Banks exposing customers to fraud risk through online security flaws, Which? reveals

Which? has uncovered worrying flaws in online banking security systems that could leave customers exposed to fraud, with some banks failing to use the latest protections for their websites and allowing users to set insecure passwords.

With cases of internet banking fraud up 97 per cent in the first half of 2021, the consumer champion is concerned too many banks are still neglecting important security protections.

Which? conducted an investigation with independent security experts 6point6, testing the online and mobile app security of the 15 largest current account providers on a range of criteria including encryption and protection, login, and account management and navigation.

Metro Bank received the lowest score for online security in Which?’s testing, with an overall score of just 53 per cent. It was joined in the bottom three by Virgin Money (56%) and TSB (59%).

Banks must now carry out extra checks to verify customer identity as passwords can be easily guessed or stolen, but Which? found security flaws at several banks during the login process.

Triodos Bank allows customers to set insecure security words, including ‘password’, ‘1234567’ and ‘admin’. The risk is mitigated by two-factor authentication at login (using its physical ‘Digipass’ device), but there is no excuse for a bank to allow such weak credentials.

Six banks (HSBC, NatWest, Santander, Starling, The Co-operative Bank, and Virgin Money) let you choose passwords that include your first name and/or surname. Santander told Which? this is being phased out and NatWest and Virgin Money said they might increase password limitations after the investigation.
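The two password weaknesses described above (well-known values such as ‘password’, ‘1234567’ and ‘admin’, and passwords that contain the customer’s own first name or surname) are straightforward to reject at the point where a password is set. The following is an added example of such a check, not code from Which?, 6point6 or any of the banks named; the block list, the minimum length of 12 and the sample customer names are constructed for the demonstration.

```python
"""Password-setting policy check: rejects well-known weak values (also when written
with digit-for-letter substitutions) and passwords containing the customer's name.
Added example; the block list below is a tiny constructed stand-in for a real
breached-password list."""

import re
import unicodedata

# Constructed block list (a real deployment would use a large breached-password list)
COMMON_PASSWORDS = {"password", "1234567", "12345678", "admin", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed policy value, not a figure from the article


def _normalise(value: str) -> str:
    """Lower-case and strip accents so 'José' still matches 'jose' inside a password."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def _leet_fold(value: str) -> str:
    """Fold common digit/symbol-for-letter substitutions: 'p4ssw0rd' -> 'password'."""
    return value.translate(str.maketrans("401357$@!", "aoleatsai"))


def check_password(password: str, first_name: str, surname: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    plain = _normalise(password)
    folded = _leet_fold(plain)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Exact hits on either form, plus longer block-list words buried inside the password
    # (so 'mypassword2021' is caught as well as 'password').
    exact_hit = plain in COMMON_PASSWORDS or folded in COMMON_PASSWORDS
    buried_hit = any(w in folded for w in COMMON_PASSWORDS if len(w) >= 6 and w.isalpha())
    if exact_hit or buried_hit:
        problems.append("matches a commonly used password")

    # Any part of the customer's name of three or more letters appearing in the password
    # (hyphenated or double-barrelled names are split into their parts).
    for label, name in (("first name", first_name), ("surname", surname)):
        for part in re.split(r"[\s\-']+", _normalise(name)):
            if len(part) >= 3 and part in folded:
                problems.append(f"contains the customer's {label}")
                break

    return problems


if __name__ == "__main__":
    # Constructed customer record and candidate passwords
    for candidate in ("password", "1234567", "P4ssw0rd-Jenny-2021!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate, 'Jenny', 'Ross') or 'accepted'}")
```

The folding step matters in practice: a check that only compares the literal string accepts ‘P4ssw0rd’ while rejecting ‘password’, which gives customers a false sense that the substituted form is strong.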

TSB, Lloyds, Metro, Nationwide, Santander and The Co-operative Bank also all still use SMS texts to verify you when you log in, leaving messages at risk of being hijacked by cybercriminals. Santander and The Co-operative Bank told Which? that they are looking to move away from SMS.

Which? identified potential weaknesses in subdomains of Metro Bank’s website which could allow hackers to compromise the server. Testers found similar issues with First Direct and Lloyds. First Direct addressed the vulnerability as soon as Which? reported it and Lloyds said its subdomain was in the process of being decommissioned and ‘poses no security risk’.

Testers also found two security headers missing from Metro Bank’s website. These are important as they protect against a range of cyberattacks by telling your browser how to behave when it communicates with the website.
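The article does not say which two headers were missing. As an added example (not the Which?/6point6 test harness), the check below audits a site’s response headers for the common browser-protecting headers and flags ones that are present but too weak to help, such as an HSTS lifetime of a few minutes or a CSP that still permits inline scripts. The two sample responses are constructed for the demonstration and are not captured from any bank.

```python
"""Audit HTTP response headers for missing or weak browser-security headers.
Added example; the GOOD/WEAK responses below are constructed, not real bank headers."""

from __future__ import annotations

ONE_YEAR = 31536000


def _hsts_ok(value: str) -> bool:
    """Require a max-age of at least one year so browsers keep forcing HTTPS on return visits."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val) >= ONE_YEAR
    return False


def _csp_ok(value: str) -> bool:
    """A script-src (or default-src) that allows 'unsafe-inline' or '*' gives little XSS protection."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src")
    if not sources:
        return False
    return not any(tok in {"'unsafe-inline'", "*"} for tok in sources)


# header name -> (what it protects against, predicate the value must satisfy)
REQUIRED = {
    "strict-transport-security": ("forces HTTPS on return visits", _hsts_ok),
    "content-security-policy": ("limits where scripts may load from", _csp_ok),
    "x-frame-options": ("blocks clickjacking via framing",
                        lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}),
    "x-content-type-options": ("stops MIME-type sniffing",
                               lambda v: v.strip().lower() == "nosniff"),
    "referrer-policy": ("keeps URLs out of third-party Referer headers",
                        lambda v: v.strip().lower() in {"no-referrer", "same-origin",
                                                        "strict-origin",
                                                        "strict-origin-when-cross-origin"}),
}


def audit_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: finding} for each missing or weak header; an empty dict means all pass."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, (purpose, ok) in REQUIRED.items():
        if name not in lowered:
            findings[name] = f"missing ({purpose})"
        elif not ok(lowered[name]):
            findings[name] = f"present but weak: {lowered[name]!r}"
    return findings


# Constructed sample responses
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, response in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_headers(response) or "all security headers present and strong")
```

Against a live site the headers would come from a normal HTTPS response to the login page; the audit logic is the same. Note that a CSP `frame-ancestors` directive can stand in for `X-Frame-Options` on modern browsers, so a stricter version of this check would accept either.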

Which? found that Nationwide, TSB and Virgin Money were failing to use software that ensures spoof messages sent by potential scammers are blocked or quarantined by your email provider. TSB told Which? it has since introduced this protection. Virgin Money said this is in the works. Nationwide said it operates ‘a range of email security controls’ to protect members.
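The article does not name the mechanism, but having spoof messages “blocked or quarantined by your email provider” is the behaviour of a published DMARC policy of `p=reject` or `p=quarantine`; treating that as the control being described is an assumption. The following added example (not code from Which? or any bank) classifies a domain’s DMARC record into the states a defender cares about: missing, invalid, monitoring only, partially enforced, or enforcing. The record strings are constructed.

```python
"""Classify a DMARC TXT record by how much protection it actually gives.
Added example; the sample records below are constructed and use a placeholder domain."""

from __future__ import annotations

ENFORCING_POLICIES = {"quarantine", "reject"}


def parse_dmarc(txt_record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a {tag: value} dict (tags are case-insensitive)."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_record: str | None) -> dict[str, object]:
    """Return a summary: status plus the effective policy, subdomain policy and percentage.

    status is one of: 'missing', 'invalid', 'monitor-only', 'partial', 'enforcing'.
    """
    if not txt_record or not txt_record.strip():
        return {"status": "missing", "policy": None, "subdomain_policy": None, "pct": 0}

    tags = parse_dmarc(txt_record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in {"none"} | ENFORCING_POLICIES:
        return {"status": "invalid", "policy": policy or None, "subdomain_policy": None, "pct": 0}

    # sp defaults to p; pct defaults to 100 and only applies to quarantine/reject.
    subdomain_policy = tags.get("sp", policy).lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    pct = max(0, min(pct, 100))

    if policy == "none":
        status = "monitor-only"  # reports are collected but spoofed mail is still delivered
    elif pct < 100 or subdomain_policy == "none":
        status = "partial"  # some spoofed mail (or all mail from subdomains) still gets through
    else:
        status = "enforcing"

    return {"status": status, "policy": policy, "subdomain_policy": subdomain_policy, "pct": pct}


# Constructed sample records (example.test is a placeholder domain)
SAMPLES = {
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test",
    "partial": "v=DMARC1; p=quarantine; pct=20",
    "subdomains-open": "v=DMARC1; p=reject; sp=none",
    "not-dmarc": "v=spf1 -all",
    "absent": None,
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:15} -> {classify_dmarc(record)['status']}")
```

In practice the record is fetched as the TXT record at `_dmarc.<domain>` with any DNS resolver; the classification above is then applied to whatever comes back. Only the `enforcing` state delivers the blocking or quarantining the article refers to; `monitor-only` records are common and protect nobody.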

At the other end of the table HSBC came out on top, with a score of 81 per cent. It was the only bank to score five stars for both website encryption and account management. It was rated A+ for cipher strength because it supports the latest encryption standards.

Which? also asked 6point6 to test each provider’s banking app to identify potential flaws. Monzo was the lowest-scoring app it tested by some margin. It is the only provider that does not ask you to log in every time. It said this is a ‘conscious design decision to strike a balance between risk and customer experience’.

Lloyds, Nationwide, Santander, and TSB dropped points because online and mobile banking require the same login credentials – Which? would prefer banks to ask for app-specific passcodes.

While online banking is a largely safe way to manage money, scammers are upping their game and the industry needs to keep pace.

That is why Which? is calling for banks to work much harder to upgrade online security so they are providing high levels of protection for customers.

If a fraudster does breach your bank’s defences and you lose money as a result, you have a legal right to a refund from your bank – unless it can demonstrate that you were ‘grossly negligent’ – in other words, unusually careless with your security details.

Jenny Ross, Which? Money Editor, said:

“Banks must lead the battle against fraud, yet our security tests have revealed worrying flaws when it comes to keeping people safe from the threat of having their account compromised.

“Our research reinforces the need for banks to up their game on tackling fraud by using the latest protections for their websites and not allowing customers to set insecure passwords. We also want banks to stop sending sensitive data to customers via SMS texts as this could leave the door open to fraudsters.”

Notes to editors

Which? worked with independent security experts 6point6 to rate the largest current-account providers on four main criteria: encryption and protection, login, account management and navigation.

Every bank and building society has behind-the-scenes security processes – it isn’t possible for Which? to test these legally. For more information on Which?’s testing visit (Please note this guide will be updated on Tuesday, 11th January)

Results table

Advice to protect yourself

1. Don’t click links or call phone numbers included in unexpected emails and texts. Contact your bank directly using known contact details.

2. Use up-to-date security software, including antivirus, on any device you use for banking.

3. Activate security on your home router to prevent others from accessing it and avoid accessing your account from a public computer or unsecured wireless network.

4. If you do use a public computer, never leave it unattended and always log out when you’ve finished your banking session.

5. Check your privacy settings on social media platforms such as Facebook and Twitter. Remove personal info such as email, date of birth and phone number as this increases your risk of identity theft.

6. Scan your statements for suspicious transactions and report anything unfamiliar to your bank.

Right of replies

A Barclays spokesperson said: “We have no greater priority than keeping our customers’ funds and personal data safe and as more of us bank digitally, it’s crucial that the public can trust their online and mobile banking. This is why we continue to work tirelessly to ensure the Barclays App and online banking are secure from the threat of fraudsters.”

A Co-operative Bank spokesperson said: “We continually review the controls we have in place to maintain secure banking for our customers, supported by a programme of continuous improvement to enhance our processes and maximise the protection of our digital services in line with technological advancements.”

An HSBC Group spokesperson said: “HSBC and First Direct are committed to protecting customers’ finances and personal data. We deploy advanced cybersecurity controls and identify and respond to threats in a timely manner to ensure a seamless customer experience. We take on board customer feedback and are constantly reviewing and enhancing security measures.”

A Lloyds Banking Group spokesperson said: “Keeping our customers’ money and data safe is our priority and we have robust, multi-layered security across online and mobile banking services to protect against cyber security threats. We employ world-class experts in the cyber-security field, who work to deliver the right balance of online security measures, customer experience and accessibility. We continuously evolve and invest in our safeguards and have fully decommissioned the legacy Lloyds Bank sub-domain referenced.”

A Metro Bank spokesperson said: “Like all financial institutions we need to remain vigilant to protect our systems and security. In addition, we work with other banks collectively to help guard against fraud. We take our customers’ security extremely seriously and have a range of safeguards in place across all channels to help defend them against fraud. As well as the controls which are visible, we have controls in the background which support our customer journeys and provide invisible protection. We are continually evaluating and evolving our controls to prevent fraud.”

A Monzo spokesperson said: “We strongly disagree with this assessment. Given every sensitive action or payment requires a customer to provide extra authentication in the form of a PIN or biometrics, the risk associated with remaining logged into the Monzo app is extremely low. We take security incredibly seriously and focus on policies and practices that we consider to be safest for Monzo customers.”

A Nationwide spokesperson said: “Security is of paramount importance to Nationwide, and we must balance this with ensuring we are delivering the best user experience when members use our digital services. We employ round the clock defences to monitor our systems and look out for suspicious activity, and we continue to invest in our services to ensure we continue to protect our members and their money.”

A NatWest Group spokesperson said: “Security continues to be a high priority for NatWest Group to keep our customers and the bank safe. We continue to invest in our digital security capabilities, leveraging market leading technologies – for example, multi-factor authentication and our work on biometrics – to deliver simple and secure banking services for our customers.”

A Santander spokesperson said: “Security is a top priority for all at Santander and we continue to invest a great deal in keeping our customers safe.”

A Starling Bank spokesperson said: “Unlike the incumbent banks, which require customers to use hardware security tokens to make a payment, we have built the same security technology into our app and systems, to give customers an easy to use, secure, seamless experience.”

Gareth Griffiths, head of retail banking at Triodos Bank UK, said: “We take our responsibility to ensure that our customers are protected against the many different current fraud and security threats very seriously. Since Which? undertook this analysis we have rectified the error in automatic log out on our online banking and – while we already have Confirmation of Payee set up for inbound payments – it will also be functional for our customers’ outbound payments very shortly. While our focus as a bank is on sustainability and ethics, we are also committed to providing a great customer experience and offering award-winning customer service.”

A TSB spokesperson said: “We continue to invest in strengthening online and mobile protection for customers and have introduced a number of features recently which aren’t captured in these results. Additionally, TSB tracks well across the industry on fraud with lower than average fraud losses. In contrast to the wider industry, we are the only bank that offers a guarantee to refund our customers should they ever fall victim to bank fraud.”

A Virgin Money spokesperson said: “The safety and security of our banking services is our top priority and we are continually monitoring, assessing and improving our security controls.”

About Which?

Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.

The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at
