Many Online Bank Sites Still not Protecting Users
Four out of seven on-line banks have failed to secure their sites after being alerted over a month ago by heise Security to serious security issues on their web pages for online banking. On 20th September heise Security published an article, demonstrating that many on-line banks were taking too few precautions to protect their customers from phishing attacks. Some have reacted positively to this and improved their sites, but others seem to have made no changes to their sites, and the responsibility for avoiding phishing scams is still left entirely with their customers.
Our original demonstration tests worked by inserting a fake page into the online banking page, leaving the user almost no chance to detect the spoofing. An artificial page created along these lines, pretending to belong to a particular bank, would be almost impossible to spot. As an example, see the following demonstration (which requires default settings in Internet Explorer 6 and Active Scripting to work):
If this demonstration works correctly, a window will open with the correct First Direct URL. It will display part of the First Direct web page, with the rest replaced by a page from heise Security, as in the screen shot below.
Surprisingly, the original demonstration tests for Cahoot, the Bank of Scotland and First Direct all work at the time of writing exactly as they did a month ago, suggesting that no action has been taken to tighten up procedures.
However, shortly before publishing this article, First Direct informed heise Security that it intends to have a fix in place to counter frame spoofing during the next few working days.
The National Westminster has also taken some steps. The site has been changed by removing the names of the frames. However, as tests recently run at heise Security show, it is still vulnerable to frame spoofing attacks as the frames can still be addressed in other ways. Hopefully the steps taken so far are interim measures.
The Bank of Ireland has fixed its site, and has now included script code that detects spoofed frames and redirects to an error page. The Link has also corrected its site by no longer using frames - this is of course the one infallible way of avoiding an attack using frame spoofing.
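The detection approach the previous paragraph describes, a frameset page checking that its frames still belong to it and redirecting to an error page otherwise, is illustrated by the following added example. This is not the Bank of Ireland's actual script or any bank's code; the host name, the `/error.html` path, the polling interval and the function names are assumptions chosen for illustration. The point it shows is that in a browser, reading the `location` of a frame that now holds content from another origin throws a security exception, and that exception is itself the signal that the frame has been spoofed.

```javascript
// Added example, not code from the original article: a frameset page
// checking that every child frame still belongs to its own origin.
// Reading `frame.location.host` on a cross-origin frame throws, so the
// exception is treated as evidence that the frame has been replaced.

function frameHost(frame) {
  try {
    return frame.location.host; // throws for a cross-origin frame
  } catch (e) {
    return null; // cannot read it: not our content
  }
}

// Returns the indices of frames that are not from `ownHost`
// (either unreadable, or readable but pointing at another host).
function detectSpoofedFrames(win, ownHost) {
  var spoofed = [];
  for (var i = 0; i < win.frames.length; i++) {
    var host = frameHost(win.frames[i]);
    if (host === null || host.toLowerCase() !== ownHost.toLowerCase()) {
      spoofed.push(i);
    }
  }
  return spoofed;
}

// Runs the check on load and then periodically, and sends the whole
// window to the error page as soon as a foreign frame appears.
// Returns true if a redirect was triggered immediately.
function installFrameGuard(win, errorUrl, intervalMs) {
  var ownHost = win.location.host;
  function check() {
    var spoofed = detectSpoofedFrames(win, ownHost);
    if (spoofed.length > 0) {
      win.location.replace(errorUrl); // assumed error page location
      return true;
    }
    return false;
  }
  if (check()) {
    return true;
  }
  win.setInterval(check, intervalMs || 500);
  return false;
}

// In a real page this would run from the frameset document itself.
if (typeof window !== 'undefined' && window.top === window.self) {
  installFrameGuard(window, '/error.html', 500);
}
```

The check has to run from the frameset page rather than from the individual frames, because a frame that an attacker has replaced will never execute the bank's own script. Polling is needed because the replacement can happen at any time after the frameset has loaded. As the article notes, dropping frames altogether removes the problem without any such check.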
Of the six banks that we found to be vulnerable to frame spoofing, only two have been able to implement proper protective measures during the last month. Four are still vulnerable to phishing attacks.
Our other tests focussed on cross site scripting, and we originally found two bank sites that were vulnerable: UBS and the Bank of England (although the latter does not actually offer on-line banking). The Bank of England has fixed the problem, and UBS has also introduced some (preliminary?) workarounds, but is still vulnerable.
Just a couple of days after our article demonstrated that web pages for online banking ignored some of the most basic security measures that every web developer should be aware of, the Association for Payment Clearing Services (APACS), the organisation that co-ordinates the banking industry's efforts to combat online banking fraud, released a new report. This was entitled: "New research reveals that people are still unaware of basic security measures when banking online" (our italics). It also described how the number of phishing attacks "has risen dramatically over the past year" (by over 800%!). It is a pity that the report does not also ask whether the banks themselves are aware of the most basic security measures that could make their customers feel safer when online. Perhaps the banking industry should put its own house in order, properly and promptly, before blaming its customers. The report also claims that an estimated half a million people in the UK "said they would still respond to an unsolicited email asking them to follow a link and re-enter personal security details".
All of this emphasises the point we made in our earlier articles: it is in the banks' own best interest to help their customers feel safe and secure when banking online. It hardly makes good business sense for them to neglect the steps they could take and to insist, as so many of them do, that users take sole responsibility for their security when online.