Four out of seven online banks have failed to secure their sites after being alerted over a month ago, by the information security research and publishing company heise Security, to serious security issues on their online banking pages.
On 20th September heise Security published an article demonstrating that many online banks were taking too few precautions to protect their customers from phishing attacks.
Some have reacted positively to this and improved their sites, but others seem to have made no changes to their sites, and the responsibility for avoiding phishing scams is still left entirely with their customers.
Heise's original demonstration worked by inserting a fake ("spoofed") page into the online banking page, leaving the user almost no chance of detecting the spoofing.
Surprisingly, the original demonstration tests for Cahoot, the Bank of Scotland and First Direct all work at the time of writing exactly as they did a month ago, suggesting that no action has been taken to tighten up procedures.
The National Westminster has taken some steps. The site has been changed by removing the names of the frames. However, as tests recently run at heise Security show, it is still vulnerable to frame spoofing attacks because the frames can still be addressed in other ways.
Hopefully the steps taken so far are interim measures.
The Bank of Ireland has fixed its site, and has now included script code that detects spoofed frames and redirects to an error page. The Link has also corrected its site by no longer using frames - this is of course the one infallible way of avoiding an attack using frame spoofing.
Of the six banks found to be vulnerable to frame spoofing, only two have been able to implement proper protective measures during the last month. Four are still vulnerable to phishing attacks.
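An added illustration, not the Bank of Ireland's or any bank's actual script, of the kind of frame-ancestry check the article describes: it verifies the origin of every ancestor window rather than relying on frame names, since the NatWest case shows that removing names alone does not stop a frame from being addressed. The error page path and the bank origin are assumed placeholders.

```javascript
// Added illustration of a frame-ancestry check of the kind the article says the
// Bank of Ireland deployed; it is not the bank's code. A page meant to render only
// inside the bank's own frameset walks up its parent chain on load and accepts the
// situation only if every ancestor is same-origin. Reading location.origin on a
// cross-origin window throws a SecurityError; that failure marks a foreign frameset.
const ERROR_PAGE = "/frame-error.html"; // assumed path of the bank's error page
const MAX_DEPTH = 16;                    // stop walking on absurdly deep nesting
// Origin of `win`, or null when the same-origin policy hides it (cross-origin).
function originOf(win) {
  try {
    return win.location.origin;
  } catch (e) {
    return null;
  }
}

// "ok" for a top-level page or one whose ancestors all share `expectedOrigin`;
// otherwise a short reason for rejecting the page.
function checkFrameAncestry(win, expectedOrigin) {
  let current = win;
  for (let depth = 0; depth < MAX_DEPTH; depth++) {
    if (current.parent === current) return "ok"; // reached the top window
    current = current.parent;
    const origin = originOf(current);
    if (origin === null) return "cross-origin ancestor";
    if (origin !== expectedOrigin) return "unexpected origin " + origin;
  }
  return "nesting too deep";
}

// Browser entry point: leave for the error page rather than render inside a
// frameset the bank does not control. Returns the verdict for callers/tests.
function enforceFrameAncestry(win, expectedOrigin) {
  const verdict = checkFrameAncestry(win, expectedOrigin);
  if (verdict !== "ok") win.location.replace(ERROR_PAGE);
  return verdict;
}

// Constructed stand-in for a browser window so the check runs under Node;
// origin === null models a cross-origin window whose location is opaque.
function fakeWindow(origin, parent) {
  const location = { redirectedTo: null, replace(url) { location.redirectedTo = url; } };
  Object.defineProperty(location, "origin", {
    get() { if (origin === null) throw new Error("SecurityError"); return origin; }
  });
  const win = { location };
  win.parent = parent || win; // a top-level window is its own parent
  return win;
}
if (typeof window !== "undefined") enforceFrameAncestry(window, window.location.origin);
```

A script check like this only takes effect once the framed page's own code runs, so current deployments back it with the X-Frame-Options or Content-Security-Policy frame-ancestors response headers, which let the browser refuse the framing before any page script executes.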
A separate set of tests focussed on cross site scripting. Two bank sites were originally found to be vulnerable: UBS and the Bank of England (although the latter does not actually offer online banking). The Bank of England has fixed the problem, and UBS has also introduced some (preliminary?) workarounds, but is still vulnerable.