Online banking security put to the test – how safe is your bank's website?

Which? investigation tests the resilience of the biggest current account providers' apps and websites

Gaps in bank security could expose some people to opportunistic scammers, warns Which?, after testing the websites and mobile apps of 13 leading current account providers. 

Building a financial website or app that is watertight without being clunky is no mean feat. Banks are targeted at every angle, from infected devices to compromised login details. Even their own customers can pose a threat, if they unwittingly give away sensitive data to criminals.

Our latest online banking security investigation tested banks' defences against a range of possible attacks – and the lowest-ranked providers fell short of the high standards we think you have a right to expect.


Banks' websites and apps under the spotlight

We assessed the apps and websites of 13 of the largest current account providers in January and February 2024, with help from independent computer security experts. 

Although we weren’t able to test back-end systems – and all banks deploy multilayered security – we were able to compare them on four key areas, which were amalgamated to give a total score.

  1. Security best practice (30% of total score): we checked for best-practice security headers that protect against cyberattacks by telling your web browser how to behave when it communicates with the bank’s website. 
  2. Login (30%): we compared banks on the information they require to access accounts and how easy it is to recover usernames and passwords. 
  3. Account management (25%): we tested security for setting up a new payee, changing your password and editing account details. 
  4. Navigation & logout (15%): we marked banks down for poor website session management if they let us access accounts from multiple browsers, IP addresses or devices at the same time.

See how your bank fared by checking our full table of bank security test results.

Weaknesses in bank security 

TSB and the Co-operative Bank are in the bottom two for both mobile app and online security.

The most serious problem our tests uncovered was a ‘medium-risk’ issue on the TSB app, which has the lowest score overall (54%). The app stores users’ credentials in an insecure manner, so this sensitive data could potentially be read by other apps running on the same phone.

TSB told Which? that the matter was under review and a fix will be ‘considered in the future’. Given the level of risk here, we would expect a stronger response.

The Co-operative Bank is the lowest-ranked bank for mobile app security (61%). 

It's the only provider that failed to require two-factor authentication (2FA) login on a test laptop that our researcher had never used before.

This is compliant with the regulations, thanks to an exemption, and the bank uses ‘device profiling and behavioural data’ to step up security when needed. But we think this is particularly poor and want it to enforce 2FA for every login.

This issue is all the more striking given that the Co-operative Bank also fails to block users from setting very weak passwords and returns different error messages depending on whether the username was valid or not (meaning an attacker could build up a list of valid usernames then try commonly used weak passwords against each of them).
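To make the two weaknesses described above concrete, here is an added example (not code from Which? or from any bank) of a login handler written the leaky way beside a hardened version that returns one generic message whether or not the username exists, does the same hashing work in both cases, and rejects very weak passwords. The user store, salt and common-password list are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo store: username -> (salt, PBKDF2 hash). Not real data.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Hash of a dummy password, checked when the username is unknown so the
# response takes about the same time as a real user with a wrong password.
_DUMMY = (_SALT, _hash("dummy-password-never-valid", _SALT))
# Tiny constructed list standing in for a real common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

def login_leaky(username: str, password: str) -> str:
    """Weak pattern: different messages reveal which usernames exist."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"

def login_hardened(username: str, password: str) -> str:
    """One generic failure message; hashing happens whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # The dummy hash can never log anyone in, even if its plaintext were guessed.
    ok = matches and username in USERS
    return "OK" if ok else "Invalid username or password"

def password_acceptable(pw: str) -> bool:
    """Reject the very weak passwords the article describes: short ones and common ones."""
    return len(pw) >= 12 and pw.lower() not in COMMON_PASSWORDS
```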

Lloyds generally performed fairly well in our tests, but it was the only bank that failed to log out website users after five minutes of inactivity, despite this being a regulatory requirement. The bank told Which? that this makes things easier for vulnerable customers.
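The session management points raised above (concurrent access from several browsers, IP addresses or devices, and the five-minute inactivity logout) can be illustrated with a small session store. This is an added example, not code from Which? or from any bank; the device identifier is assumed to be a string the server derives from the client's IP address and browser fingerprint, and the clock is injectable so the timeout can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 5 * 60  # seconds: the five-minute inactivity limit cited in the article

class SessionStore:
    """One live session per user, bound to the device that logged in,
    and dropped after five minutes without activity."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # token -> {"user", "device", "last_seen"}
        self.active = {}    # user -> token of that user's current session

    def login(self, user: str, device: str) -> str:
        # A fresh login anywhere supersedes the previous session, so the
        # account cannot be open in two browsers or on two devices at once.
        old = self.active.get(user)
        if old is not None:
            self.sessions.pop(old, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": device,
                                "last_seen": self.clock()}
        self.active[user] = token
        return token

    def check(self, token: str, device: str):
        """Return the user for a valid request, or None (after logging the
        session out) when it has idled past the limit or arrives from a
        different device than the one that logged in."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or s["device"] != device:
            self.logout(token)
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        s = self.sessions.pop(token, None)
        if s is not None and self.active.get(s["user"]) == token:
            del self.active[s["user"]]
```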

Banks must stay one step ahead of scammers

Which? is calling for TSB and the Co-operative Bank to urgently address the issues its researchers have uncovered, so that sophisticated fraudsters aren't able to take advantage of potential holes in security systems to target innocent victims.  

Sam Richardson, deputy editor of Which? Money, said: 'With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch. 

'While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address, so that sophisticated scammers can’t use loopholes to target innocent victims. 

'With fraudsters still relentless in their pursuit of our money, and a general election looming, the next government must make fighting fraud a national priority, with a Fraud Minister installed to work across multiple government departments.'

Which banks came out on top?

NatWest and Starling tied for top online banking score (87%), both achieving four stars for login and the maximum five stars for everything else we tested.

The highest scorers for mobile banking were HSBC (78%) and Barclays (74%). 

HSBC got solid scores for both its app and website, and – unlike many of its high street rivals – it doesn't rely on SMS for login. We didn't find any issues with its logout or navigation, either.

Barclays finished second in the mobile app rankings, with a highly respectable total score of 74%. 

However, it only managed three stars for navigation and logout, largely due to the website session management issues Which? identified last year: it let users access accounts from multiple browsers, IP addresses or devices at the same time, activity that could otherwise be flagged as a potential attack by cybercriminals. This is despite Barclays claiming these issues would be addressed in early 2023.

The bank told Which? it uses other controls to assess the risk profile of devices accessing online banking, and is planning to add this additional layer of protection later this year.

Banks respond to Which?'s findings

We put our findings to the banks we investigated.

TSB said: 'We continue to strengthen the security of our internet and mobile banking while delivering a positive and convenient user experience for customers. That’s reflected in our high app store ratings.'

The Co-operative Bank said: 'We are constantly reviewing and enhancing our security controls and we will be delivering a number of further improvements in 2024 to give our customers peace of mind that they can continue to bank safely and securely with us.'

Lloyds Banking Group said: 'We have robust, multi-layer security across our online and mobile banking services to protect against potential cyber security threats. 

'Logons from new devices are verified through secondary verification to the customer's registered phone to establish the trust for any devices used. Given this, there are no customer untrusted devices.'

Six tips to stay safe when using online banking

  1. Protect your mobile: having your phone stolen needn’t put your money at risk. Add a unique Pin to your Sim card, register for Google’s Find My Device or Apple’s Find My iPhone, and disable preview notifications. These flash up messages even when your phone is locked.
  2. Don’t use an out-of-date device: updates contain security patches for new vulnerabilities, so if you bank online, don’t use a device that’s no longer supported. Use antivirus software: check our antivirus reviews before you choose.
  3. Choose strong, unique passwords: avoid repeat or simple passwords. Use a password manager if you struggle to remember them. Dashlane and LastPass are decent free options – make sure your master password is secure.
  4. Keep your phone and bank cards separate: never leave your mobile phone and bank cards unattended together – a thief could pass security checks when armed with both.
  5. Check your social media profiles for details: remove personal data (email, date of birth, phone numbers) from online profiles, as this raises your risk of identity theft. Only accept friend requests from people you know. What you put online is public, so never use anything that’s out there in a password or security question.
  6. Act quickly: if you spot an unauthorised payment or changes you don’t recognise, report it immediately. Many banks let you freeze your debit card via their app or they offer a 24/7 helpline to report lost and stolen cards.