Sadly, we still see internet banking sites with rookie mistakes in configuration and/or coding. Many are susceptible to XSS and frame-spoofing attacks. According to a study published by the German site Heise Security:
Two major banks (NatWest and UBS) improved the security of their sites since flaws were detailed by Heise last Friday, but other customer-facing e-banking websites remain vulnerable to frame spoofing and other types of security attack.
Last Friday, Heise published a number of demos to show how phishing fraudsters might be able to overlay the websites of NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct, and Link with rogue frames, potentially served from websites controlled by fraudsters. The same type of attack is also possible against the website of the Dedicated Cheque and Plastic Crime Unit, a bank-sponsored police unit.
Having worked for an internet banking site years ago, I’m aware of the pressures that bank staff are under to keep the site “live”, but I’m also very aware of the importance of ensuring the safety and security of the customer data (understatement of the year award).
Since documenting its tests, NatWest has made security improvements that mean its site is no longer easily susceptible to exploitation. The Bank of England has changed its application to filter user input, so the attack demo by Heise now fails to work. UBS has also made security improvements, but portions of its site are still vulnerable to attack, according to Heise.
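To make the fix described above concrete, here is an added example (not code from the post, from Heise, or from any of the banks named) of the difference between reflecting a user-supplied frame target unchanged and filtering it first. It assumes a hypothetical page that takes a `target` query parameter and renders it as the `src` of a named frame; the host names are constructed placeholders. The hardened version validates the target against an allowlist, HTML-escapes it, and also sends the anti-framing response headers (`X-Frame-Options`, CSP `frame-ancestors`) that stop the page itself being overlaid from another site.

```python
"""Added example: filtering user input before it reaches a frame.

Assumptions (not from the original post): a page that accepts a `target`
query parameter and renders it as a frame source. Host names are constructed.
"""
from html import escape
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of hosts this page is permitted to load into its frame.
ALLOWED_FRAME_HOSTS = {"www.example-bank.test"}
# Constructed fixed fallback used when the supplied target is rejected.
DEFAULT_TARGET = "https://www.example-bank.test/home"


def render_frame_vulnerable(query: str) -> str:
    """Reflects the user-supplied target unchanged.

    Any host can be framed (the rogue-frame overlay the post describes) and a
    quote in the value breaks out of the attribute, which is the XSS case.
    """
    target = parse_qs(query).get("target", [""])[0]
    return f'<frame name="content" src="{target}">'


def safe_frame_target(target: str) -> Optional[str]:
    """Return the target only if it is an https URL on an allowlisted host."""
    try:
        parts = urlsplit(target)
    except ValueError:
        # urlsplit rejects some malformed netlocs; treat them as untrusted
        return None
    if parts.scheme != "https" or parts.hostname not in ALLOWED_FRAME_HOSTS:
        return None
    return target


def render_frame_hardened(query: str) -> Tuple[Dict[str, str], str]:
    """Validate, escape, and add headers that forbid framing by other sites.

    Returns (response_headers, html_fragment).
    """
    target = parse_qs(query).get("target", [""])[0]
    safe = safe_frame_target(target) or DEFAULT_TARGET
    headers = {
        # Refuse to be embedded in any other site's frame at all
        "X-Frame-Options": "DENY",
        # Same rule in CSP form, plus restrict what this page may itself frame
        "Content-Security-Policy": (
            "frame-ancestors 'none'; frame-src https://www.example-bank.test"
        ),
    }
    # Attribute-escape even the validated value so a stray quote cannot
    # terminate the attribute.
    return headers, f'<frame name="content" src="{escape(safe, quote=True)}">'


if __name__ == "__main__":
    rogue = "target=https://attacker.test/login"
    print(render_frame_vulnerable(rogue))
    print(render_frame_hardened(rogue)[1])
```

The allowlist is the important part: escaping alone stops the attribute break-out but still lets a fraudster's page be framed, which is exactly the overlay Heise demonstrated.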
Mental note…don’t open an account with…
Tags: Online Banking, Website Vulnerabilities, Online Fraud, Frame Spoof, Heise