Which? has rated 13 of the UK's biggest banks on the security of their online
and mobile banking systems. How does your provider's digital defences measure
up?
With so much of our banking now done on our computers and mobile phones, it's important that those services are secure.
Which? regularly rates the security of the online banking and mobile banking services from major banks and building societies who offer current accounts.
In our latest test, volunteers carried out a series of tasks, while a team of experts from independent security experts tested each bank's defences.
The tables below shows how 13 current account providers fared for the main factors we tested in January and February 2024, for both online and mobile banking.
These ratings only take into account security – if you're looking for the best current accounts, as rated by customers and our experts, click here.
Online banking security rated
NatWest
87%
★★★★☆
★★★★★
★★★★★
★★★★★
Starling
87%
★★★★☆
★★★★★
★★★★★
★★★★★
HSBC
80%
★★★★★
★★★★☆
★★★★☆
★★★★★
Barclays
78%
★★★★☆
★★★★★
★★★★☆
★★★★★
first direct
74%
★★★★☆
★★★★★
★★★★☆
★★★★★
Nationwide
74%
★★★★★
★★★★★
★★★☆☆
★★★☆☆
Lloyds Bank
69%
★★★★☆
★★★★☆
★★★☆☆
★★★★★
Table note: Lloyds includes subsidiaries Halifax and Bank of Scotland. NatWest includes Royal Bank of Scotland and Ulster Bank.
Total score made up of login (30%), security best practice (30%), account management (25%) and navigation and logout (15%). The percentage figures illustrate how important that area of security was to the overall test score.
How do we test digital banking security?
All providers have processes that aren't visible in the type of testing we carried out, so we can only analyse security features available to the customer, but our tests compared banks on the following:
We rated banks on the information they require for you to access accounts and how easy it is to recover usernames or passwords.
We checked whether they allow you to choose insecure passwords or if they prevent the use of password managers (these help you keep track of multiple passwords securely and avoid bad practices such as using weak/common passwords).
Passwords alone aren't enough. We awarded top marks if banks ask customers to use a card reader or their mobile banking app to log in every time. Many send a one-time passcode via SMS, but we view this as the least secure way to authenticate customers because criminals are increasingly intercepting such texts.
We tested whether banks have best-practice security headers are in place as these protect against a range of cyberattacks by telling your browser how to behave when it communicates with the website.
Banks were penalised if they support any outdated versions of 'Transport Layer Security (TLS)', where data is scrambled so that only you and your bank can read it, or whether they have weak ciphers (algorithms for encrypting and decrypting data).
We searched for bank domains or subdomains (eg computing.which.co.uk is a subdomain of which.co.uk) that use outdated – and therefore potentially vulnerable – software or internal sites that shouldn't be accessible on the internet.
And we noted where scripts (programming language) were loaded from external sources. We prefer this to be kept to an absolute minimum because while banks have rigorous due-diligence processes, hackers might compromise third parties.
A bank's mobile app needs to be able to detect whether it's running in a safe environment or not so we checked if their apps would detect and refuse to run on ‘rooted’ phones and tablets (where in-built protections have been compromised to install unapproved apps) and analysis tools. These tools are useful to security researchers, but hackers could use them to find vulnerabilities.
We counted the number of ‘risky permissions’ users were asked to agree to. These permissions allow bank apps to carry out big changes such as activating the microphone, obtaining your contacts and changing network settings.
Banks also had to meet the latest email security standards as these help your email provider block malicious messages claiming to be from ‘your bank’.
Setting up a new payee and editing account details should require additional checks to verify it's really you making changes.
We want banks to send instant notifications when details are altered to alert you to a potential breach.
We marked them down if these messages included a phone number or web link, as scammers often replicate texts and emails to trick you into calling them or entering your details on a fake website.
If banks never included numbers or links in communications, it would make scam attempts easier to spot.
You should only be able to log in to your bank from one computer at a time. Banks were penalised for poor 'session management' if they let us access accounts from multiple browsers or computer networks at the same time – this should be flagged as a potential attack.
Banks should log you out after five minutes of inactivity, but not all of them did in our test. We also want them to allow one-click logout rather than ask you to confirm the decision first. While asking for confirmation meets industry guidance, we think it's safer to instantly close the session.
