Metro Bank received the worst Which? rating for online banking security overall, while digital bank Monzo was scored as having the worst security on its app due to not asking for a password every time users logged in.
The findings were based on an investigation carried out by cyber security firm 6point6.
It comes amid a rising tide of fraud. Close to 42,000 victims lost money to online banking scams in the first half of 2021 alone, almost double the number of cases over the same period the prior year, according to figures from the banking trade body UK Finance.
A number of banks said they were working on improving their security, including Santander, which said it was phasing out allowing first names as passwords, as well as text message verification.
Providers are under increasing financial pressure to prevent fraud and face being forced to reimburse “push-payment fraud” victims under plans for new laws backed by the Government, unless customers have been found to be negligent.
Close to half a billion was lost to this type of fraud in 2020, but banks returned just £207m to victims under the current guidelines. The proposed rule change is designed to give firms the incentive to do more to combat rising levels of financial crime.
A spokesman for Triodos said it took fraud “very seriously”, while a Metro Bank spokesman said it had a range of “continuously evolving controls” in place to protect customers.
Monzo defended its security measures, saying it “strongly” disagreed with the findings of the report. All banks highlighted by the report said online security was a major priority.