Bank security flaws put consumers at risk from fraud, Which? finds

Basic security flaws on some of the biggest banks’ websites and apps are putting consumers at increased risk of falling victim to fraud, Which? research has found.

The consumer champion’s tests found several banks were missing basic online and app protections.

The research comes after 29,102 cases of remote banking fraud were reported to industry body UK Finance in the first half of 2022. This involves unscrupulous scammers gaining access to consumers’ bank accounts via their internet, telephone or mobile banking and making an unauthorised transfer of money from the account.

Which? tested the customer-facing security systems of 13 current account providers from September to November 2022, with help from independent security experts at Red Maple Technologies. The banks were scored across four key categories – login, navigation and logout, account management and encryption – for both their online banking security and app security.

Among other issues, banks were marked down for not adequately blocking weak passwords, sending one-time passcodes or other sensitive information via text messages, which is the least secure approach, and failing to log customers out after five minutes of inactivity.

They also lost points for allowing access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyber attack, and for sending customers notifications that include a phone number or web link. The latter can be a gift to scammers who often replicate texts and emails to trick people into calling them or entering their details on a fake website.

Virgin Money got the lowest total scores for online (52%) and app (54%) banking. Virgin Money’s poorest scores for online banking were in the navigation and logout and account management categories – it got two stars out of five for both. It also scored just two stars for the encryption on its app.

Red Maple Technologies found six outdated Virgin Money web applications which had potential vulnerabilities. The bank noted minor vulnerabilities on three and said these will be corrected. Virgin Money did not adequately block insecure passwords and remove phone numbers from notifications. Worryingly, there were no security checks to pay someone new, change an email address or edit the details of a payee. Which? also found issues with website session management, though the bank said it plans to improve this in early 2023, following Which?’s tests.

Which? had several concerns when it came to TSB, which scored 57% for its app, the second lowest, but got a slightly higher score of 66% for its online offering. It still asks basic security questions such as ‘name your favourite food’ to recover login details. It also failed to block insecure passwords and only requires six characters – banks should encourage much longer passwords. Red Maple Technologies found a potentially vulnerable subdomain, which TSB said will be removed in 2023, and two outdated web applications.

TSB also lost points for using SMS-based security, not sending alerts when sensitive account changes were made and including phone numbers in new-payee notifications. TSB said it is reviewing alerts and password complexity as part of its digital strategy. The bank told Which? that it has now removed phone numbers from all SMS alerts, except for one which is due to be removed in February.

Starling came out top for online banking security (82%), although its high-scoring app (80%) is also key to security – it is used to authorise online logins and instant alerts of any sensitive activity. Starling scored five stars in almost every category.

Which?’s top scorer for online banking security last year, HSBC, performed well once again this year – it followed closely behind Starling with a score of 80% for online banking while its app had the highest score of 82%.

While Which? found fewer issues with Nationwide’s app security (67%), it had the second lowest score for online banking security at 63%. Which? thinks it should notify users of sensitive changes to contact details, password changes and new payees – although Nationwide said it is looking to offer this in the future.

The banks included in the research also have behind-the-scenes systems that Which? and Red Maple Technologies were not able to test.

Which? believes the banking industry must improve its cyber defences against scammers, who are becoming increasingly sophisticated in their methods.

The consumer champion wants improvements that would see weak passwords blocked and also believes that sensitive data should not be sent via SMS text messages as these can be intercepted.

If the worst happens and consumers do fall victim to remote banking fraud, in many cases they will be entitled to a refund from their bank.

Sam Richardson, Which? Money Deputy Editor, said:

“Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.

“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”


Notes to editors

  • The full table of results for online and app banking security can be found here.

  • Which? rated banks across four categories. Login (30%), encryption (30%), account management (25%), navigation and logout (15%).

Five tips to help you bank safely online

Here’s how consumers can help stop criminals in their tracks:

1. Don’t click on links

If you receive unexpected emails, texts, WhatsApp or any other type of message, don’t click on the hyperlinks they contain.

Criminals posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.

Don’t download attachments or call phone numbers either. If you need to get in touch with your bank, call it on a trusted number, such as the one on your debit card.

2. Use up-to-date security software

This means downloading antivirus software on your computer, phone and any other devices you have.

It’s also important to download and install the latest updates for the device itself. Updates contain security patches for new vulnerabilities, so don’t use an out-of-date device.

3. Protect your mobile

Go into the settings to ensure your phone auto-locks after a short period of inactivity.

While you’re in there, disable lock screen notifications, to prevent criminals seeing incoming texts, which could include bank codes for accessing your account.

You can also add a Pin to your Sim card, to prevent it being accessed.

4. Check your privacy settings on social media

Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank.

Only accept friend requests from people you know.

5. Replace default passwords on your home router

This will prevent anyone else accessing it. You should also avoid banking on unsecured wireless networks or public computers.

If you do use a public computer, never leave it unattended and always log out when you’re finished.

Right of replies

A spokesperson for Nationwide said: ‘Nationwide takes the security of its members and their money very seriously. We are never complacent and conduct regular testing of our systems to ensure that we maintain an appropriate level of protection, whilst ensuring a positive user experience. We will take the points raised by Which? on board as we continue to evolve our digital services.’

A spokesperson for TSB said: ‘We continue to invest in our online and mobile services – and work with globally-leading tech firms to deliver both security and accessibility to our customers. TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.’

A spokesperson for Virgin Money said: ‘The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.’

About Which?

Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.

The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at

Press Release