Which banks have the best online and app security?

Which? reveals the most secure homes for your money, whether you bank online or via an app

Banks should deliver the very highest standards in cybersecurity but we've found some providers are being left behind. 

With help from a team of independent security experts at Red Maple Technologies, we looked for potential holes in the defences of 13 current account providers, to rate their online and mobile banking security. 

Hacking into a bank account is no mean feat. Although millions of us bank online, just 29,102 cases of remote banking fraud were recorded in the first six months of last year, which includes victims tricked into handing over login details.

However, our investigation found several banks missing basic online and app protections. Read on to see which banks excelled and which caused us concerns.

How did we test banks' defences?

Although all banks and building societies have behind-the-scenes systems that we couldn’t test, we assessed their online and mobile banking security across four key categories: login; encryption; account management; and navigation and logout.

Banks were marked down for not adequately blocking weak passwords and falling back on SMS-based security, which is vulnerable to Sim-swap attacks. Nationwide, NatWest, Santander, The Co-operative Bank and TSB all dropped points in this year's analysis for using SMS to verify customers at login. 

We delved into the software used by banks and tested whether they set best-practice security headers, which help keep your web browser secure and block threats such as clickjacking.
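The header check described above can be automated. The following is an added example, not code from Which? or Red Maple Technologies: it takes a mapping of response header names to values (for instance the `headers` attribute of a `requests` response) and reports which of the usual best-practice headers are missing or weak, treating either an `X-Frame-Options` of `DENY`/`SAMEORIGIN` or a CSP `frame-ancestors` directive as clickjacking protection. The two sample header sets are constructed and are not any bank's real responses.

```python
"""Audit an HTTP response's security headers (CSP, anti-clickjacking, HSTS,
nosniff, Referrer-Policy). Added example; sample headers are constructed."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def _csp_directives(value: str) -> Dict[str, str]:
    """Parse "default-src 'self'; frame-ancestors 'none'" into {directive: sources}."""
    out: Dict[str, str] = {}
    for chunk in value.split(";"):
        parts = chunk.strip().split(None, 1)
        if parts:
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out


def _hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS header, or -1 if absent or unparseable."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return -1
    return -1


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp: Optional[Dict[str, str]] = None
    if "content-security-policy" in h:
        csp = _csp_directives(h["content-security-policy"])
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "default-src" not in csp and "script-src" not in csp:
        findings.append("Content-Security-Policy does not restrict script sources")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", "")):
        findings.append("Content-Security-Policy allows inline scripts")

    # Clickjacking: CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN.
    xfo = h.get("x-frame-options", "").strip().upper()
    if not (csp and "frame-ancestors" in csp) and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(h["strict-transport-security"]) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is below one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("missing or permissive Referrer-Policy")

    return findings


# Constructed sample responses (not real bank headers).
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://partner.example",  # obsolete value, ignored by browsers
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs) or "all checks passed")
```

Run against your own site by passing `requests.get(url).headers` to `check_security_headers`; the findings list is what to raise with the web team, and the HSTS one-year threshold is the common recommendation rather than a hard standard.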

We looked at whether bank websites and apps support outdated versions of Transport Layer Security (TLS) or use weak ciphers. And we searched for website domains or subdomains that shouldn’t be accessible on the internet or that use outdated software, as this can potentially allow attackers to exploit unpatched security issues.
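The TLS part of that assessment comes down to two questions: which protocol versions does the server still accept, and which cipher suites. Below is an added example, not Which?'s or Red Maple's tooling, that rates cipher suites given in OpenSSL notation (the format `openssl ciphers` and most scanners emit) and summarises a scan result; the `SAMPLE_SCAN` dictionary is constructed. `negotiated()` uses only the standard library to show what your own client actually agrees with a host and is there for checking a site you operate.

```python
"""Rate TLS versions and cipher suites from a scan result. Added example;
the sample scan is constructed. Cipher names are OpenSSL-style
(ECDHE-RSA-AES128-GCM-SHA256) or TLS 1.3 names (TLS_AES_256_GCM_SHA384)."""
import re
import socket
import ssl
from typing import Dict, List, Tuple

DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Primitives that are broken or deliberately weakened; any suite naming them is weak.
BROKEN = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON")


def assess_cipher(name: str) -> Tuple[str, List[str]]:
    """Return ('weak' | 'legacy' | 'strong', reasons) for one cipher suite name."""
    upper = name.upper()
    reasons = [f"uses {p}" for p in BROKEN if p in upper]
    if reasons:
        return "weak", reasons
    if upper.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "strong", []  # TLS 1.3 suites: AEAD and forward secrecy by design
    if not re.match(r"^(ECDHE|DHE)[-_]", upper):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if not any(m in upper for m in ("GCM", "CHACHA20", "CCM")):
        reasons.append("CBC mode, not AEAD")
    return ("legacy", reasons) if reasons else ("strong", [])


def assess_scan(scan: Dict[str, List[str]]) -> List[str]:
    """Findings for {protocol version: [accepted ciphers]}; empty list means clean."""
    findings: List[str] = []
    for version, ciphers in scan.items():
        if version in DEPRECATED_VERSIONS and ciphers:
            findings.append(f"{version} is still accepted")
        for cipher in ciphers:
            rating, reasons = assess_cipher(cipher)
            if rating != "strong":
                findings.append(f"{version} {cipher}: {rating} ({'; '.join(reasons)})")
    if not scan.get("TLSv1.3"):
        findings.append("TLSv1.3 not offered")
    return findings


def negotiated(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """(protocol version, cipher) that a default Python client settles on with host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed scan output for a server that still accepts TLS 1.0 and 3DES.
SAMPLE_SCAN = {
    "TLSv1": ["AES128-SHA"],
    "TLSv1.1": [],
    "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "DES-CBC3-SHA"],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for finding in assess_scan(SAMPLE_SCAN):
        print(finding)
```

The distinction between `weak` and `legacy` is deliberate: a suite using RC4 or 3DES is a finding on its own, while a CBC suite without forward secrecy is something to retire rather than an immediate exposure, which is the priority order you would want in a report.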

Top-rated banks

Starling: Online 82%, App 80%

Starling came out top for online banking, although its (also high-scoring) mobile app is key to security – it's used to authorise online logins and provides instant alerts of any sensitive activity.

Account changes can only be made from a device that has been through stringent checks and requires a ‘selfie video’ that matches your existing identification videos and documents, although we would prefer Starling to send notifications when email addresses and phone numbers are changed. 

You can ‘untrust’ devices via Starling’s app at any time. The bank told us it uses industry-standard methods to detect rooted (ie more vulnerable) devices, but we were able to bypass these protections in our test. 

We also think the passcode should be longer, as it’s only four digits, whereas many banks require at least six. And while Starling does check for common passwords, it didn’t stop us using a pattern or sequence of numbers.

Starling is also a Which? Recommended Provider of current accounts.

HSBC: Online 80%, App 82%

Our top scorer for online banking security last year, HSBC has performed excellently again this year. 

Unlike its subsidiary, First Direct, HSBC has ditched weak security questions for recovering login data, and you no longer need a password to log in to the website. Instead, you have a username and an OTP generated via the Secure Key device on the HSBC app. 

HSBC supports the latest encryption standards for both its app and website although, like First Direct, it's missing the content security policy header. Red Maple also highlighted an insecure HSBC Student website and two web applications that shouldn’t be exposed online.

Bottom-rated banks

TSB: Online 66%, App 57%

We had several concerns when it came to TSB. It still asks basic security questions, such as ‘name your favourite food’, to recover login details. 

TSB also failed to block insecure passwords and only requires six characters – banks should encourage longer phrases. 

Red Maple found a potentially vulnerable subdomain (the bank said this will be removed in 2023) and two outdated web applications. TSB told us it uses industry-standard software to detect analysis tools, but its app didn’t exit – a requirement to get a top score – when we used ours. 

It also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications. 

TSB is also reviewing alerts and password complexity as part of its digital strategy. Following our research, it removed phone numbers from all SMS alerts, except for one which is due to be removed this month. 

A spokesperson for TSB said: 'We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.'

Virgin Money: Online 52%, App 54%

Virgin Money got the lowest scores for online and app banking. 

Red Maple found six outdated web applications (the bank noted minor vulnerabilities on three and said these will be corrected), an exposed IP address – which is under review – and a subdomain using an outdated version of TLS (we were told this should be addressed in early 2023).

The app didn’t appear to detect our analysis tool or a rooted phone, although the bank said it uses internal controls to protect customers. 

We want it to block insecure passwords and remove phone numbers in notifications; Virgin Money said both are an ‘agreed position that balances security with customer experience’. 

Unusually, there were no security checks to pay someone new, change an email address or edit the details of a payee, though it does send notifications for changes to personal details and passwords.

A spokesperson for Virgin Money said: ‘The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.’

Jargon buster  

Ciphers Instructions for encrypting and decrypting data. 

Clickjacking When a user is tricked into clicking on unseen parts of a webpage. 

Domain/subdomain Different parts of a website. For example, computing.which.co.uk is a subdomain of the which.co.uk domain. 

IP address Used to identify computers when connected to a network or the internet.

Multi-factor authentication (MFA) Identity checks using at least two of three factors: ‘inherence’ (eg fingerprint, face or voice recognition); ‘possession’ (a device that you own); or ‘knowledge’ (your passwords, Pin, etc). 

One-time passcode (OTP) Unique, temporary security code, often generated by a physical device such as a card reader or mobile app. 

Security headers These protect against a range of cyberattacks by telling your browser how to behave when it communicates with the website. 

Transport Layer Security (TLS) The protocol that scrambles (encrypts) communication between your browser or app and your bank's servers, so only you and your bank can read it.

Five tips to help you bank safely online

Banks need to address vulnerabilities in their security – but their greatest vulnerability could be you.

Here's how you can stop criminals in their tracks:

1. Don't click on links

If you receive unexpected emails, texts, WhatsApp or any other type of message, don't click on the hyperlinks they contain.

Criminals posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.

Don't download attachments or call phone numbers either. If you need to get in touch with your bank, call it on a trusted number, such as the one on your debit card.

2. Use up-to-date security software

This means downloading antivirus software on your computer, phone and any other devices you have.

It's also important to download and install the latest updates for the device itself. Updates contain security patches for new vulnerabilities, so don't use an out-of-date device.

3. Protect your mobile

Go into the settings to ensure your phone auto-locks after a short period of inactivity.

While you're in there, disable lock screen notifications, to prevent criminals seeing incoming texts, which could include bank codes for accessing your account.

You can also add a Pin to your Sim card, to prevent it being accessed.

4. Check your privacy settings on social media

Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank.

Only accept friend requests from people you know.

5. Replace default passwords on your home router

This will prevent anyone else accessing it. You should also avoid banking on unsecured wireless networks or public computers.

If you do use a public computer, never leave it unattended and always log out when you're finished.