Some of our biggest banks are not doing enough to prevent online fraud, new research by Which? claims.

It asked volunteers with current accounts at 11 banks to carry out a series of online banking tasks and enlisted the help of security experts from SureCloud to rate the safeguards used for each.

Banks were tested on online security features including logging in through a browser, adding a new payee and transferring money, password complexity requirements, the security of the connection, navigation and the logout process.

Which? found that, while all banks were broadly secure, only five – First Direct, HSBC, Barclays, M&S Bank and Nationwide – had two-factor authentication set up for online login into accounts.

This is a major security feature that can safeguard customers from scams.

'Major security flaw'

Two-factor authentication combines two types of ID checks – usually something you know, like a password or Pin, and something you have on you, like a device that generates a one-time passcode.

Lloyds Bank, Halifax/Bank of Scotland, NatWest/RBS, Metro Bank, Santander and TSB were found not to have this extra layer of security in place – despite having the technology to do so.

Online security is a vital weapon in the fight against fraud. In 2014/15 financial losses through online fraud totalled £133.5 million soaring 64% compared to the year before.

Fraudsters that are able to hack into the first level of security at login can access sensitive financial details, which they may be able to use to convince customers they are talking to their bank.

Alex Neill, managing director of home and legal services at Which?, said: “The best banks in our test manage to use two-factor authentication without it being too onerous for their customers, so there’s no excuse for others to sacrifice security.

“Online banking is increasingly part of our daily lives and at the same time online scams are becoming more sophisticated.

"People can only do so much to protect themselves from fraud, it's time for banks to shoulder more of the responsibility and introduce extra protections to safeguard their customers.”  

[Related story: Where to earn most interest following current account cuts]

The best and worst banks for online security

Which? ranked the online security at the major high street banks based on a scoring system for each of the online security tests. The results are below.

First Direct was found to offer the most secure online banking experience, achieving a score of 78% in the Which? investigation.

HSBC, Barclays, M&S Bank and Nationwide also scored above 70% for their security measures for online banking.

TSB was the worst bank for online security with a score of 56%.

The bank responded to the findings by suggesting more security measures were in place behind the scenes.

A spokesperson said: “Customers are at the very forefront of everything we do at TSB, and we take their safety and security very seriously. It is our number one priority to offer safe and secure banking facilities for our customers across all of our products and services.

"To achieve this, we maintain complex and multi-layered fraud prevention controls which will not be visible to the customer - or reflected in this survey. We continually review and improve our services to ensure they remain robust and fit for purpose.”

Looking for a new bank? Compare current accounts