Research by Heise Verlag, a German publishing company, demonstrates serious security issues with the customer-facing web sites of major UK banks.
Heise Verlag has set up a series of demonstrations on its UK web site (link below) showing simple, successful attacks against UK bank web sites, e.g. frame spoofing attacks against NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link. These attacks show how easily a successful phishing campaign could be mounted using the web sites of these financial institutions themselves. Incidentally, the same attack works against the Dedicated Cheque and Plastic Crime Unit, a bank-sponsored police force.
In a separate demonstration the researchers show a successful cross-site scripting (XSS) attack against the UBS internet banking site, and a similar attack using the Bank of England's site.
The amazing fact is that all these attacks are basic, exploiting issues some of which have been well known for seven or eight years, and still these banks are running vulnerable sites, placing their customers at considerable risk, e.g. from phishing attacks that could lead to identity theft. It should also be noted that modern browsers that are fully patched and run with secure settings will block the frame spoofing attacks, but of course not the cross-site scripting attacks.
These demos expose a serious attitude problem at some major institutions. The issues are ones that regular penetration testing and code review by competent security experts, or even automated attack tools, would expose. That major web sites display such basic errors, with what seems to amount to total contempt for customer security, is nothing short of shocking.
Heisec also notes that some UK banks seem to handle their security more responsibly, e.g. Barclays and the Halifax.
--Ed
Related links:
www.heise-security.co.uk/articles/76590/0