
UK Banks Still Make Life Too Easy For ID Thieves

Four out of seven on-line banks have failed to secure their sites more than a month after being alerted to serious security issues on their online banking pages by heise Security, an information security research and publishing company.

On 20th September heise Security published an article demonstrating that many on-line banks were taking too few precautions to protect their customers from phishing attacks.

Some have reacted positively and improved their sites, but others appear to have made no changes at all, leaving the responsibility for avoiding phishing scams entirely with their customers.

Heise's original demonstration worked by inserting a fake ("spoofed") page into the online banking page, leaving the user almost no chance of detecting the spoofing.

Surprisingly, the original demonstration tests for Cahoot, the Bank of Scotland and First Direct all work at the time of writing exactly as they did a month ago, suggesting that no action has been taken to tighten up procedures.

The National Westminster has taken some steps: the names of the frames have been removed from the site. However, as tests recently run at heise Security show, it is still vulnerable to frame spoofing attacks, because the frames can still be addressed in other ways.

Hopefully the steps taken so far are interim measures.

The Bank of Ireland has fixed its site, and has now included script code that detects spoofed frames and redirects to an error page. The Link has also corrected its site by no longer using frames - this is of course the one infallible way of avoiding an attack using frame spoofing.
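As an added illustration (not heise's test code and not any bank's script), this is one way such a detection script can be written: the frameset page checks that each of its frames still shows a page from the bank's own origin, and if any frame has been replaced it redirects to an error page. The origin, the error page path and the frame names are assumed placeholders.

```javascript
// Added example, not from the article. Detects frame spoofing by checking what
// each frame actually displays, regardless of how the frame was addressed
// (by name or by index), so it also covers the gap left by merely renaming frames.

const EXPECTED_ORIGIN = "https://online.example-bank.test"; // assumed placeholder
const ERROR_PAGE = "/frame-error.html";                     // assumed placeholder

// Pure check: maps frame name -> URL currently loaded in that frame and returns
// the names of frames whose origin is not the bank's own. Unparsable or
// access-denied URLs count as spoofed: we only trust what we can verify.
function findSpoofedFrames(frameUrls, expectedOrigin) {
  const spoofed = [];
  for (const [name, url] of Object.entries(frameUrls)) {
    let origin = null;
    try {
      origin = new URL(url).origin;
    } catch (e) {
      origin = null;
    }
    if (origin !== expectedOrigin) spoofed.push(name);
  }
  return spoofed;
}

// Browser side: read each <frame>/<iframe> element from our own DOM (so the
// names are ours, not the child's) and ask the child window for its location.
// Reading location.href of a cross-origin window throws a SecurityError, which
// itself proves the frame no longer holds our content.
function collectFrameUrls(doc) {
  const urls = {};
  const elements = doc.querySelectorAll("frame, iframe");
  for (let i = 0; i < elements.length; i++) {
    const el = elements[i];
    const name = el.name || "frame" + i;
    try {
      urls[name] = el.contentWindow.location.href;
    } catch (e) {
      urls[name] = "cross-origin:access-denied"; // not a URL, treated as spoofed
    }
  }
  return urls;
}

function enforceFrameIntegrity(win, expectedOrigin, errorPage) {
  const bad = findSpoofedFrames(collectFrameUrls(win.document), expectedOrigin);
  if (bad.length > 0) win.location.replace(errorPage); // bail out to the error page
  return bad;
}

if (typeof window !== "undefined") {
  window.addEventListener("load", () =>
    enforceFrameIntegrity(window, EXPECTED_ORIGIN, ERROR_PAGE));
}
```

The check runs on load; a production version would also re-run it whenever a frame fires its own load event, since the spoofing happens after the frameset is already open.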

Of the six banks found to be vulnerable to frame spoofing, only two have implemented proper protective measures during the last month. Four are still vulnerable to phishing attacks.

A separate set of tests focussed on cross site scripting. Two bank sites were originally found to be vulnerable: UBS and the Bank of England (although the latter does not actually offer on-line banking). The Bank of England has fixed the problem, and UBS has also introduced some (preliminary?) workarounds, but is still vulnerable.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.