UK Banks Still Make Life Too Easy For ID Thieves

London - October 23rd 2006

Four out of seven on-line banks have still not secured their sites more than a month after being alerted to serious security issues on their online banking pages by the information security research and publishing company heise Security. On 20th September heise Security published an article demonstrating that many on-line banks were taking too few precautions to protect their customers from phishing attacks.

Some have reacted positively to this and improved their sites, but others seem to have made no changes to their sites, and the responsibility for avoiding phishing scams is still left entirely with their customers.

Heise's original demonstration [1] worked by inserting a fake ("spoofed") page into the online banking page leaving the user almost no chance to detect the spoofing.

Surprisingly, the original demonstration tests for Cahoot, the Bank of Scotland and First Direct all work at the time of writing exactly as they did a month ago, suggesting that no action has been taken to tighten up procedures.

The National Westminster has taken some steps. The site has been changed by removing the names of the frames. However, as tests recently run at heise Security show, it is still vulnerable to frame spoofing attacks as the frames can still be addressed in other ways. Hopefully the steps taken so far are interim measures.

The Bank of Ireland has fixed its site, and has now included script code that detects spoofed frames and redirects to an error page. The Link has also corrected its site by no longer using frames - this is of course the one infallible way of avoiding an attack using frame spoofing.
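As an added illustration of the two points above (that removing frame names alone is not a fix, and that a frameset can detect a foreign document in one of its frames and send the user to an error page), here is a defender-side check written for this page; it is not the Bank of Ireland's script or anything from heise Security. It assumes a bank origin of `https://bank.example` and an error page at `/error`, and it simulates browser window objects in plain JavaScript so it runs offline. The frameset page walks its child frames by index rather than by name, and treats a frame whose document it can no longer read (the browser throws on cross-origin access) as spoofed.

```javascript
// Added example (not the bank's or heise Security's code): a frameset page
// audits its own child frames and redirects to an error page if any frame
// no longer holds a same-origin document. Every window object below is a
// constructed stand-in so the logic runs outside a browser.

const BANK_ORIGIN = "https://bank.example";       // assumed bank origin
const ERROR_URL = "https://bank.example/error";   // assumed error page

// Origin of the document currently loaded in `frame`, or null when it is
// cross-origin. Browsers throw on cross-origin reads of frame.location
// properties, and that exception is itself the signal that the frame's
// content has been replaced by a document the bank does not control.
function frameOrigin(frame) {
  try {
    return frame.location.origin;
  } catch (e) {
    return null;
  }
}

// Walks frames positionally, not by name, so the check still works after
// frame names have been removed: a frame that can be addressed by index can
// be spoofed by index, so the audit must not depend on names either.
function findSpoofedFrames(win, expectedOrigin) {
  const spoofed = [];
  for (let i = 0; i < win.frames.length; i++) {
    if (frameOrigin(win.frames[i]) !== expectedOrigin) spoofed.push(i);
  }
  return spoofed;
}

// Sends the whole frameset to the error page when any frame is spoofed.
// Returns true when a redirect was issued.
function enforceFrameIntegrity(win, expectedOrigin, errorUrl) {
  if (findSpoofedFrames(win, expectedOrigin).length === 0) return false;
  win.location.href = errorUrl;
  return true;
}

// --- constructed stand-ins for browser window objects ---
// `docOrigin` is the origin of the document in the frame; `viewerOrigin` is
// the origin of the page doing the reading. Mismatch mimics the browser's
// cross-origin exception.
function makeFrame(docOrigin, viewerOrigin) {
  return {
    get location() {
      if (docOrigin !== viewerOrigin) {
        throw new Error("SecurityError: cross-origin access blocked");
      }
      return { origin: docOrigin };
    },
  };
}

function makeFrameset(childOrigins) {
  return {
    location: { href: BANK_ORIGIN + "/banking" },
    frames: childOrigins.map((o) => makeFrame(o, BANK_ORIGIN)),
  };
}

// Runs the audit over a clean frameset and one whose second frame has been
// replaced with a foreign document, and reports what happened.
function demo() {
  const clean = makeFrameset([BANK_ORIGIN, BANK_ORIGIN]);
  const injected = makeFrameset([BANK_ORIGIN, "https://phisher.invalid"]);
  return {
    cleanSpoofed: findSpoofedFrames(clean, BANK_ORIGIN),
    cleanRedirected: enforceFrameIntegrity(clean, BANK_ORIGIN, ERROR_URL),
    cleanHref: clean.location.href,
    injectedSpoofed: findSpoofedFrames(injected, BANK_ORIGIN),
    injectedRedirected: enforceFrameIntegrity(injected, BANK_ORIGIN, ERROR_URL),
    injectedHref: injected.location.href,
  };
}

console.log(demo());
```

In a real frameset page this check would run on load and again on a timer, since a frame can be replaced after the page has rendered; it narrows the window in which a spoofed login form is visible but does not remove it, which is why the article is right that dropping frames altogether is the one infallible fix.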

Of the six banks found to be vulnerable to frame spoofing, only two have implemented proper protective measures during the last month. Four are still vulnerable to phishing attacks.

A separate set of tests focussed on cross site scripting. Two bank sites were originally found to be vulnerable: UBS and the Bank of England (although the latter does not actually offer on-line banking). The Bank of England has fixed the problem, and UBS has also introduced some (preliminary?) workarounds, but is still vulnerable.

By coincidence, just a couple of days after heise Security's article demonstrated that web pages for online banking ignored some of the most basic security measures that every web developer should be aware of, the Association for Payment Clearing Services (APACS), the organisation that co-ordinates the banking industry's efforts to combat online banking fraud, released a new report [2]. It was entitled "New research reveals that people are still unaware of basic security measures when banking online", and it also described how the number of phishing attacks "has risen dramatically over the past year" (by over 800%!). It is a pity that the report does not also ask whether the banks themselves are aware of the most basic security measures that could make their customers safer online. Perhaps the banking industry should put its own house in order, properly and promptly, before blaming its customers. The report also claims that an estimated half a million people in the UK "said they would still respond to an unsolicited email asking them to follow a link and re-enter personal security details".

All of this emphasises the point made by heise Security in earlier articles that it is in the banks' own best interest to help their customers feel safe and secure when banking online. It hardly makes good business sense for them to neglect the steps they could take and insist, as so many of them do, that users take sole responsibility for their security when online.
