Web banks still not protecting customers

Web banks still not protecting customers

Four of the UK's biggest banks have failed to fix a security flaw in their online banking systems that was highlighted by Heise Security a month ago.

The online security expert said last month that several bank Web sites contain security flaws that can be exploited and used by online fraudsters to launch convincing "frame spoofing" attacks.

The Heise study showed how phishing fraudsters could overlay the Web sites of NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link with spoof frames. This allows a fraudster to mimic a legitimate site by inserting a frame within the Web site's window.

But in a statement the firm says Cahoot, Bank of Scotland and First Direct have failed to make their online services more secure despite being alerted to the problem last month. Natwest has taken some steps but Heise says its customers are still vulnerable to attack.

But on a more positive note both Bank of Ireland and Link have since fixed their sites. Bank of Ireland has now included script code that detects spoofed frames and redirects to an error page, says Heise, while the Link site no longer uses frames.

In response to the renewed warning banks have been quick to reassure customers that the problem is being fixed. Rob Skinner at First Direct told reports that the direct bank is updating its security "this week" and is not aware of anyone who has "lost out" as a result of the flaw.

Morag Fleming at Cahoot told reporters that the Web bank has been working on eliminating any potential risk and "will have a permanent fix in place shortly", while Jason Clarke at Bank of Scotland says worked to fix the flaw on the BoS site "should be complete this week".

Comments: (0)