The Channel logo


By | John Leyden 28th September 2006 12:17

UK banking websites' security slammed

Frame spoof vulnerabilities rife, warns Heise

Several major UK bank websites are subject to security flaws that make it easier for phishing fraudsters to craft more convincing scams, according to a study by Heise Security, a UK arm of the German firm behind c't magazine and German IT portal Heise Online.

Two major banks (NatWest and USB) improved the security of their sites since flaws were detailed by Heise last Friday, but other customer-facing e-banking websites remain vulnerable to frame-spoofing and other types of security attack.

Last Friday, Heise published a number of demos to show how phishing fraudsters might be able to overlay the websites of NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct, and Link with rogue frames, potentially served from websites controlled by fraudsters. The same type of attack is also possible against the website of the Dedicated Cheque and Plastic Crime Unit, a bank-sponsored police unit.

Heise demoed these attacks using default IE6 installs not fitted with security patches, a foolhardy configuration that leaves the door open to all sorts of mischief.

Separately, cross site scripting attacks against the websites of USB and the Bank of England's site were also demonstrated. Frame spoofing attacks can be thwarted providing users are using up to date browser software, but the cross-site scripting attacks it demonstrated can't be addressed by client-side security updates, according to Heise. Both types of attacks require a modicum of skill to carry out, but are far from difficult.

A number of high street banks - including HSBC, Barclays and the Halifax - were not vulnerable to Heise Security's tests. HSBC, for example, uses JavaScript code to check the integrity of the frameset, an approach that thwarts frame spoofing even if a surfer is using out-of-date browser software.

Heise is calling on other UK banks to improve the security of their services. Since documenting its tests, Nat West has made security improvements that means its site is no longer easily susceptible to exploitation. The Bank of England has changed its application to filter user input, so the attack demo by Heise now fails to work. USB has also made security improvements, but portions of its site are still vulnerable to attack, according to Heise. ®

alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe