Study: UK banks make it easy for ID thieves

Online banks are failing to protect customers against phishing attacks, according to research published today.

The study, conducted by information security research and publishing company heise Security, found that many UK banks are vulnerable to attacks using frame spoofing and cross site scripting (XSS).

It found six out of seven online banks were susceptible to such attacks, with four failing to secure their sites, after heise Security informed them of the vulnerabilities on their web pages over a month ago.

Heise Security published the warning online showing how cyber criminals can launch phishing attacks on online customers, because of the lack of precautions used by UK banks on their websites.

The security company tested the banks by inserting a frame spoof into the online banking page and demonstrating how a real hacker could post a page without the user detecting it's a fake.

The security firm claims Cahoot, Bank of Scotland and First Direct have taken no action to improve the security on their sites since it was published.

However, several banks do appear to have taken steps to tighten up procedures on their online banking pages. NatWest has removed the names of the frames, the Bank of Ireland has inserted a script code that can detect spoofed frames and redirects the user to an error page, and the Link has stopped using frames altogether.

According to heise Security, the XSS tests found UBS and the Bank of England to be susceptible; however, the Bank of England has fixed the problem whilst UBS has introduced some measures but remains vulnerable.

Edward Henning, managing editor at heise Security UK said both online customers and banks are responsible for reducing security breaches, but it's in the bank's business interest to do more.

"Financial organisations save money with customers banking online. Therefore it's up to the banks to make them feel secure enough to complete their transactions on the web, but they seem to be slow in doing this," he said.

"A simple solution is to stop using frames. Any site that interacts with the user poses a security threat, so don't use them and adopt scripts that check the frame structure instead. Banks can also structure the website in a way that people can't take advantage of XSS, but these aren't small changes and can take time," he continued.

Nevertheless Henning said software developers need to start building websites with these vulnerabilities in mind: "When these banking websites were developed phishing probably didn't exist. But it's a rapidly growing phenomenon that banks need to start taking seriously."

Last month a report on fraud against online banks claimed that phishing attacks had risen by 800 per cent in the year to August.

Published by APACS, it said that month there were 1,484 such incidents among UK online bank customers.

Sign up to our newsletters