Best UK banks for online and mobile security revealed

Security weaknesses at some UK banks could leave customers exposed to scammers, a new Which? investigation has found.

The consumer group tested banking website and app security across four key criteria — login procedures, security best practice, account management and navigation and logout — and these were then amalgamated to give a total score.

It was not able to test banks’ back-end security systems, but with the data gathered it was able to rate the best and worst firms for keeping customers safe.

This comes as more Brits are using mobile banking at record levels and as criminals view this as a gateway to people’s personal finances.

According to UK Finance’s most recent half-year fraud report, losses from mobile banking fraud rose 17% to £18.7m in the first six months of 2023 — the biggest recorded increase since it began collecting data on this fraud type in 2015. The number of cases shot up by 32% to 8,078, also the highest total recorded.

Read more: How to avoid tax creep in retirement

Which? said on Wednesday that while all firms do use multi-layered security, which helps reduce the likelihood of major security breaches, some firms fell short of the high standards customers should expect.

At the top of the pile for online security were Starling and NatWest/RBS (NWG.L), with both posting a total score of 87%. While both firms scored four stars for login security online, they both posted a full five stars for security best practices, account management and navigation.

The best-performing bank for mobile app security was HSBC (HSBA.L), with a total score of 78%. HSBC posted solid scores for its app and website and, unlike many of its high street rivals, it does not rely on SMS for login. Researchers also found no issues with logout or navigation.

Meanwhile, Barclays (BARC.L) finished second in the mobile app rankings, with a score of 74%. However, it is still yet to fix the website management issues Which? identified last year, including letting users access accounts from multiple browsers, IP addresses or devices at the same time.

Read more: 5 ways to get help with childcare costs

On the opposite end of the scale, TSB scored 54% for its mobile app security and 67% for its online security, the lowest and second-lowest scores, respectively. The firm was the only one to score just two stars for online account management and two stars for security best practices for its app.

The most serious problem the security best practice tests discovered was a ‘medium-risk’ issue on the TSB app. Its improper handling of sensitive data meant that it could be read by other apps running on the phone. The app stores users’ credentials in an insecure manner, making it more likely that other apps could access them.

Watch: What is a recession and how do we spot one?

TSB told Which? that the matter was under review and a fix would be ‘considered in the future’. However, given the level of risk here, Which? would expect a stronger response.

Researchers also uncovered encryption issues with outdated versions of third-party libraries – the library of computer code used by apps and websites – and a weakness related to support for devices running Android 8.0 and below, while TSB also specifically asks users to ‘trust’ a device but then offers no way to ‘distrust’ it afterwards.

The bank also sent a phone number in an SMS alert, which could be replicated by scammers. TSB said: "We have removed phone numbers from the vast majority of SMS alerts with this alert being the final in the plan for updating to remove the phone number."

Which? also uncovered problems with The Co-operative Bank’s security measures. The bank came bottom of the online security table, with a score of just 61%. It got three stars for account management and navigation.

Read more: Best savings accounts offering above inflation rates

Lloyds (LLOY.L) was the only bank that failed to log out website users after five minutes of inactivity, despite this being a regulatory requirement. The bank told Which? that this makes things easier for vulnerable customers.

“With many people increasingly banking online or on their phones, it’s crucial that the banks we trust with our money have security protections that are up to scratch," Sam Richardson, deputy editor of Which? Money, said.

“While our investigation found no major security issues, there were some areas of concern that we think the banks in question need to urgently address so that sophisticated scammers can’t use loopholes to target innocent victims.

“With fraudsters still relentless in their pursuit of our money and a general election looming, the next government must make fighting fraud a national priority, with a fraud minister installed to work across multiple government departments.”

Watch: How does inflation affect interest rates?

Download the Yahoo Finance app, available for Apple and Android.