13 current account providers and their customer-facing security systems were tested by the consumer group between September and November 2022.
With the help of security experts at Red Maple Technologies, Which? scored the banks based on their login, navigation and logout processes.
The account providers were also tested on their account management and encryption for both their online banking security and app security.
Sam Richardson, Which? Money deputy editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.
“By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”
Virgin Money scores lowest of UK banks in online and app banking security
According to the Which? research, Virgin Money scored the lowest overall for online and app banking.
A spokesperson for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls.
“A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”
Scoring in the second lowest spot for its app, Which? also raised concerns over TSB.
A spokesperson for TSB said: “We continue to invest in our online and mobile services – and work with globally leading tech firms to deliver both security and accessibility to our customers.
“TSB also tracks well across the industry on fraud prevention and we are the only bank that protects its customers with a guarantee to return their money should they ever fall victim to fraud.”
Meanwhile, Nationwide Building Society was given the second-lowest score for online banking security.
A spokesperson for Nationwide said: “Nationwide takes the security of its members and their money very seriously.
“We are never complacent and conduct regular testing of our systems to ensure that we maintain an appropriate level of protection, whilst ensuring a positive user experience.
“We will take the points raised by Which? on board as we continue to evolve our digital services.”
On the other side of the scale, Starling Bank ranked highest for online banking security.
HSBC UK followed closely behind Starling for online banking, while its app had the highest score.
The banks included in the research also have behind-the-scenes systems that Which? and Red Maple Technologies were reportedly not able to test.
READ MORE: Parents warned as paedophiles target kids desperate for viral Prime energy drink
READ MORE: Warning to anyone who rents as scammers target Facebook and SpareRoom
The consumer champion has said it wants to see a change that would lock weak passwords.
Additionally, Which? has called for sensitive data not to be sent via text messages since these can be intercepted.
A UK Finance spokesperson said: “The banking and finance industry is committed to stopping fraud from happening in the first place, investing billions in advanced technology to protect customers.
“Our figures have shown that the number of recorded cases of unauthorised fraud has fallen year on year, with the first half of 2022 showing a fall of 7% to just under 1.4 million, and banks stopping £583.9 million of unauthorised fraudulent transactions.
“The industry continues to work closely with the Government and law enforcement to target the criminal gangs responsible and continue its efforts to prevent fraud to customers.”
Which? shares five tips for safer online banking
The consumer advice organisation has shared five tips to you bank safer online:
1. If you receive unexpected emails, texts, WhatsApp or any other type of messages, do not click on the hyperlinks they contain.
Criminals posing as your bank might try to steal sensitive data or trick you into sending money, going as far as creating fake websites to impersonate banks and other firms.
Do not download attachments or call phone numbers either.
If you need to get in touch with your bank, call on a trusted number, such as the one on your debit card.
2. Use up-to-date security software by downloading antivirus software on your computer, phone and any other devices you have.
It is also important to download and install the latest updates for the device itself.
Updates contain security patches for new vulnerabilities, so do not use an out-of-date device.
3. Protect your mobile phone by turning on phone auto-locks after a short period of inactivity in your settings.
While you are in there, disable lock screen notifications, to prevent criminals seeing incoming texts, which could include bank codes for accessing your account.
You can also add a Pin to your Sim card, to prevent it being accessed.
4. Check privacy settings on social media.
Remove any personal information such as your email, date of birth and phone number – all of which can be used by criminals to steal your identity or impersonate your bank.
Only accept friend requests from people you know.
5. Replace default passwords on your home router.
This will prevent others from accessing it. Also, avoid banking on unsecured wireless networks or public computers.
If you do use a public computer, never leave it unattended and always log out when you have finished.