By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Which? banking security test: which banks sit at the bottom?

Which? reveals the best and worst banks for online security
Chiara CavaglieriSenior researcher & writer

Banks must lead the battle against online crime, yet the latest security test from Which? Money has revealed a big gap between the best and worst.

All providers have controls in place that we can't detect and they must balance security measures with convenience to ensure customers enjoy a seamless experience. But with so much at stake, we want them to prioritise safety above all else.

Which? has long called for banks to use a second authentication factor at login (not just static data such as a username and password). This is now enforced under regulations known as strong customer authentication (SCA) yet we found that one bank - TSB - has failed to fully implement this crucial layer of defence.

When we reported this non-compliance to the Financial Conduct Authority (FCA), it told us it doesn't comment on specific firms and would not confirm if TSB or any other firms have been granted an effective SCA extension in relation to online banking.

See the full online banking security table to check scores for 13 leading current account providers.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy


Tesco Bank worst for banking security

Tesco Bank has the lowest score of 46%.

Though it is no longer accepting new current account customers, existing users will be disappointed that it has slumped to the bottom of our table.

6point6 found multiple security headers missing (these protect against a range of cyberattacks, by telling your browser how to behave when it communicates with the website).

They also uncovered an internal staff website that was accessible from anywhere. This has since been closed so that only employees can access it but it should never have been visible to our testers as it can give scammers a way in.

Users can save a trusted device instead of entering a one-time passcode (OTP) at every login. This may be convenient, but as it never asks customers to re-authenticate that device and there's no option to edit a list of trusted devices (the bank told us this is in the works), we couldn't award it full marks.

Tesco also failed to block us from logging in to the website from two computer networks at the same time and we weren't logged out when we switched to a different website or used the forward/ back button to leave the session and return to it.

A Tesco Bank spokesperson said: 'The security of our customers' accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.

'Not all of these controls are obvious or visible to customers, but each of them serves to protect customers and all are in line with industry standards.'

'We use the latest technology to protect and manage the security of Online Banking and our Mobile Banking App and all our controls are constantly reviewed to ensure they remain fit for purpose, giving customers peace of mind they can bank safely and securely with us.'

TSB fails to implement crucial security checks

TSB has one of the lowest scores (51%) for the second year running (see here for last year's test results).

It may be the only bank to pledge to refund all innocent fraud victims, but it was also the only bank in our test that was not SCA-compliant.

Asking for static account details gives limited protection against attacks. We're shocked that it has been so slow to implement this protection.

The bank initially told Which? that it's SCA-compliant but when pressed, it revealed that SCA is still being rolled out for existing customers and couldn't say when this will be completed.

The forced upgrade has since been completed for mobile app users but is still being rolled out for online banking users.

Once fully rolled out, all TSB users must enter an OTP at login though they can choose to 'trust' their device for 90 days to bypass this check.

Other issues we found included support for outdated versions of Transport Layer Security' (TLS). These ensure communication over the internet is scrambled so that only you and your bank can read it. The bank said these are supported as part of a balanced approach to security and being inclusive to customers.

We found a missing security header - one that would help to lessen the impact if a hacker injected malicious scripts into trusted websites. We flagged this problem last year as well. The bank said it performs regular testing to prevent this and other types of attacks.

And our experts noted that scripts loaded from eight external sources (although one was its parent company Group Sabadell). This was the most of any bank tested by some margin.

A TSB spokesperson said: 'TSB customers who use their mobile app already have SCA and we're continuing to roll it out for those who use internet banking.'

Best banks for online banking security revealed

At the other end of the table, challenger bank Starling came out on top with a score of 85%.

Most Starling customers run their accounts from its smartphone app but our experts found nothing concerning with its recently launched online banking website. Unlike most banks, there were no issues with missing security headers and it scored top marks for encryption.

Barclays, HSBC and First Direct tied for second spot, each with a score of 78%.

Barclays supports the latest version of TLS and encourages users to log in using the PINsentry card reader (physical or integrated into the app). Users who choose to enter a code sent via text at login have limited functionality (they can't change their details or open a new account and are unable to make new, high value or international payments).

First Direct and parent bank HSBC have the same score, though not identical security.

Both offer a 'Secure Key' (again, this is physical or integrated into the app) to log in, pay someone new or change personal details.They scored top marks for cipher strength but don't support the latest version of TLS. And we think pre-set security questions for forgotten passwords are too basic though there are plans to address this.

We'd like First Direct to stop asking users to confirm they want to log out (instantly closing a session is safer) and stop allowing 10 minutes' inactivity before timeout. We also want HSBC to ask users to log in again when they switch to a different website and use the back button to return.

We worked with independent security experts 6point6 to rate the largest current-account providers on four main criteria: encryption (40%), login (30%), account management (15%) and navigation (15%). The tests were performed in September and October 2020.

  • The full investigation appeared in the January 2021 of Which? magazine. Try Which? to have our impartial, jargon-free insight delivered to your door every month.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.