Is mobile banking safe?
The biggest threat to banking security comes from using a compromised device. And this applies whether you're using a computer or a smartphone.
Although phones are more easily lost or stolen, you can mitigate the risk by registering for Google 'Find My Device' and Apple 'Find My iPhone' so that it can be located, locked and even wiped of data remotely if it's lost or stolen.
It's difficult to plant a keylogger in an Android or iOS device (software used to track every key you press and potentially steal usernames and passwords).
But mobile banking isn't risk-free – fakes can turn up in app stores and malware does exist that specifically targets mobile phones. Always download bank apps from the official app stores as these are vetted by Apple and Google, and check the reviews carefully.
Keep your software updated as manufacturers and app developers will usually release software updates which contain security patches and new security features.
Make use of any security features offered by your bank or built into your mobile phone:
Protect your mobile Add a unique Pin to your Sim card; register for Google’s Find My Device or Apple’s Find My iPhone; and disable preview notifications. These flash up messages even when your phone is locked.
Instant card freezing All of the banks we tested let you temporarily block your card in-app without having to call or visit a branch, except The Co-operative Bank and Virgin Money.
Block certain payment types If you bank with Barclays, Lloyds or Starling you can also block other purchases such as: payments made outside of the UK; remote purchases made online, in-app, over the phone and by mail order; payments to gambling websites and betting shops.
Real-time notifications These notifications make it much easier and quicker to spot fraudulent transactions. High-street banks are working towards this but most are still a way behind the digital challenger banks.
Caller verification Only Barclays and Monzo offer security features designed to help you spot phone scammers at present. If someone calls claiming to be from Barclays, you can ask them to send a secure notification to your Barclays app via 'app ID'. If you're a Monzo customer, check the 'Privacy & security’ section of your profile and ‘Monzo Call Status’ will show if someone from the bank is genuinely on the phone to you or not.
What is Strong Customer Authentication?
When you log into online banking, or use your card to pay online, you may notice more checks from your bank.
Strong Customer Authentication (SCA) involves multiple ID checks such as providing a password plus a single-use passcode generated on a card reader or sent via text message to your mobile phone.
Banks must identify every customer using at least two of these independent factors:
something only you know (a password or Pin)
something only you possess (a card reader or registered mobile device) and
something only you are (a digital fingerprint or voice pattern).
Some banks offer a physical device to generate unique one time passcodes (OTPs) that serve as evidence of 'possession'.
The Barclays PINSentry and Nationwide card reader require you to insert your debit card to generate the OTP, while the HSBC/First Direct Secure Key devices generate codes when you enter a Pin. These banks also offer digital versions of their card readers/devices for mobile users.
Most banks also let you authenticate yourself at login via the mobile banking app (you can usually simply use fingerprint or face ID to let them know it's you logging in).
Another option is OTPs sent via text message (SMS) to a mobile phone but we want providers to phase these out as SMS is vulnerable to Sim-swap attacks, where criminals intercept messages.
Nationwide, NatWest, Santander, The Co-operative Bank, TSB and Virgin Money all dropped points in our 2024 analysis for continuing to use SMS to verify customers at login.
Which? has previously raised concerns that banks could exclude some customers because they don't own a mobile phone or have decent signal.
It's up to each bank and card issuer which methods they use, however, the Financial Conduct Authority (FCA) has said that customers without phones or mobile reception should not be excluded.
Your bank must make it clear that they offer alternative ways to authenticate yourself.
If you are struggling to receive codes sent by your bank via SMS due to bad reception, some networks offer Wi-Fi Calling which lets you connect via your wireless broadband.
A number of providers – Lloyds and TSB – ask if you want to 'trust' your device to avoid extra security checks at login. Others do the 'trusting' without you realising.
Banks should still monitor your accounts for unusual activity and make regular security checks in case your device has been compromised, for example, Lloyds asks you to reconfirm trusted status when you use a new browser or clear your browser history.
Many providers now let you instantly 'distrust' or deregister a mobile phone, in case it is mislaid or stolen, though this still isn't offered by Lloyds Banking Group, NatWest, Santander, The Co-operative Bank, or TSB.
