We have rated 15 of the biggest UK banks on the security of their online and mobile banking systems. How do your provider’s digital defences measure up?
With so much of our banking now done on our computers and smartphones, it’s important that those services are secure.
Every year, we rate the security of the online banking and mobile banking services from major banks and building societies that offer current accounts.
In our latest test, volunteers carried out a series of tasks, while a team of experts from cybersecurity firm 6point6 tested each bank’s defences.
The table below shows how 15 banks and building societies fared for the main factors we tested in September and October 2021. The percentage figures illustrate how important that area of security was to the overall test score.
All providers have processes that aren’t visible in the type of testing we carried out – we can only analyse security features available to the customer – but our tests compared banks on the following:
We looked at whether banks still support outdated versions of Transport Layer Security (TLS), the protocol that scrambles data between your browser and the bank so that only the two of you can read it (TLS 1.0 and 1.1 have been deprecated), and whether they accept weak ciphers (the algorithms used to encrypt and decrypt that data).
We also checked that best-practice security headers, such as Strict-Transport-Security and Content-Security-Policy, are in place to protect against a wide range of attacks.
And we noted where scripts (code that runs in your browser as part of the banking site) were loaded from external sources. We prefer this to be kept to an absolute minimum because, however rigorous a bank’s due diligence, a hacker who compromises the third party can change what that script does.
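To make those three checks concrete, here is an added example in Python; it is not the test method used by Which? or 6point6, and it works on data you have already captured rather than probing a live site. The protocol and cipher classification, the list of expected headers, the first-party host name and every sample input are constructed assumptions for the example.

```python
"""Offline versions of three of the checks described above: outdated TLS versions
and weak cipher suites, missing or weak security headers, and scripts allowed
from third-party origins. Example code added to this article, not the test
method used by Which? or 6point6. All inputs below are constructed."""
import re

# Assumed classification, following common scanner conventions.
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "anon")

def audit_tls(protocols, ciphers):
    """Findings for the protocol versions and cipher suites a server offers."""
    findings = [f"outdated protocol offered: {p}" for p in protocols if p in OUTDATED_PROTOCOLS]
    for suite in ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {suite}")
    return findings

# Headers a banking site is expected to send (assumed list).
EXPECTED_HEADERS = {
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "referrer-policy",
}
ONE_YEAR = 365 * 24 * 3600

def audit_headers(headers):
    """Findings for a response's headers (name -> value, names in any case).
    A weak value counts as well as a missing header."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in sorted(EXPECTED_HEADERS - set(h))]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age too short: {m.group(1)}")
    xcto = h.get("x-content-type-options", "").strip().lower()
    if xcto and xcto != "nosniff":
        findings.append(f"X-Content-Type-Options should be nosniff, got: {xcto}")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits unsafe-inline or unsafe-eval scripts")
    return findings

def external_script_origins(csp, first_party_host):
    """Sources other than the site's own host from which the CSP lets scripts
    load. Looks at script-src, falling back to default-src."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src", [])
    external = []
    for src in sources:
        if src == "*" or src.endswith(":"):       # wildcard, or any host on a scheme
            external.append(src)
        elif src.startswith("'"):                 # 'self', 'none', nonces, hashes
            continue
        else:
            host = re.sub(r"^[a-z]+://", "", src).split("/")[0].split(":")[0]
            if host != first_party_host and not host.endswith("." + first_party_host):
                external.append(src)
    return external

# Constructed sample: a server still offering TLS 1.0 and an RC4 suite, with
# a short HSTS lifetime, two headers missing and one third-party script host.
SAMPLE_PROTOCOLS = ["TLSv1.0", "TLSv1.2", "TLSv1.3"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA", "AES128-SHA"]
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; "
        "script-src 'self' https://cdn.analytics.example 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
FIRST_PARTY = "bank.example"   # assumed first-party host

if __name__ == "__main__":
    for f in audit_tls(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS) + audit_headers(SAMPLE_HEADERS):
        print("finding:", f)
    print("external script sources:",
          external_script_origins(SAMPLE_HEADERS["Content-Security-Policy"], FIRST_PARTY))
```

One caveat when reading the output: a policy that also carries nonces or hashes makes 'unsafe-inline' inert in current browsers, so that finding is a prompt to look at the full policy rather than a verdict on its own.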
A bank’s mobile app needs to be able to detect whether it’s running in a safe environment. So we tested whether apps block analysis tools such as Frida, which can hook into a running app and change its behaviour. These tools are useful to security researchers, but hackers can also use them to find vulnerabilities.
Banks were penalised if they didn’t meet the latest email security standards. These include DMARC (‘domain-based message authentication, reporting and conformance’), a record a bank publishes in its DNS that tells your email provider what to do with messages claiming to come from the bank that fail authentication checks, so that messages imitating your bank can be blocked.
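What ‘meeting the DMARC standard’ means in practice is a matter of what the published record says, so here is an added example (not code from this article or the test) that parses a record and reports whether it would actually stop a spoofed message. A real check fetches the TXT record at `_dmarc.<domain>`; the records below are constructed, not looked up from any bank.

```python
"""Parse a DMARC record and decide whether it would actually stop a message
that spoofs the bank's domain. Example code added to this article, not part
of the test described; a real check fetches the TXT record at
_dmarc.<domain>. The records below are constructed."""

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tag -> value.
    Returns None unless the record identifies itself as DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def dmarc_assessment(txt, is_subdomain=False):
    """Return (enforcing, reasons). Enforcing means a message that fails SPF and
    DKIM alignment is quarantined or rejected for all mail (pct=100); for a
    subdomain the sp= tag, when present, overrides p=."""
    reasons = []
    tags = parse_dmarc(txt)
    if tags is None:
        return False, ["no valid DMARC record (v=DMARC1 missing)"]
    if "p" not in tags:
        return False, ["no p= tag; record is invalid"]
    tag = "sp" if is_subdomain and "sp" in tags else "p"
    policy = tags[tag].lower()
    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        reasons.append(f"{tag}={policy} only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        reasons.append("pct= is not a number; treated as 100")
    if enforcing and pct < 100:
        enforcing = False
        reasons.append(f"only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        reasons.append("no rua= address, so the domain owner gets no aggregate reports")
    return enforcing, reasons

# Constructed records, not looked up from any real bank.
SAMPLE_RECORDS = {
    "reject":        "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "monitor_only":  "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "partial":       "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@bank.example",
    "subdomain_gap": "v=DMARC1; p=reject; sp=none",
    "absent":        "",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        for sub in (False, True):
            ok, why = dmarc_assessment(record, is_subdomain=sub)
            print(f"{name:14} subdomain={sub!s:5} enforcing={ok} {'; '.join(why)}")
```

The `subdomain_gap` record is the case worth noticing: the main domain is protected, but `sp=none` leaves every subdomain open to spoofing, which is exactly the gap a fraudster sending from `alerts.bank.example` would exploit.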
We also searched for bank domains or subdomains (eg computing.which.co.uk is a subdomain of which.co.uk) that shouldn’t be accessible on the internet or that use outdated – and therefore potentially vulnerable – software.
We rated banks on the information they require for you to access accounts and how easy it is to recover usernames or passwords.
We checked whether they allow you to choose insecure passwords or if they prevent the use of password managers (these help you keep track of multiple passwords securely and avoid bad practices such as using weak/common passwords).
Setting up a new payee and editing account details should require additional checks to verify it’s really you making changes.
We want banks to send notifications when details are altered to alert you to a potential breach.
We marked them down if these messages included a phone number or web link, as scammers often replicate texts and emails to trick you into calling them or entering your details on a fake website.
You should only be able to log in to your bank from one computer at a time. Banks were penalised for poor ‘session management’ if they let us access accounts from multiple browsers or computer networks at the same time – this should be flagged as a potential attack.
We also marked banks down if the browser’s forward/back buttons could still bring up account pages, for example after you had logged out, without asking you to log in again.
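The two session-management behaviours described above can be shown in a few dozen lines of server-side code. The Python below is an added example, not any bank’s implementation: one active login per customer, revocation and an alert when a session token turns up from a different network, and the cache headers that stop the back button re-displaying an account page after logout. The customer names and IP addresses are constructed.

```python
"""A minimal server-side session store with the two behaviours tested above:
one active login per customer (a new login ends the previous session, and a
token presented from a different network is treated as a possible hijack), and
the response headers that stop the browser's back button re-displaying an
account page after logout. Example code added to this article, not any bank's
implementation; the addresses are constructed."""
import secrets
import time

class SessionStore:
    def __init__(self, idle_timeout=600):
        self.idle_timeout = idle_timeout    # seconds of inactivity before re-login
        self.sessions = {}                  # token -> {"user", "ip", "last_seen"}
        self.alerts = []                    # (user, message): a real system notifies the customer

    def login(self, user, client_ip):
        """Issue a fresh token; any existing session for this user is revoked."""
        for token, s in list(self.sessions.items()):
            if s["user"] == user:
                del self.sessions[token]
                self.alerts.append((user, f"new login from {client_ip} ended the session from {s['ip']}"))
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[token] = {"user": user, "ip": client_ip, "last_seen": time.time()}
        return token

    def authorise(self, token, client_ip, now=None):
        """Return the user for a valid token, or None. An idle session expires;
        a token presented from a network other than the one it was issued to is
        revoked and an alert recorded."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            return None
        if s["ip"] != client_ip:
            del self.sessions[token]
            self.alerts.append((s["user"], f"token issued to {s['ip']} presented from {client_ip}"))
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        self.sessions.pop(token, None)

def account_page_headers():
    """Headers for every authenticated page so that, after logout, the back
    button cannot show it from the browser cache."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "Expires": "0"}

if __name__ == "__main__":
    store = SessionStore()
    first = store.login("customer1", "203.0.113.5")
    second = store.login("customer1", "198.51.100.7")   # second device: first session ends
    print(store.authorise(first, "203.0.113.5"))         # revoked by the second login
    print(store.authorise(second, "203.0.113.9"))        # wrong network: revoked, alert recorded
    print(store.alerts)
```

Binding a session to a single client address is the bluntest version of this check: a phone moving between mobile and wi-fi changes address legitimately, so a production system would combine the address with other signals and ask for re-authentication rather than silently ending the session.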
What is Strong Customer Authentication?
Banks have been told to introduce a multi-layered approach to online banking login and online card payments, under new ‘strong customer authentication’ (SCA) regulations.
This involves multiple ID checks such as providing a password plus a single-use passcode generated on a card reader or sent via text message to your mobile phone.
SCA rules for online banking have been enforced since 14 March 2020 and from 14 March 2022 the regulator will enforce requirements for online card payments.
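The article does not say which scheme any bank’s card reader or text-message code uses, so as an added example (not from Which? or any bank) the Python below uses the HOTP algorithm of RFC 4226, which many hardware tokens and authenticator apps implement, to show what ‘single-use’ means on the bank’s side: each code is derived from a shared secret and a counter, and the server accepts a given counter value at most once. The secret is the RFC’s own published test value.

```python
"""Server-side checking of a single-use passcode. The article does not say
which scheme any bank's card reader or text-message code uses; this added
example (not from the article or any bank) uses the HOTP algorithm of RFC
4226: a code is HMAC-SHA1 over a counter, truncated to six digits, and the
server accepts each counter value at most once."""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes at an offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class OtpVerifier:
    """Holds the shared secret and the next counter the server expects. A code
    matching a counter within the look-ahead window is accepted and the counter
    jumps past it, so that code (and any earlier one) can never be replayed."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); the first
# codes it produces are 755224, 287082, 359152, 969429, 338314, ...
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = OtpVerifier(TEST_SECRET)
    print(v.verify("755224"))   # accepted
    print(v.verify("755224"))   # rejected: already used
    print(v.verify("969429"))   # accepted: counter 3, within the look-ahead window
    print(v.verify("287082"))   # rejected: counter 1, now behind the server
```

The look-ahead window is what lets a customer press the button on the token a few times without using the codes; anything beyond the window, or behind the counter, is rejected, which is also why a code a fraudster talks you into reading out over the phone is only useful to them if they use it before you do.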
Why is SCA important?
Which? has long called for banks to require a second form of authentication when logging in.
It may seem heavy-handed to force customers to use a second device but passwords alone are not good enough.
Weak login details can be stolen, leaked, or easily gleaned from social media sites and if a hacker penetrated the first layer of defence, they would have access to sensitive details such as payment history and card numbers, which could make any subsequent scam attempts more convincing.
How do banks make SCA checks for banking?
What if I don’t have a mobile phone?
Should I tell my bank to ‘trust’ my device?
What is Confirmation of Payee?
A new name-checking system called Confirmation of Payee (CoP) has been introduced to prevent payments being made to the wrong bank accounts, but not all banks have implemented this vital layer of security.
The six largest banking groups were forced to introduce this new system at the point of payment, by warning customers when the account name entered doesn’t match the account details.
Smaller banks aren’t required to introduce CoP at all though the likes of Monzo and Starling implement it voluntarily. CoP was originally expected in June 2019 but multiple delays meant this wasn’t introduced until 30 June 2020.
Which? wants all banks to sign up for CoP, not just the six largest banking groups, to prevent fraudsters from targeting banks that don’t offer it, and ensure consumers see consistency among all providers.
What messages will you see?
How does CoP prevent misdirected payments?
How does CoP prevent fraud?
Which banks and building societies offer CoP?
What if CoP fails to work?
Is mobile banking safe?
The biggest threat to banking security comes from using a compromised device. And this applies whether you’re using a computer or a smartphone.
Although phones are more easily lost or stolen, you can mitigate the risk by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’ so that it can be located, locked and even wiped of data remotely if it’s lost or stolen.
It’s difficult to plant a keylogger (software that records every key you press and can steal usernames and passwords) on an Android or iOS device.
But mobile banking isn’t risk-free: fake apps can turn up in app stores and malware exists that specifically targets phones. Always download bank apps from the official app stores, which Apple and Google vet, and keep your software updated, as manufacturers and app developers usually release updates that contain security patches and new security features.
Make use of your bank’s security features too. Thanks to competition from innovative mobile-only banks Monzo and Starling, many high street banks have started to improve app security:
Smartphone users tend to keep their devices with them, so it’s a quick way to contact your bank if something goes wrong.
Instant card freezing, where you can temporarily block your card in-app without having to call or visit a branch, is now offered by all of the banks we tested except The Co-operative Bank, TSB and Virgin Money.
Freeze specific purchases
Real-time spending notifications
Phone scams – is it really your bank calling?
Telephone fraud, or vishing, is particularly sneaky. Fraudsters call up pretending to be the police or your bank’s fraud department and warn you that your account has been compromised to trick you into revealing your full password, or persuade you to move your money somewhere ‘safe’.
Some tell you to call the genuine number for your bank to ‘verify’ the call, then play a dialling tone while they stay on the line, before posing as your bank and conning you into giving them sensitive information.
They may use cheap software to make the call seem legitimate, for example, number spoofing software displays false caller-ID information to trick you into thinking that their number belongs to your bank or another legitimate business.
Criminals may also try to trick you into installing remote-access software (brand names include TeamViewer and LogMeIn) to ‘fix’ a spurious problem. This software is used by legitimate businesses, including the Which? Tech Support team and many IT support firms, but once it is installed criminals use it to get into your email and bank accounts.
Call-blocking services and phones offer some respite from unwanted calls but the easiest way to stay safe is to hang up and call back on a phone number you trust such as the number your bank provides on the back of your debit card.
At least one in four unwanted calls to your home phone are thought to be from scammers. Stay one step ahead with our tips.
Contacted out of the blue
Unsolicited calls should always be treated with caution. If you’re in any doubt, hang up, wait for a few minutes and call back on a number you trust.
No time to think
Professionals don’t pressure you into making a decision quickly, or create a sense of panic, telling you that your broadband will be disconnected or that your bank accounts are under threat.
Asked to share personal details
Your bank will never ask you to move money to a ‘safe’ account or share your full online banking password, four-digit card Pin or security codes, such as those generated on a card reader.
Asked to go to your computer
Never let someone access your computer, or other devices such as a phone or tablet, unless you know the caller and their intentions.
Asked to keep quiet
Any attempt to stop you talking about the call to someone you trust (a friend, family member or independent adviser) is a red flag. Seek support before making a decision.
How can you protect yourself against bank fraud?
Criminals are constantly inventing new ways to try to get their hands on your money.
Stay one step ahead by learning these seven ways to spot a scam and follow these ten tips to keep the cash in your bank account safe:
Treat unsolicited phone calls, letters, emails and texts with caution.
Fraudsters use pressure tactics to persuade you to share personal and financial details so don’t let anyone rush you and never share your Pin or online passwords (your bank will never ask for these in full).
2. Use a phone number you trust
If you’re in any doubt as to who’s calling, hang up. Make sure the line is clear, and then call the organisation on a phone number you trust, such as the one on the back of your payment card.
3. Use antivirus software and keep your devices up to date
Make sure your computer or laptop is protected with a good security program and antivirus software.
Keep all devices, apps and browsers up to date. Updates contain security patches for new vulnerabilities. It’s important not to carry on using an old device that’s no longer getting updates: Windows 7, for example, stopped receiving security updates in January 2020, and you are at risk if you carry on using it for online banking.
4. Create strong passwords
If you have a wireless network at home, activate the security settings on your router to prevent others from accessing it. Avoid accessing your bank account from a public computer or unsecured wireless network.
If you do use a public computer, never leave it unattended and always log out properly when you’ve finished your banking session.
Avoid clicking links and downloading attachments from emails and texts.
Phishing emails are sent by criminals posing as genuine companies such as a bank or HMRC. Clicking on a link takes you to a fake website where fraudsters steal financial or personal details.
Or, the link might install malware on your computer as another means to capture details. Thieves can steal your password by tricking you into installing a program on your computer that secretly records your password when you type.
Look for a padlock symbol in or next to the address bar in your browser and that the web address changes from starting with ‘http’ to ‘https’.
This doesn’t guarantee a site can be trusted (fraudsters can obtain a padlock for a fake site too), but it does mean the connection is encrypted, so nobody between your browser and that website can read the card details or passwords you enter.
Some sites have an extended validation (EV) certificate, which requires the company to undergo more rigorous identity checks. Again, it’s not perfect, and most browsers no longer display the company name next to the padlock, so you may need to click the padlock to see who the certificate was issued to.
8. Remove personal info from social media
Don’t leave your email address, date of birth, or phone number on sites such as Facebook and Twitter – it increases your risk of identity theft. Only accept friend requests from people you know.
Someone posing as an interesting person asking to become your friend may actually be an ID thief.
Check your privacy settings carefully and make sure only people you trust can view your profile.
Regularly check your bank account and credit card statements for suspicious transactions.
If you spot something unfamiliar, report it to your bank or card provider as soon as you can.
10. Use ATMs inside the bank
Try to shield your Pin in case there are cameras fitted by criminals above the keypad. Or, stick to in-branch machines, which are less likely to have been tampered with than one on the high street.
What to do if you’re a victim of bank fraud
Check your account online regularly to spot any irregularities and contact your bank as soon as possible if you think you’ve been a victim of fraud.
Also contact Action Fraud on 0300 123 2040.
Your bank is legally required to refund unauthorised transactions and restore your account to the state it would have been in had the transaction not been made, unless it can prove that you’ve acted fraudulently or been grossly negligent.
They can’t refuse to refund you based on a hunch – they must investigate properly – but banks don’t always get this right. Which? Money has obtained exclusive data revealing the card providers handling fraud claims poorly.
If you’re unhappy with the way your bank has dealt with your complaint, you can refer the matter to the Financial Ombudsman Service (FOS).
Best and worst banks
How do I find the best bank?
Everybody’s banking needs are different. Some with a healthy balance may want to find an account that pays them interest, others are looking for one that doesn’t charge through the nose to use an overdraft.
At Which?, we think the way your bank or building society treats you should be an essential part of finding the best account.
So, we’ve done the hard work for you. Every year, we survey thousands of current account customers and ask them to rate the service they receive. This gives us the Which? Customer Score.
We then calculate the ‘product score’ of almost 40 current accounts to find our Which? Recommended Providers (WRPs) – the banks and building societies that offer great products and top-notch customer service.
Recommended Providers
These are the current account providers which have both satisfied customers and excellent products:
Starling Bank
Starling made a strong debut in our rankings in 2019, taking second place. It had top spot with a score of 88% in 2020 and again tops the table in 2021 with a score of 85%. Starling is therefore once more named a WRP.
Customers praised its ‘helpful’ and ‘prompt’ staff as well as its mobile app for being ‘easy to use’ and ‘leagues ahead’ of other banks’. Instant notifications of payments in and out, free debit card spending abroad, and ‘saving spaces’ (virtual piggy banks) are also popular.
Although it started life as a smartphone bank, Starling launched online banking for personal customers in October 2020.
The Starling debit card is fee-free for purchases and foreign ATM withdrawals anywhere in the world, making it the cheapest debit card to take abroad.
Customers can also apply for an additional Starling ‘Connected’ card which can be loaded with up to £200 and given to someone they trust – ideal if they are unable to leave the house but need some help with the shopping.
It also offers one of the cheapest overdrafts though only for customers with decent credit scores (it charges a rate of 15%, 25% or 35% EAR dependent on your credit score though even its highest rate beats the high street banks).
First Direct
First Direct is once again a WRP in 2021, with its score increasing to 82% from 79% the previous year.
The bank also received the highest score in a separate survey where we asked customers to rate financial brands’ level of service during the first four months of lockdown (87% rated it positively).
Nearly every aspect of its service was rated five stars by customers, including online banking, the mobile banking app, complaints-handling and overall customer service.
The only low rating was for account benefits (three stars). Its standard current account ‘1st account’ doesn’t offer any cashback or credit interest. But you do get a £250 interest-free overdraft (then 39.9% EAR) and customers can open a Regular Saver paying 1% AER (was 2.75%) for a year.
First Direct shares deposit protection with HSBC so limit your deposits to £85,000 across the two brands.
Nationwide Building Society
After missing out last year, Nationwide regained its WRP status this year.
Five-star ratings were achieved for its customer service, as well as its telephone and online banking services.
Its FlexDirect current account pays 2% interest on £1,500 for a year (then pays 0.25%) and offers an interest-free overdraft for a year (then 39.9% APR). Its FlexPlus packaged account is also highly rated.
Nationwide is a building society or mutual, which means that it is owned by its members.
It’s the only WRP with a branch network, though First Direct customers can carry out some tasks at HSBC branches. Nationwide has a branch promise stipulating that if it currently has a branch in your town or city, it will still be there until at least January 2023.
Worst banks for customer satisfaction
Royal Bank of Scotland (RBS) is bottom of the table in 2021 with a score of 56%, down from 61% the previous year.
RBS recorded two-star ratings for transparency of charges and service in branch. Disgruntled customers referred to branch closures and a lack of ‘tangible benefits’. Others gave it an average rating and said it is ‘nothing special’, ‘doesn’t offer much’, or is ‘not as good as they can be’.
HSBC (57%) and TSB (59%) also scored less than 60% to form the bottom three banks along with RBS.
Accessible banking services
If you’re one of the 14.1 million people in the UK with a disability, your bank should make services as accessible as possible.
In May 2021, we surveyed 1,494 people drawn from the Which? Connect panel and the Research Institute for Disabled Consumers’ panel about their current account providers. Our unique survey revealed that while some banks go above and beyond to help disabled customers, others are barely meeting minimum standards.
First Direct came out on top of our table, with 95% of disabled customers in our survey saying they’re fairly or very satisfied with the service. Nationwide came second (87%) and was the top-rated provider with a branch network. Despite being parent bank to First Direct, HSBC received the lowest score (62%), followed by TSB (65%).
Banks have a legal obligation under the Equality Act 2010 to make reasonable adjustments for disabled customers. You should never be asked to pay for these. Some simple steps can help make life easier for disabled customers – but which banks offer them?