NatWest bank has improved the security of its website, following a spat with security experts who spotted a vulnerability.
Several researchers had asked why some banks used encrypted HTTPS connections for online banking, but not on their main customer-facing websites.
When security expert Troy Hunt told NatWest its website “needed fixing”, the bank replied “sorry you feel this way”.
But the bank told the BBC it would make changes within 48 hours.
The changes were implemented on Thursday night.
In a blog post, Mr Hunt suggested attackers could redirect visitors trying to access NatWest’s online banking service, from the legitimate address nwolb.com to something visually similar such as nuuolb.com.
Shortly afterwards, NatWest registered the nuuolb.com web address. But Mr Hunt, who has previously testified before US Congress on matters of cyber-security, said the bank had missed the point.
“We’re seeing ‘Not secure’ next to the address bar,” he said. “I’d opine that ‘Not secure’ is not what you want to see on your bank.”
A spokesman for RBS, which owns NatWest, told the BBC: “We take the security of our services extremely seriously. While we don’t currently enforce HTTPS on some of our websites, we are working towards upgrading this in the next 48 hours.
“Our online banking channel is secured with HTTPS.”
Several others
Security researchers found several other major banks did not use HTTPS on their homepages.
First Direct told the BBC: “This functionality is something we are currently reviewing.”
Lloyds Banking Group said the websites for Lloyds and Halifax did typically use HTTPS, but had also “allowed HTTP access” if people typed in the web address manually.
“We are in the final stages of correcting this,” a spokesman told the BBC. It implemented changes on Thursday evening.
Tesco Bank has not responded to the BBC’s request for comment.
What’s the problem?
Online banking websites use HTTPS connections to help keep customer data private.
When a website uses HTTPS (Hyper Text Transfer Protocol Secure), any information sent between your device and the website is encrypted, so it cannot be read if it is intercepted.
However, security researchers found several banks did not use HTTPS on the rest of their websites, including the homepage on which visitors land.
NatWest initially tweeted that it did not use HTTPS on its homepage because it only contained “general information”.
But the researchers suggested that without HTTPS an attacker could theoretically modify parts of a bank’s website. They could send victims to a fake online banking website and steal their information.
“The homepage is insecure so you can’t trust anything on it,” said Mr Hunt.
“This is a banking website. No excuses,” added Stephen Kellett, from security firm Software Verify. “All pages, whether performing transactions, the homepage, the about page, the whole lot, they should all be secure. Why? Because they all launch the login page.”
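The check the researchers describe, as an added example that is not from the article or any bank: a visitor who types a bank’s address by hand starts over plain HTTP, so the homepage should send them straight to HTTPS on the same site and set HSTS. The hostnames, hops and header values below are constructed.

```python
# Added example (not from the BBC article or any bank's code): audit a homepage
# redirect chain as the researchers describe. A hand-typed address starts over
# plain HTTP and should go straight to HTTPS on the same site, with HSTS set.
# Hop records below are constructed sample data, not captured traffic.
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import re

@dataclass
class Hop:
    url: str          # URL requested at this step of the chain
    status: int       # HTTP status code returned
    headers: dict = field(default_factory=dict)

def _hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security header (0 if absent)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value or "", re.I)
    return int(m.group(1)) if m else 0

def audit_chain(hops, expected_host, min_hsts=31536000):
    """Return a list of findings; an empty list means the chain looks sound."""
    findings = []
    if not hops:
        return ["no response"]
    http_hops = [h for h in hops if urlsplit(h.url).scheme == "http"]
    # A page body returned over plain HTTP can be altered in transit.
    for h in http_hops:
        if 200 <= h.status < 300:
            findings.append(f"page served over plain HTTP: {h.url}")
    # Each extra plain-HTTP redirect is one more unprotected request.
    if len(http_hops) > 1:
        findings.append(f"{len(http_hops)} plain-HTTP hops before HTTPS")
    last = hops[-1]
    parts = urlsplit(last.url)
    if parts.scheme != "https":
        findings.append(f"final page is not HTTPS: {last.url}")
    # Landing on an unrelated host is the lookalike-domain pattern.
    host = parts.hostname or ""
    if host != expected_host and not host.endswith("." + expected_host):
        findings.append(f"landed on unexpected host: {host}")
    hdrs = {k.lower(): v for k, v in last.headers.items()}
    if parts.scheme == "https" and _hsts_max_age(hdrs.get("strict-transport-security")) < min_hsts:
        findings.append("missing or short Strict-Transport-Security on final page")
    return findings
# Constructed sample chains: a sound one and a homepage served only over HTTP.
GOOD = [
    Hop("http://bank.example/", 301, {"Location": "https://bank.example/"}),
    Hop("https://bank.example/", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
HTTP_ONLY = [Hop("http://bank.example/", 200, {"Content-Type": "text/html"})]
```

Calling `audit_chain(HTTP_ONLY, "bank.example")` reports the plain-HTTP homepage the researchers objected to, while the `GOOD` chain returns no findings.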
How credible is the threat?
“There are many ways this can be exploited, to lure the user on to a phishing website,” said Dr Mark Manulis, from the Surrey Centre for Cyber-security.
A phishing page is designed to look like a legitimate website to trick people into handing over personal information.
“It is possible to spoof the website and create a fake login button. Phishing attacks for a long time have been a major threat and can be quite sophisticated. This makes such attacks easier.”