Consumer champion Which? and Red Maple Technologies, a security firm, tested the customer-facing security systems of 13 bank account providers at the end of last year. Banks were assessed based on the login, navigation and logout, account management and encryption, across both their online banking and apps.

The worst banks for customer security

Virgin Money was the worst performer, scoring just 52% for its online banking and 54% for its app banking. It scored two stars out of five for navigation and logout, as well as account management, for online banking, with the same score for the encryption on its app.

The study found six web applications used by Virgin Money which were outdated and so were potentially vulnerable to scammers. The study found that the bank did not adequately block insecure passwords or remove phone numbers from notifications, while there were also no security checks should you want to pay someone new, change an email address or adapt the details of a payee.

The Which? study uncovered similar issues with TSB, which scored just 57% for its app and 66% for its online banking. It was criticised for asking basic security questions to recover login details, as well as its inability to block insecure and short passwords. It was also found to be using two outdated web applications.

TSB was also scored down for using SMS-based security, for failing to send alerts when sensitive changes to accounts were made, and for including phone numbers in its notifications around new payees. The bank told Which? it is reviewing its alerts and password complexity.

The best banks for customer security

At the other end of the scale, Starling came top for online banking security at 82%, while its app scored 80%. The bank scored the full five stars in almost every category in the Which? study.

It was followed by HSBC, which was the top scorer for online banking security last year. It scored 80% for online banking, while its app was the best in the study with a score of 82%.

Banks must ‘raise their game’

Which? argued that the banking industry needs to do a better job in boosting its cyber defences against scammers, who it suggested are becoming increasingly sophisticated. It noted that such criminals are having a successful time of things at the moment, with a whopping 29,102 cases of remote banking fraud reported to UK Finance in the first half of last year. The majority of Brits reported seeing an increase in scam attempts over the last six months of 2022 as well.

It called for further measures like blocking weak passwords and removing sending sensitive data through SMS text messages since they can be intercepted.

Sam Richardson, deputy editor of Which? Money, called on banks to remove these “open doors” which scammers can exploit, and up their game in order to properly protect their customers.

He added: “By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”

There have been warnings that new rules around refunds for scam victims could see a quarter miss out on getting their money back.