Internet and mobile banking security rated

Because we perform such a significant portion of our banking on our computers and mobile devices these days, it is essential that these services be safe to use.

Every year, we evaluate the security of the online and mobile banking services provided by the major banks and building societies that offer current accounts.

During our most recent test, we had a group of volunteers complete a series of tasks, and at the same time, a team of cybersecurity specialists from the company 6point6 examined each bank’s defences.

The results of our comparison of 15 banks and building societies on the most important criteria are shown in the table below. The percentages indicate how much each aspect of security contributed to the total test score.

How do we test the security of online banking?

All providers have processes that aren’t apparent in the sort of testing that we carried out, as we can only evaluate the security elements that are accessible to the user. Within that limit, our tests compared banks on the following factors:


We checked whether banks still support obsolete versions of Transport Layer Security (TLS), which scrambles data so that only you and your bank are able to read it, or allow insufficiently secure ciphers (algorithms for encrypting and decrypting data).

We also checked whether the recommended security headers had been implemented; these defend against a wide variety of attacks.

In addition, we recorded the locations from which scripts (pieces of computer code) were loaded. We would prefer this to be kept to an absolute minimum because, even though banks have stringent due diligence processes, hackers could potentially compromise third parties.
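The header and script checks described above can be reproduced offline against a saved response. The following is an added example, not the testers' own tooling: the list of headers is an assumed set of commonly recommended ones, the `integrity` check is an addition beyond what the article describes, and `bank.example` with its sample response is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of commonly recommended response headers; the article does not
# say which headers its test looked for.
RECOMMENDED = ("strict-transport-security", "content-security-policy",
               "x-content-type-options", "x-frame-options", "referrer-policy")

def missing_headers(headers):
    """Return the recommended headers absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in RECOMMENDED if h not in present]

class ScriptCollector(HTMLParser):
    """Records (src, has_integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], bool(attrs.get("integrity"))))

def third_party_scripts(html, first_party_domain):
    """Return sorted (host, has_integrity) pairs for scripts loaded off-domain."""
    collector = ScriptCollector()
    collector.feed(html)
    found = set()
    for src, has_integrity in collector.scripts:
        host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if host and host != first_party_domain \
                and not host.endswith("." + first_party_domain):
            found.add((host, has_integrity))
    return sorted(found)

# Constructed sample response for a hypothetical bank at bank.example.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.bank.example/ui.js"></script>
<script src="https://analytics.vendor.example/tag.js"></script>
<script src="//widgets.thirdparty.example/chat.js" integrity="sha384-PLACEHOLDER"></script>
"""

if __name__ == "__main__":
    print("missing headers:", missing_headers(SAMPLE_HEADERS))
    print("third-party scripts:", third_party_scripts(SAMPLE_HTML, "bank.example"))
```

A third-party script without an `integrity` attribute will run whatever the third party serves, which is the compromise risk the paragraph above describes.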

A bank’s mobile app must be able to determine whether or not it is running in a secure environment. We therefore examined whether apps are capable of blocking analysis tools such as Frida. These tools are helpful to security researchers, but hackers may also be able to use them to discover vulnerabilities.

A bank was penalised if it failed to meet the latest standards for email security. Among these is DMARC (domain-based message authentication, reporting, and conformance), which helps your email provider stop malicious messages that attempt to spoof your bank.
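How strongly a DMARC record protects a domain depends on its policy tag, which can be graded from the published TXT record alone. The following is an added example, not part of the original test: the grading labels are this example's own, the tag rules follow RFC 7489, and the domains and records are constructed.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the version tag must come first and be exactly "DMARC1".
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags

def assess_dmarc(record):
    """Return (grade, reason) for a domain's _dmarc TXT record, or for None."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ("fail", "no valid DMARC record published")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("fail", "missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return ("fail", "invalid pct= tag")
    if policy == "none":
        return ("weak", "p=none asks receivers to take no action on failing mail")
    if pct < 100:
        return ("weak", f"p={policy} applies to only {pct}% of failing mail")
    return ("ok", f"p={policy} enforced on all failing mail")

# Constructed sample records for hypothetical domains.
SAMPLES = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "spf-only.example": "v=spf1 include:_spf.example -all",
    "nothing.example": None,
}

def grade_all(samples=SAMPLES):
    """Grade every sample domain and return {domain: grade}."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in samples.items()}

if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        print(domain, assess_dmarc(rec))
```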

In addition, we searched for bank domains and subdomains (for instance, is a subdomain of that either shouldn’t be available on the internet or make use of obsolete software, both of which can leave a system open to potential security risks.


We ranked the banks based on the information you need to access your account and how simple it is to retrieve your login or password if you forget either one.

We checked whether you are allowed to choose insecure passwords and whether you are prevented from using password managers. Password managers are tools that let you manage multiple passwords safely and steer clear of risky behaviour such as using weak or generic passwords.

Passwords alone are not sufficient protection. We gave the highest possible score to banks that required customers to log in using either a card reader or the bank’s own mobile banking app. Although many companies use text messages (SMS) to send customers a one-time passcode, we consider this method to be the least secure because thieves are becoming more adept at intercepting these messages.

Management of customer accounts

Adding a new payee and making changes to your account information should both be subject to additional verification steps to ensure that the changes are being made by you, the account holder.

We want financial institutions to notify you if there is a change made to your account details so that you are aware of any potential security risks.

Because scammers frequently copy bank texts and emails in an effort to trick you into contacting them or entering your details on a bogus website, we deducted points from banks whenever their messages contained a phone number or a web link.

If banks never included numbers or URLs in their correspondence, it would be far simpler to recognise fraudulent schemes when they occurred.

Navigation and exiting the account

You should only be able to be logged in to your bank account from a single device at a time. If a bank allowed us to access our accounts simultaneously from several browsers or computer networks, it was penalised for inadequate “session management.” Simultaneous logins should be flagged as a potential attack and prevented.

Whether you could use the browser’s forward and back buttons without being prompted to log in again was another factor that we considered when ranking banks.

In our test, not all banks logged you out after five minutes of inactivity, even though this is standard practice.

In addition, we want banks to make it possible to log out with a single click rather than first requiring you to confirm your choice. Although asking for confirmation is in line with industry recommendations, we believe that it is more prudent to end the session immediately.
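The three session rules above (one live session per customer, a five-minute idle limit, and logout without confirmation) fit in a small server-side session table. The following is an added sketch, not any bank's implementation: the `SessionStore` class, its in-memory storage, and the choice to revoke the older session rather than refuse the new login are all assumptions of this example.

```python
import secrets

IDLE_TIMEOUT = 5 * 60  # seconds: the five-minute inactivity limit cited above

class SessionStore:
    """In-memory session table; `now` is passed in so the logic is testable."""
    def __init__(self):
        self._sessions = {}   # token -> {"user": str, "last_seen": float}
        self._active = {}     # user -> token of that user's one live session
        self.alerts = []      # (user, reason) events for fraud monitoring

    def _drop(self, token):
        session = self._sessions.pop(token, None)
        if session and self._active.get(session["user"]) == token:
            del self._active[session["user"]]

    def validate(self, token, now):
        """Return the user for a live token, or None if unknown or idle too long."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > IDLE_TIMEOUT:
            self._drop(token)
            return None
        session["last_seen"] = now
        return session["user"]

    def login(self, user, now):
        """Start a session; a still-live older session is revoked and flagged."""
        old = self._active.get(user)
        if old is not None and self.validate(old, now) is not None:
            self.alerts.append((user, "concurrent login"))
        if old is not None:
            self._drop(old)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        self._active[user] = token
        return token

    def logout(self, token):
        """End the session immediately, with no confirmation step."""
        self._drop(token)
```

Because every request goes through `validate`, a page reached with the back button after logout or timeout has no live token and the customer is sent back to the login screen.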

What is Strong Customer Authentication?

In accordance with the new “strong customer authentication” (SCA) laws, financial institutions have been instructed to use a multi-layered strategy for logging into online banking and making online card payments.

This requires the completion of various identification checks, such as supplying a password and a one-time passcode that was either produced on a card reader or delivered to your mobile phone through text message.

The SCA rules have been enforced for online banking since 14 March 2020, and will be enforced for online card payments from 14 March 2022.

Why is it necessary to use SCA?

We have advocated for some time for banks to demand a second form of verification whenever a customer logs in.

Requiring customers to use a second device may appear overly restrictive, but passwords alone are not sufficient security.

If a hacker were to break through the first layer of defence, they would have access to important details such as payment history and card numbers, which could make any subsequent fraud attempts more believable. Weak login details can be stolen, leaked, or easily gathered from social media sites.

What exactly does “Confirmation of Payee” entail?

Although a new name-checking mechanism known as Confirmation of Payee (CoP) was created with the intention of preventing payments from being sent to the incorrect bank accounts, not all banks have yet adopted this essential additional layer of security.

The six main banking groups were required to use this new system, which alerts customers at the point of payment when the account name supplied does not match the account details.

Although there is no requirement for smaller banks to implement CoP at all, some of them, including Monzo and Starling, have chosen to implement it voluntarily.

It was initially anticipated that CoP would be deployed in June 2019, but owing to several delays this didn’t happen until 30 June 2020.

We want all banks to sign up to CoP, not just the six largest banking groups, to prevent fraudsters from targeting banks that don’t provide it and to guarantee that customers see consistency across all providers. The six largest banking groups are already participating in CoP.

Is mobile banking safe?