Press release

Which? reveals best banks for online security - and those where gaps could help fraudsters get their hands on your cash

Weaknesses in some banks’ security could leave customers exposed to scammers, a new Which? investigation has found, as the consumer champion rates the best and worst firms for keeping customers safe 

With more people than ever before using mobile banking, criminals are increasingly viewing mobile phones as gateways to consumers’ personal finances.

Which? researchers tested banking website and app security across four key criteria: login procedures; security best practice; account management; and navigation and logout. These were amalgamated to give a total score. They were not able to test banks’ back-end security systems.

While all firms do use multilayered security that helps reduce the likelihood of major security breaches, Which? believes that some firms that finished towards the bottom of the rankings fell short of the high standards customers should expect.

TSB scored 54 per cent for its mobile app security and 67 per cent for its online security - the lowest and second-lowest scores, respectively. The firm was the only one to score just two stars for online account management, and just two stars for security best practice for its app. 

The most serious problem the security best practice tests discovered was a ‘medium-risk’ issue on the TSB app. Its improper handling of sensitive data meant that it could be read by other apps running on the phone. The app stores users’ credentials in an insecure manner which makes it more likely that other apps could access them. 

TSB told Which? that the matter was under review and a fix will be ‘considered in the future’. However, given the level of risk here, Which? would expect a stronger response. 

Researchers also uncovered encryption issues with outdated versions of third-party libraries - the collections of computer code reused by apps and websites - and a weakness related to support for devices running Android 8.0 and below, while TSB also specifically asks users to ‘trust’ a device but then offers no way to ‘distrust’ it afterwards. 

The bank also sent a phone number in an SMS alert, which could be replicated by scammers. TSB told Which?: "We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in plan for updating to remove the phone number." 

Finally, TSB’s password requirements are still only six characters and users can still choose a range of insecure passwords, which are easier for scammers to crack.  

Which? also uncovered problems with The Co-operative Bank’s security measures. The bank came bottom of the online security table, with a score of just 61 per cent. It got a very average three stars for both account management and navigation. 

When it came to security on its mobile app, The Co-operative Bank came second-last, with a disappointing score of 57 per cent. The firm was one of three rated average (three stars) for login security, and it was the only bank to fail to require a two-factor authentication login on a test laptop. The bank also fails to block customers from setting weak passwords. 

Researchers could still log in from two different IP addresses at the same time without the older session being terminated, and, like TSB, there were still phone numbers in alerts and security codes sent via SMS. The bank said that messages for high-risk changes to your account, such as a resetting of login details, were being reviewed, along with its ‘authentication strategy to move to app authentication and reduce the reliance on SMS’.

Lloyds was the only bank that failed to log out website users after five minutes of inactivity, despite this being a regulatory requirement. The bank told Which? that this makes things easier for vulnerable customers. 

At the top of the pile for online security were Starling and NatWest/RBS, with both posting an impressive total score of 87 per cent. While both firms scored four stars for login security online, they both posted a full five stars for security best practice, account management and navigation. 

The best performing bank for mobile app security was HSBC, with a total score of 78 per cent. HSBC posted solid scores for both its app and website, and unlike many of its high street rivals, it does not rely on SMS for login, and researchers found no issues with logout or navigation. 

While Barclays finished second in the mobile app rankings, with a highly respectable total score of 74 per cent, it is still yet to fix the website management issues Which? identified last year, despite claiming these would be addressed in early 2023. These include letting users access accounts from multiple browsers, IP addresses or devices at the same time, behaviour that could indicate a potential attack by cybercriminals.

The firm told Which? it uses other controls to assess the risk profile of devices accessing online banking, and is planning to add this additional layer of protection later this year.

Which? is calling for TSB and The Co-operative Bank to urgently address the issues its researchers have uncovered, so that sophisticated fraudsters are not able to take advantage of potential holes in security systems to target innocent victims. 

Banking trade body UK Finance’s most recent half year fraud report revealed that losses from mobile banking fraud ‘increased by 17 per cent to £18.7 million in the first six months of 2023’ - the biggest recorded increase since it began collecting data on this fraud type in 2015. The number of cases shot up by 32 per cent to 8,078, also the highest total recorded.

With a General Election looming, the consumer champion is calling on the next government to appoint a dedicated Fraud Minister and make fighting fraud a national priority. This minister must use their authority to work across multiple government departments, and with industry, to lead a clear strategy to stop organised crime online and focus on fraud as a fundamental part of the UK’s wider crime strategy.

Sam Richardson, Deputy Editor of Which? Money, said: 

“With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch. 

“While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims. 

“With fraudsters still relentless in their pursuit of our money and a General Election looming, the next government must make fighting fraud a national priority, with a Fraud Minister installed to work across multiple government departments.”

-ENDS- 

Notes to Editors 

Which? assessed the apps and websites of 13 of the largest current account providers in January and February 2024, with help from independent computer security experts. 

Which? rated banks across four categories: login (30%), encryption (30%), account management (25%), and navigation and logout (15%). 

The full results for online and app banking security can be found here.

6 tips to stay safe 

  1. Protect your mobile. Having your phone stolen needn’t put your money at risk. Add a unique PIN to your SIM card, register for Google’s Find My Device or Apple’s Find My iPhone, and disable preview notifications. These flash up messages even when your phone is locked.
  2. Don’t use an out-of-date device. Updates contain security patches for new vulnerabilities, so if you bank online, don’t use a device that’s no longer supported. Use antivirus software: see reviews at which.co.uk/antivirus.
  3. Choose strong, unique passwords. Avoid repeat or simple passwords – too many banks failed to block this. Use a password manager if you struggle to remember them. Dashlane and LastPass are decent free options – make sure your master password is secure.
  4. Keep your phone and bank cards separate. Never leave your mobile phone and bank cards unattended together – a thief could pass security checks when armed with both.
  5. Check your social media profiles for details. Remove personal data (email, date of birth, phone numbers) from online profiles, as this raises your risk of identity theft. Only accept friend requests from people you know. What you put online is public, so never use anything that’s out there in a password or security question.
  6. Act quickly. If you spot an unauthorised payment or changes you don’t recognise, report it immediately. Many banks let you freeze your debit card via their app or they offer a 24/7 helpline to report lost and stolen cards.

Right of replies 

A Lloyds Banking Group spokesperson said: 

“Helping to keep our customers’ money and data safe is our priority and we have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats. We employ world-class experts in the cyber-security field and continually invest to deliver the right balance of online security measures, customer experience and accessibility.

“Whilst written in the Payment Systems Regulator’s regulation for Secure Customer Authentication, Lloyds Banking Group has made the Regulators aware that we would not enforce this on Payments and Logon given the considerations for vulnerable customers and businesses that may need longer than that period to complete the transaction.

“Logons from new devices are verified through secondary verification to the customer’s registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices.”

TSB said: 

“We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.”

The Co-operative Bank said: 

“The security of our customers' accounts is always our top priority. Customers can be assured we have robust security measures in place to protect them and their money.

“We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.”

About Which?

Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful. 

The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.