ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
NatWest bank spat prompts web security changes
NatWest bank says it will enhance the security of its website, following a spat with security experts who spotted a vulnerability.
Several researchers had asked why some banks used encrypted HTTPS connections for online banking, but not on their main customer-facing websites.
When security expert Troy Hunt told NatWest its site “needed fixing”, the bank replied “sorry you feel this way”.
But the bank has now told the BBC it will make changes within 48 hours.
In a blog post, Mr Hunt suggested attackers could redirect visitors trying to access NatWest’s online banking service, from the official address nwolb.com to something visually similar such as nuuolb.com.
Shortly afterwards, NatWest registered the nuuolb.com web address. But Mr Hunt, who has previously testified before US Congress on matters of cyber-security, said the bank had missed the point.
“We’re seeing ‘Not secure’ next to the address bar,” he said. “I would opine that ‘Not secure’ is not what you want to see on your bank.”
A spokesman for RBS, which owns NatWest, told the BBC: “We take the security of our services extremely seriously. While we do not currently enforce HTTPS on some of our websites, we are working towards upgrading this in the next 48 hours.
“Our online banking channel is secured with HTTPS.”
Security researchers found several other major banks did not use HTTPS on their homepages.
First Direct and Tesco Bank have yet to respond to the BBC’s request for comment.
Lloyds Banking Group said the websites for Lloyds and Halifax did typically use HTTPS, but also “allowed HTTP access” if people typed in the web address manually.
“We are in the final stages of correcting this and expect it to be resolved this week,” a spokesman told the BBC.
What’s the problem?
Online banking websites use HTTPS connections to help keep customer data private.
When a website uses HTTPS (Hyper Text Transfer Protocol Secure), any information sent between your device and the website is encrypted, so it cannot be read if it is intercepted.
However, security researchers found several banks did not use HTTPS on the rest of their websites, including the homepage on which visitors land.
NatWest originally tweeted that it did not use HTTPS on its homepage because it only contained “general information”.
But the researchers suggested that without HTTPS an attacker could theoretically modify elements of a bank’s website. They could send victims to a fake online banking site and steal their information.
“The homepage is insecure so you can’t trust anything on it,” said Mr Hunt.
“This is a banking website. No excuses,” added Stephen Kellett, from security firm Software Verify. “All pages, whether performing transactions, the homepage, the about page, the whole lot, they should all be secure. Why? Because they all launch the login page.”
How credible is the threat?
“There are various ways this can be exploited, to lure the client on to a phishing website,” said Dr Mark Manulis, from the Surrey Centre for Cyber-security.
A phishing page is designed to look like a legitimate website to trick people into handing over personal information.
“It’s possible to spoof the website and create a fake login button. Phishing attacks for a long time have been a major threat and can be quite sophisticated. This makes such attacks easier.”
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.