IT Security


Following security flaws in its online banking website that were pointed out by security experts, London-based bank Natwest says it will enhance its security.

Not using HTTPS across all pages

The bank has been criticised for using HTTPS only on the online banking pages themselves rather than on all of its pages, including the main customer-facing pages. Because a plain HTTP page is neither encrypted nor authenticated, anyone on the network path between the customer and the bank can alter it in transit, for example by changing the links on the page so that the "log in" button leads to a spoofed copy of the banking system.

Natwest told the BBC, following the comments from security expert Troy Hunt, that it would make changes to its website by Saturday.

Why is it important to use HTTPS connections?

HTTPS (Hypertext Transfer Protocol Secure) encrypts the traffic between your device and a website and authenticates the site you are talking to, so an intercepting party can neither read nor modify it. A page served over plain HTTP has neither protection: an attacker on the network path can read it and alter it before it reaches your browser. That is what makes the unencrypted pages dangerous, because an altered page can send customers to a fake login site, a technique known as ‘phishing’.

Phishing for customer data

Natwest’s online banking login page lives at nwolb.com. Phishing would work by registering a visually similar domain such as nuuolb.com, setting it up to look exactly like Natwest’s site and using it to harvest the credentials customers type in.

This specific example was pointed out by Hunt, leading Natwest to immediately register the domain in question. However, he stated that the bank had missed the point of what he was trying to tell them.

Other banks also needing to implement HTTPS across website

Although Natwest is the specific example here, many other banks face the same threat. Halifax, Tesco and First Direct also do not use HTTPS on pages that are not directly part of the banking login and services.

There is hope that the criticism of Natwest’s website will push banks to realise the importance of HTTPS across every page on their sites, as most pages are just one click away from the login page. All it takes to phish a customer is to change the destination of that one link.
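The two points made above (an unencrypted page can be altered in transit, and a public page that is one click from the login page is all an attacker needs) can be shown concretely. The following is an added example written for this page, not code from the article or from any bank: it first simulates what an on-path attacker can do to a plain HTTP response carrying a "Log in" link, then runs the check a practitioner would make over a site's responses, namely whether every plain HTTP URL redirects to HTTPS and whether the HTTPS pages send a Strict-Transport-Security (HSTS) header. The HSTS check goes beyond what the article discusses; it is the standard way to stop browsers from ever requesting the HTTP version again. All responses and the `www.example-bank.test` hostname are constructed sample data; `www.nwolb.com` is the real login domain named in the article and `www.nuuolb.com` is the look-alike the article uses as its example.

```python
"""Added example: why a bank's public pages must be served over HTTPS.

Part 1 simulates an on-path attacker rewriting the login link in an
unencrypted response.  Part 2 audits a set of responses for HTTP-to-HTTPS
redirects and HSTS.  Every response below is constructed sample data.
"""
import re
from urllib.parse import urlsplit

LOGIN_HOST = "www.nwolb.com"        # real login domain named in the article
LOOKALIKE_HOST = "www.nuuolb.com"   # look-alike domain used as the article's example
MIN_HSTS_MAX_AGE = 31536000         # one year, a common minimum recommendation

# Constructed: a public marketing page served over plain HTTP with a login link.
PUBLIC_PAGE_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><body><a href="https://www.nwolb.com/">Log in</a></body></html>'
)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def link_hosts(body):
    """Return the set of hostnames that absolute href links on the page point to."""
    return {urlsplit(h).hostname for h in re.findall(r'href="([^"]+)"', body)
            if urlsplit(h).hostname}


def on_path_rewrite(raw, real_host, fake_host):
    """Simulate a network attacker altering a plain HTTP response.

    Nothing authenticates or integrity-protects HTTP, so the attacker can swap
    the login link's host for a look-alike.  An HTTPS response cannot be
    altered this way without breaking the TLS record integrity check.
    """
    _, _, body = split_response(raw)
    return body.replace(f"//{real_host}/", f"//{fake_host}/")


def hsts_ok(headers):
    """True if Strict-Transport-Security is present with max-age >= one year."""
    value = headers.get("strict-transport-security")
    if not value:
        return False
    match = re.search(r"max-age=(\d+)", value)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_MAX_AGE


def audit_https_everywhere(responses):
    """responses: {url: raw response text}.  Return a sorted list of findings."""
    findings = []
    for url, raw in responses.items():
        status, headers, body = split_response(raw)
        if urlsplit(url).scheme == "http":
            location = headers.get("location", "")
            if not (300 <= status < 400 and location.startswith("https://")):
                findings.append(f"{url}: served over plain HTTP without redirect to HTTPS")
            if LOGIN_HOST in link_hosts(body):
                findings.append(f"{url}: unencrypted page carries a login link an attacker could rewrite")
        elif not hsts_ok(headers):
            findings.append(f"{url}: HTTPS response lacks an adequate Strict-Transport-Security header")
    return sorted(findings)


# Constructed sample site: the weak configuration beside the corrected one.
SAMPLE_RESPONSES = {
    # weak: public page over plain HTTP, no redirect, login link exposed
    "http://www.example-bank.test/": PUBLIC_PAGE_HTTP,
    # corrected: plain HTTP request is redirected straight to HTTPS
    "http://www.example-bank.test/about": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://www.example-bank.test/about\r\n"
        "\r\n"
    ),
    # corrected: HTTPS page with a one-year HSTS policy
    "https://www.example-bank.test/about": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        '<html><body><a href="https://www.nwolb.com/">Log in</a></body></html>'
    ),
    # weak: HTTPS but no HSTS, so the first visit can still be downgraded
    "https://www.example-bank.test/help": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    ),
}

if __name__ == "__main__":
    print("Tampered page:", on_path_rewrite(PUBLIC_PAGE_HTTP, LOGIN_HOST, LOOKALIKE_HOST))
    for finding in audit_https_everywhere(SAMPLE_RESPONSES):
        print("FINDING:", finding)
```

Against the constructed site the audit reports three findings: the root page is served over plain HTTP without a redirect, that same page carries the login link an attacker could rewrite, and the `/help` page lacks HSTS. The `/about` pair shows the corrected pattern: an immediate 301 to HTTPS and a one-year HSTS policy on the HTTPS response.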

Further Reading

For more information, see the BBC report at http://www.bbc.co.uk/news/technology-42353478 and the related article https://www.ec2it.co.uk/it-security/registered-domains-imitating-banking-websites