it to recover usernames and passwords?
Includes front-end security aspects of logging in, such as HTTPS and cipher strength.
Includes new payee set-up with small weight on password and address change.
Navigation and logout
Includes using forward/back buttons, concurrent login, browsing away from site and confirmation of logout.
|Overall test score|
|First Direct|| |
|NatWest (also RBS)|| |
|Metro Bank|| |
|Virgin Money|| |
|Lloyds (also Halifax and BoS)|| |
|The Co-operative Bank|| |
|Tesco Bank|| |
This table only takes into account online security.
How do we test online banking security?
All providers have processes that aren’t visible in the type of testing we carried out - we can only analyse security features available to the customer - but our tests compared banks on the following:
We looked at whether banks support outdated versions of ‘Transport Layer Security (TLS)’, where data is scrambled so that only you and your bank can read it - or whether they have weak ciphers (algorithms for encrypting and decrypting data).
We checked too if best-practice security headers are in place to protect against a wide range of attacks.
We also noted where scripts (code that your browser runs as part of the page) were loaded from external sources. We prefer this to be kept to an absolute minimum because, while banks have rigorous due-diligence processes, hackers might compromise third parties.
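As an added illustration (not code from Which? or 6point6), the Python below runs two of the checks described above against a constructed login-page response: it reports which best-practice security headers are missing and which scripts are loaded from another host. The header baseline, the `bank.example` URL and the sample HTML are assumptions; the article does not list the headers that were checked.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed baseline of response headers; not the list used in the test.
RECOMMENDED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Constructed sample data for a hypothetical login page.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//tags.example.org/t.js"></script>
<script>var inline = 1;</script>
</head></html>
"""


class _ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"], bool(attr.get("integrity"))))


def missing_headers(headers):
    """Return the recommended headers absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in RECOMMENDED_HEADERS if h not in present]


def external_scripts(page_url, html):
    """List scripts served from a host other than the page's own host."""
    page_host = urlsplit(page_url).hostname
    collector = _ScriptCollector()
    collector.feed(html)
    found = []
    for src, has_sri in collector.scripts:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlsplit(absolute).hostname
        if host and host != page_host:
            # "sri" records whether a Subresource Integrity hash pins the file.
            found.append({"url": absolute, "host": host, "sri": has_sri})
    return found


if __name__ == "__main__":
    print("Missing headers:", missing_headers(SAMPLE_HEADERS))
    for script in external_scripts(SAMPLE_URL, SAMPLE_HTML):
        print("External script:", script)
```

A third-party script without an integrity hash is the case the paragraph above worries about: if that host is compromised, the changed file runs inside the banking page.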
We rated banks on the information required to access accounts and how easy it is to recover usernames or passwords. Passwords alone aren’t secure.
We awarded top marks if banks ask customers to use a card reader or their mobile banking app to log in every time.
Many send a one-time passcode (OTP) via text, but we view this as the least secure way to authenticate customers because criminals can intercept texts.
Setting up a new payee and editing account details should require additional checks to verify it’s really you making changes.
We want banks to send notifications when details are altered to alert you to a potential breach.
We marked them down if these messages included a phone number or web link, as scammers often replicate texts and emails to trick you into calling them or entering your details on a fake website.
If banks never included numbers or links in communications, it would make scam attempts easier to spot.
Navigation and logout
Banks were penalised if they let us log in from multiple browsers or computer networks at the same time - this should be flagged as a potential attack - or if they allowed us to click forward and back in the browser.
Banks should log you out after five minutes of inactivity (not all did in our test).
We also want them to restrict customers to one active session at a time, and implement one-click logout rather than ask you to confirm your decision first. Although the latter request is compliant with current industry guidance, we think it’s safer to instantly close the session.
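The session rules in this section can be expressed as a small server-side session table. This is an added example, not any bank's implementation: the class and method names are hypothetical, and ending the older session when a second login arrives (rather than refusing the new one) is an assumed design choice.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 5 * 60  # the five-minute inactivity limit described above


class SessionStore:
    """Server-side session table keyed by an unguessable token (hypothetical)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> {"user": str, "last_seen": float}
        self._by_user = {}   # user -> token of the single active session
        self.alerts = []     # concurrent-login events for fraud monitoring

    def _is_live(self, token, now):
        s = self._sessions.get(token)
        return s is not None and now - s["last_seen"] < self.idle_timeout

    def login(self, user, now):
        """Start a session; any earlier session for the same user is ended."""
        old = self._by_user.get(user)
        if old is not None and self._is_live(old, now):
            # Second login while one is still live: flag as a potential attack.
            self.alerts.append((user, "concurrent_login", now))
        if old is not None:
            self._sessions.pop(old, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        self._by_user[user] = token
        return token

    def touch(self, token, now):
        """Validate a request; returns the user, or None if the session is dead."""
        if not self._is_live(token, now):
            self.logout(token)  # expired or unknown tokens are purged
            return None
        s = self._sessions[token]
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """One-step logout: the token is destroyed at once, with no confirmation."""
        s = self._sessions.pop(token, None)
        if s and self._by_user.get(s["user"]) == token:
            del self._by_user[s["user"]]
        return s is not None


def demo():
    """Constructed timeline, in seconds, using an explicit clock."""
    store = SessionStore()
    t1 = store.login("alice", now=0)
    active = store.touch(t1, now=240)           # four minutes in: still valid
    t2 = store.login("alice", now=250)          # second browser logs in
    old_session = store.touch(t1, now=251)      # first session was ended
    idle = store.touch(t2, now=250 + 300)       # five minutes idle: expired
    return active, old_session, idle, store.alerts


if __name__ == "__main__":
    print(demo())
```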
What is Strong Customer Authentication?
Banks have been told to introduce a multi-layered approach to online banking login and online card payments, under new 'strong customer authentication' (SCA) regulations.
This involves multiple ID checks such as providing a password plus a single-use passcode generated on a card reader or sent via text message to your mobile phone.
SCA was meant to be in place from 14 September 2019 but many banks and retailers failed to meet this deadline.
The regulator has had to extend this legal deadline multiple times, by stating that it would not enforce the new rules until 14 March 2020 for online banking and 14 March 2022 for online card payments.
Why is SCA important?
Which? has long called for banks to require a second form of authentication when logging in.
Gmail, Microsoft Hotmail and Twitter all offer this to their users. You might expect that bank accounts should be at least as secure as an email or social media account but our research has found that some banks are still lagging behind.
It may seem heavy-handed to force customers to use a second device but passwords alone are no longer good enough.
Weak login details can be stolen, leaked, or easily gleaned from social media sites and if a hacker penetrated the first layer of defence, they would have access to sensitive details such as payment history and card numbers, which could make any subsequent scam attempts more convincing.
How do banks make SCA checks for online banking?
Banks must identify every customer using at least two of these independent factors:
- something only you know (a password or Pin)
- something only you possess (a card reader or registered mobile device) and
- something only you are (a digital fingerprint or voice pattern).
Some banks offer a physical device to generate unique one time passcodes (OTPs) that serve as evidence of 'possession'.
The Barclays PINSentry and Nationwide card reader require you to insert your debit card to generate the OTP, while the HSBC/First Direct Secure Key and M&S PASS devices generate codes when you enter a Pin. These banks also offer digital versions of their card readers/devices for mobile users.
Most banks also let you authenticate yourself at login via the mobile banking app (in some cases, you can simply use fingerprint ID to let them know it's you logging in). Nationwide, Tesco Bank, the Co-operative Bank, Triodos and Virgin Money are the only current account providers who don't yet offer this.
A more common option is OTPs sent via text message to a mobile phone but we want providers to phase these out as they are vulnerable to Sim-swap attacks. Only First Direct, HSBC, M&S Bank, Monzo, Starling and Triodos have removed this option.
Lloyds Banking Group (includes Halifax and Bank of Scotland) customers can choose to pass security by supplying a six-digit number via an automated phone call to their landline.
What if I don't have a mobile phone?
Which? has previously raised concerns that banks could exclude some customers because they don't own a mobile phone or have decent signal.
It’s up to each bank and card issuer which methods they use; however, the Financial Conduct Authority (FCA) has said that customers without phones or mobile reception should not be excluded.
Your bank must make it clear that they offer alternative ways to authenticate yourself.
If you are struggling to receive codes sent by your bank via SMS due to bad reception, some networks offer Wi-Fi Calling which lets you connect via your wireless broadband.
Should I tell my bank to 'trust' my device?
A number of providers (Lloyds Banking Group, Santander, Tesco Bank, TSB) let you ‘trust’ your device to avoid extra security checks at login.
This is convenient but think carefully about the chosen device as none of these banks let you instantly ‘distrust’ devices, which could pose a fraud risk if it was mislaid or stolen.
Banks should still monitor your accounts for unusual activity (Lloyds asks you to reconfirm trusted status when you use a new browser or clear your browser history).
Tesco Bank was the only bank that told us it never asks users to re-authenticate trusted devices.
What is Confirmation of Payee?
A new name-checking system called Confirmation of Payee (CoP) has been introduced to prevent payments being made to the wrong bank accounts, but not all banks have implemented this vital layer of security.
The six largest banking groups were forced to introduce this new system at the point of payment, by warning customers when the account name entered doesn’t match the account details.
Smaller banks aren’t required to introduce CoP at all though the likes of Monzo and Starling implement it voluntarily. CoP was originally expected in June 2019 but multiple delays meant this wasn’t introduced until 30 June 2020.
Which? wants all banks to sign up for CoP, not just the six largest banking groups, to prevent fraudsters from targeting banks that don’t offer it, and ensure consumers see consistency among all providers.
How does CoP work?
Previously, all banks processed online transfers using the account details only and took no notice of the name entered.
This flaw causes misdirected payments if people accidentally enter the wrong digits and can be abused by criminals who impersonate trusted organisations to trick people into transferring money directly into accounts they control.
When CoP is in place, your bank checks if the full name matches the details held by the recipient’s bank. If the name entered doesn’t match - or only partially matches - the account details, you’ll know something is wrong.
You can still choose to ignore these warnings and authorise the payment regardless, though banks make a point of stating that you do so at your own risk.
What messages will you see?
There are four possible CoP messages, though not all banks use identical wording:
- Yes, exact match – the details match and you can proceed with the payment.
- Partial or close match – some of the details are incorrect so look for spelling mistakes or typos.
- No match – the details don’t match so cancel the payment until you’ve made further checks.
- No name check – it has not been possible to check the name, e.g. because the receiving bank doesn’t offer CoP.
CoP checks payments using the Faster Payments system (including standing orders) and CHAPS (high-value payments), whether they are made online, via your mobile banking app or in a branch.
It doesn’t apply to payments that are not in pounds sterling or BACS payments (including direct debits).
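The four outcomes listed above can be modelled as a simple name comparison. This is an added example, not the scheme's actual matching rules: the normalisation, the 0.8 similarity threshold, the `directory` lookup and the account details are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

TITLES = {"mr", "mrs", "ms", "miss", "dr"}  # assumed list of ignorable titles
CLOSE_MATCH_THRESHOLD = 0.8                 # assumed; not a published CoP value

# Constructed directory standing in for the receiving banks' records.
SAMPLE_DIRECTORY = {
    ("00-00-00", "12345678"): "Jane Smith",
    ("00-00-01", "87654321"): "Acme Plumbing Ltd",
}


def normalise(name):
    """Lower-case, drop punctuation and titles so 'Mrs. Jane Smith' == 'jane smith'."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in TITLES)


def cop_check(entered_name, sort_code, account_number, directory):
    """Return one of the four CoP outcomes for the payee details entered."""
    held = directory.get((sort_code, account_number))
    if held is None:
        # Receiving side cannot answer, e.g. it does not take part in CoP.
        return "NO_NAME_CHECK"
    entered, registered = normalise(entered_name), normalise(held)
    if entered == registered:
        return "EXACT_MATCH"
    similarity = SequenceMatcher(None, entered, registered).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH"  # likely a typo: ask the payer to re-check
    return "NO_MATCH"         # warn before the payment is authorised


if __name__ == "__main__":
    for name, sc, acct in [
        ("Mrs. Jane Smith", "00-00-00", "12345678"),
        ("Jane Smyth", "00-00-00", "12345678"),
        ("HMRC Safe Account", "00-00-01", "87654321"),
        ("Jane Smith", "00-00-02", "11111111"),
    ]:
        print(name, "->", cop_check(name, sc, acct, SAMPLE_DIRECTORY))
```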
How does CoP prevent misdirected payments?
The most obvious benefit to CoP is that it significantly reduces the risk of you making a bank transfer to the wrong account.
Our most recent current account survey of the general public, in September 2020, found that 12% of people paid into the wrong account by accident in the past 12 months. We hope to see this figure drop when we ask again next year.
If your own bank or the receiving bank doesn’t yet have CoP in place, be extra vigilant when adding payment details, particularly for large transfers.
Banks and building societies who offer Faster Payments must follow the credit payment recovery process if you do make a mistake, by contacting the receiving bank on your behalf within two days of you reporting the mistake.
As long as the recipient of the misdirected payment does not dispute your claim, you’ll be refunded within 20 working days of notifying your bank.
However, there are no guarantees you’ll recover the misdirected money - if the recipient claims the money is rightfully theirs, you should seek legal advice and may need to take court action against them.
How does CoP prevent fraud?
It is hoped that CoP will also protect people from losing money to bank transfer fraud, also known as authorised push payment (APP) fraud.
A common tactic used by impersonation scammers is to trick victims into moving money to a ‘safe’ account. CoP can help ‘break the spell’ by highlighting when the name entered isn’t as expected.
Fraudsters will try to convince targets to ignore these warnings, for example, by claiming that a business name is different because it’s a related trading name, or they could set up a new business with a name that’s deceptively similar to a legitimate one.
But banks will never ask you to disregard CoP warnings so it’s important that customers take these messages seriously.
Which banks and building societies offer CoP?
The payments regulator told the six biggest UK banking groups to implement CoP: Barclays, Lloyds Banking Group, NatWest Group (including RBS), Santander, HSBC Group (excluding M&S Bank) and Nationwide Building Society.
Monzo and Starling were the first banks to sign up for CoP voluntarily. Revolut - an e-money firm - started offering CoP checks in January 2021.
Later in 2021, we saw The Co-operative Bank (April) and TSB (June) follow suit.
Metro Bank and Virgin Money still do not offer CoP, even though this would help protect their customers from sending money to the wrong account.
What if CoP fails to work?
New systems can have teething problems so don’t assume CoP will always work.
In November 2020, Which? Money discovered that certain Starling customers had missed out on these checks for an entire month following a system update.
We expect banks to follow Starling’s lead and reimburse any customers who lose money as a result of CoP failures.
Is mobile banking safe?
The biggest threat to banking security comes from using a compromised device. And this applies whether you’re using a computer or a smartphone.
Although phones are more easily lost or stolen, apps are in some ways safer than using a computer to log in to your bank account. This is because apps in the official app stores are vetted by Apple and Google, whereas PCs can run software from any source.
It's also more difficult to plant a keylogger (software used to track every key you press and potentially steal usernames and passwords) on an Android or iOS device.
Smartphones can be located, locked and even wiped of data remotely if they are lost or stolen (by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’).
Of course mobile banking isn’t risk-free - fakes can turn up in app stores and malware does exist that specifically targets mobile phones.
But, thanks to competition from innovative mobile-only banks Monzo and Starling, many high street banks have started to improve app security features:
Instant card freezing
Smartphone users tend to keep their devices with them, so it's a quick way to contact your bank if something goes wrong.
Instant card freezing, where you can temporarily block your card in-app without having to call or visit a branch, is now offered by all of the banks we tested except The Co-operative Bank, TSB and Virgin Money.
Freeze specific purchases
A handful of banks - Barclays, Lloyds and Starling - also let you block other purchases such as:
- Payments made outside of the UK, including ATM withdrawals;
- Remote purchases made online, in-app, over the phone and by mail order;
- Gambling payments to all relevant retailers including gambling websites and betting shops.
Real-time spending notifications
Monzo and Starling are the only current account providers offering real-time notifications - meaning customers get alerts via the apps every time a payment comes in or out.
These notifications make it much easier and quicker to spot fraudulent transactions.
High-street banks are working towards this; for example, Barclays alerts mobile banking app users to large credit or debit payments and overseas payments. But most are some way behind the digital challenger banks.
Phone scams - is it really your bank calling?
Telephone fraud, or vishing, is particularly sneaky. Fraudsters call up pretending to be the police or your bank’s fraud department and warn you that your account has been compromised to trick you into revealing your full password, or persuade you to move your money somewhere ‘safe’.
Some tell you to call the genuine number for your bank to ‘verify’ the call, then play a dialling tone while they stay on the line, before posing as your bank and conning you into giving them sensitive information.
They may use cheap software to make the call seem legitimate, for example, number spoofing software displays false caller-ID information to trick you into thinking that their number belongs to your bank or another legitimate business.
Criminals may also attempt to trick you into installing remote-access software (brand names include TeamViewer and LogMeIn) to ‘fix’ a spurious problem. This software is used by legitimate businesses - including the Which? Tech Support team and many IT support firms. But criminals abuse accounts to hack into email and bank accounts.
Call-blocking services and phones offer some respite from unwanted calls but the easiest way to stay safe is to hang up and call back on a phone number you trust such as the number your bank provides on the back of your debit card.
How can you protect yourself against bank fraud?
Criminals are constantly inventing new ways to try to get their hands on your money.
Stay one step ahead by following these ten tips to keep the cash in your bank account safe:
1. Take your time
Treat unsolicited phone calls, letters, emails and texts with caution.
Fraudsters use pressure tactics to persuade you to share personal and financial details so don’t let anyone rush you and never share your Pin or online passwords (your bank will never ask for these in full).
2. Use a phone number you trust
If you’re in any doubt as to who’s calling, hang up. Make sure the line is clear, and then call the organisation on a phone number you trust, such as the one on the back of your payment card.
3. Use antivirus software and keep your devices up to date
Make sure your computer or laptop is protected with a good security program and antivirus software.
Keep all devices, apps and browsers up to date. Updates contain security patches for new vulnerabilities. It’s important not to carry on using an old device that’s not getting updates: Windows 7 won’t be getting any more updates after January 2020, for example, and you will be at risk if you carry on using this for online banking after this date.
4. Create strong passwords
It’s tempting to use the same password for lots of different websites and accounts, but this is a bad move: passwords get stolen in data breaches and sold to other hackers, who use software to try them on lots of websites in what’s called a password stuffing attack.
Don't write your passwords down in full or share them with anyone. Consider using a password manager such as LastPass or Dashlane to generate unique passwords.
5. Use a secure network
If you have a wireless network at home, activate the security settings on your router to prevent others from accessing it. Avoid accessing your bank account from a public computer or unsecured wireless network.
If you do use a public computer, never leave it unattended and always log out properly when you've finished your banking session.
6. Be wary of links
Avoid clicking links and downloading attachments from emails and texts.
Phishing emails are sent by criminals posing as genuine companies such as a bank or HMRC. Clicking on a link takes you to a fake website where fraudsters steal financial or personal details.
Or, the link might install malware on your computer as another means to capture details. Thieves can steal your password by tricking you into installing a program on your computer that secretly records your password when you type.
Type web addresses into the address bar of your browser manually instead.
7. Browse safely
Look for a padlock symbol in or next to the address bar in your browser, and check that the web address starts with 'https' rather than 'http'.
This doesn't guarantee a site can be trusted, but it does mean the connection to the website is encrypted, so no one else but that website can read any card details or passwords you enter.
Some sites have an extended validation (EV) certificate, shown as a padlock alongside the company name. Again, it’s not perfect, but it requires the company to undergo more rigorous checks.
8. Remove personal info from social media
Don't leave your email address, date of birth, or phone number on sites such as Facebook and Twitter – it increases your risk of identity theft. Only accept friend requests from people you know.
Someone posing as an interesting person asking to become your friend may actually be an ID thief.
Check your privacy settings carefully and make sure only people you trust can view your profile.
9. Scan your statements
Regularly check your bank account and credit card statements for suspicious transactions.
If you spot something unfamiliar, report it to your bank or card provider as soon as you can.
10. Use ATMs inside the bank
Try to shield your Pin in case there are cameras fitted by criminals above the keypad. Or, stick to in-branch machines, which are less likely to have been tampered with than one on the high street.
What to do if you're a victim of bank fraud
Check your account online regularly to spot any irregularities and contact your bank as soon as possible if you think you've been a victim of fraud.
Also contact Action Fraud on 0300 123 2040.
Your bank is legally required to refund unauthorised transactions and restore your account to the state it would have been in had the transaction not been made, unless it can prove that you've acted fraudulently or been grossly negligent.
They can't refuse to refund you based on a hunch - they must investigate properly - but banks don't always get this right. Which? Money has obtained exclusive data revealing the card providers handling fraud claims poorly.
If you're unhappy with the way your bank has dealt with your complaint, you can refer the matter to the Financial Ombudsman Service (FOS).
Which? campaigns for scam victims to be reimbursed
Not all scam victims are legally entitled to compensation.
For example, if a fraudster called up, posing as your bank's fraud department, and convinced you to move your money into a new account (by pretending yours had been compromised) your bank may not be liable to cover losses because you authorised the payment.
Victims of bank transfer scams can lose eye-watering sums so in 2016 we submitted a super-complaint on bank transfer scams to the financial regulator, demanding banks do more to protect customers who are tricked into sending money to fraudsters.
Thanks to our campaigning, a new voluntary code promising refunds for victims of authorised push payment (APP) scams came into effect in May 2019. Most major banks have signed up to the code, but a few are yet to do so.