Chase also doesn't offer this feature but you can only log in to your Chase app via one registered device.
None of the banks tested currently let customers revoke trust for laptops or desktop computers.
What is Confirmation of Payee?
A name-checking system called Confirmation of Payee (CoP) prevents payments being made to the wrong bank accounts, and combat fraud.
It checks the name of the payee against the account details provided and alerts you if they don't match.
Not all banks offer it: while the six largest banking groups were forced to introduce this new system in 2020, others have been gradually introducing it.
Previously, all banks processed online transfers using the account details only and took no notice of the name entered.
This flaw causes misdirected payments if people accidentally enter the wrong digits and can be abused by criminals who impersonate trusted organisations to trick people into transferring money directly into accounts they control.
If CoP is in place, your bank checks if the full name matches the details held by the recipient's bank. If the name entered doesn't match - or only partially matches - the account details, you'll know something is wrong.
You can still choose to ignore these warnings and authorise the payment regardless, though banks make a point of stating that you do so at your own risk.
There are four possible CoP messages, though not all banks use identical wording:
Yes, exact match - the details match and you can proceed with the payment.
Partial or close match - some of the details are incorrect so look for spelling mistakes or typos.
No match - the details don't match so cancel the payment until you've made further checks
No name check - it has not been possible to check the name eg because the receiving bank doesn't offer CoP.
CoP checks payments using the Faster Payments system (including standing orders) and CHAPs (high-value payments), whether they are made online, via your mobile banking app or in a branch.
It doesn't apply to payments that are not in pounds sterling or BACS payments (including direct debits).
The most obvious benefit to CoP is that it significantly reduces the risk of you making a bank transfer to the wrong account.
Our most recent current account survey of the general public, in September 2020, found that 12% of people paid into the wrong account by accident in the past 12 months. We hope to see this figure drop when we ask again next year.
If your own bank or the receiving bank doesn't yet have CoP in place, be extra vigilant when adding payment details, particularly for large transfers.
Banks and building societies who offer Faster Payments must follow the credit payment recovery process if you do make a mistake, by contacting the receiving bank on your behalf within two days of you reporting the mistake.
As long as the recipient of the misdirected payment does not dispute your claim, you'll be refunded within 20 working days of notifying your bank.
However, there are no guarantees you'll recover the misdirected money - if the recipient claims the money is rightfully theirs, you should seek legal advice and may need to take court action against them.
It is hoped that CoP will also protect people from losing money to bank transfer fraud, also known as authorised push payment (APP) fraud.
A common tactic used by impersonation scammers is to trick victims into moving money to a 'safe' account. CoP can help 'break the spell' by highlighting when the name entered isn't as expected.
Fraudsters will try to convince targets to ignore these warnings, for example, by claiming that a business name is different because it's a related trading name, or they could set up a new business with a name that's deceptively similar to a legitimate one.
But banks will never ask you to disregard CoP warnings so it's important that customers take these messages seriously.
The payments regulator told the six biggest UK banking groups to implement CoP: Barclays, Lloyds Banking Group, NatWest Group (including RBS), Santander, HSBC (including First Direct) and Nationwide Building Society.
Monzo and Starling were the first banks to sign up for CoP voluntarily. Revolut, an e-money firm, started offering CoP checks in January 2021.
We expect banks to follow Starling's lead and reimburse any customers who lose money as a result of CoP failures.
How can you protect yourself against bank fraud?
Criminals are constantly inventing new ways to try to get their hands on your money.
Stay one step ahead by learning these seven ways to spot a scam and follow these ten tips to keep the cash in your bank account safe:
What to do if you're a victim of bank fraud
Check your account online regularly to spot any irregularities and contact your bank as soon as possible if you think you've been a victim of fraud.
Also contact Action Fraud on 0300 123 2040, or Police Scotland on 101.
Your bank is legally required to refund unauthorised transactions and restore your account to the state it would have been in had the transaction not be made unless it can prove that you've acted fraudulently or been grossly negligent.
They can't refuse to refund you based on a hunch – they must investigate properly – but banks don't always get this right.
If you're unhappy with the way your bank has dealt with your complaint, you can refer the matter to the Financial Ombudsman Service (FOS).