Many UK banks could do better to protect customers from phishing attacks
There are two parties involved in any secure relationship, such as that between a customer and their bank. With the ever increasing volume of phishing emails trying to tease personal information, passwords, PIN codes and the like from unsuspecting users, all too often the emphasis is placed solely on the user, who has to take great care and avoid falling for the tricks of phishers – following links in spoof emails and being fooled into parting with information.
Only recently, some Bank of Ireland customers fell victim to a phishing attack in which they supplied personal banking details to a phoney web site. It was reported that the phishers made off with around £75,000 in this attack. The bank issued a warning, and said that customers should never reveal their PINs or passwords to anyone and were responsible for keeping login details safe.
Certainly, users need to be aware of the dangers, and take care not to fall into phishing and similar traps. But many users are new and unfamiliar with the tricks involved, we are all capable of making mistakes, and some are simply gullible by nature or do not understand the methods involved and need as much protection as can be provided. It is therefore important that the institutions that phishers try to mimic also play their part, and we recently conducted a set of relatively trivial tests to see whether the major UK on-line banks were using everything available to them to help combat phishing.
In order to check for the most basic vulnerabilities, we tried nothing sophisticated, nothing that took more than half an hour to try out - most took much less than this. And yet we found that many on-line banking systems simply do not have the most basic precautions in place to help shield their customers from falling victim to phishing. Some, such as HSBC, were immune to the level of testing we employed. This is naturally a good sign, but it does not of course guarantee that they are completely secure. We tested for two kinds of vulnerability: frame spoofing and cross-site scripting.
Of the nine on-line banks that we investigated, only three – HSBC, Barclays and the Halifax – passed both of our tests. UBS proved vulnerable to cross-site scripting, and the following were vulnerable to frame spoofing: Bank of Scotland, Bank of Ireland, NatWest, First Direct and Cahoot.
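Framing attacks of the kind tested above are nowadays addressed on the server side by telling browsers which origins may embed a page at all. As an added example (not part of this article, and not any bank's code), the following Python check classifies a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers; the sample responses are constructed, not captured from any bank.

```python
# Added example: classify whether HTTP response headers forbid third-party
# framing. Header names and CSP syntax are real; the sample responses below
# are constructed for illustration and do not describe any real site.

def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none' per the CSP spec.
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None

def assess_anti_framing(headers: dict) -> dict:
    """Decide whether untrusted sites may embed this response in a frame.

    Returns {"protected": bool, "reason": str}. CSP frame-ancestors takes
    precedence over X-Frame-Options, which is how browsers apply the two.
    """
    h = {k.lower(): v for k, v in headers.items()}
    fa = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if fa is not None:
        open_sources = [s for s in fa if s in ("*", "http:", "https:")]
        if open_sources:
            return {"protected": False, "reason": f"frame-ancestors allows {open_sources}"}
        return {"protected": True, "reason": f"frame-ancestors {' '.join(fa)}"}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": f"X-Frame-Options {xfo}"}
    if xfo:
        # Browsers ignore invalid or obsolete values (e.g. ALLOW-FROM) and allow framing.
        return {"protected": False, "reason": f"unsupported X-Frame-Options value {xfo}"}
    return {"protected": False, "reason": "no anti-framing header"}

# Constructed sample responses (hypothetical login pages, not real bank headers).
SAMPLE_RESPONSES = {
    "login-old": {"Content-Type": "text/html"},
    "login-xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "login-csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "login-csp-wide": {"Content-Security-Policy": "frame-ancestors *"},
}

def audit(responses: dict) -> dict:
    """Map each response name to True if framing by other origins is blocked."""
    return {name: assess_anti_framing(hdrs)["protected"] for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {'protected' if verdict else 'NOT protected'}")
```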
Demonstrations of many of the problems we discovered can be seen in our article "You can't Bank on Security". Most of these demos work only in Internet Explorer with its default settings, but this is probably how most people browse the internet. Having your browser configured correctly can help defend against phishing attacks. For information on how to do this, see the heisec Browsercheck.