Association of Security Consultants

News

'ID theft risk' on bank websites

23/10/06


Three UK banks are failing to prevent the possible theft of online customers' identities, the BBC has reported.

An online security company has warned they have failed to make their banking websites more secure against phishing attacks. In September, Heise Security showed how the sites of six banks could be spoofed so that criminals could steal details of their users' identities.
Cahoot, Bank of Scotland and First Direct say they are fixing the problem.
Spoofing
Heise first revealed the potential problems in September, when it showed that it was possible for a fake or spoofed page to be inserted onto the web sites of six online banks, with no chance of ordinary customers being able to detect that anything was wrong.
"These security issues have been known for years," said Mr Henning.
"They should have been tied up a long time ago."
The flaws could have led to customers typing in their security details, which would then be collected by the fraudsters. Since then the Bank of Ireland has changed its site so this can no longer happen, and so has The Link. NatWest has also taken some steps.
Rob Skinner, spokesman for First Direct - part of the HSBC group - said the bank had been testing its website security rigorously since the problem was first revealed. "We are updating our security this week to address this matter," he said. "There are no cases of anyone actually doing this."
A similar response has come from the other two banks pinpointed by the research, although they argued that the security risk was slight. A Cahoot spokeswoman, Morag Fleming, said: "Cahoot is aware of the theoretical risk of which Heise has reported. We have been working on eliminating any potential risk from spoof framing and will have a permanent fix in place shortly."
Jason Clarke, a spokesman for the Bank of Scotland, said: "We do not believe the issue identified constitutes a significant risk to the vast majority of customers. However, we have taken steps to resolve the matter in the interests of maintaining the highest levels of security." Work on the BoS site should be complete no later than next week, he added.
Last month a report on fraud against online banks claimed that so-called phishing attacks had risen by 800% in the year to August. It said that month there were 1,484 such incidents among UK online bank customers.
The report, published by Apacs, suggested that of the 15.7 million people who regularly operate their current, savings and credit card accounts over the internet, only half a million - nearly 4% - would respond to unsolicited emails asking them to divulge their security details.
But 35% recorded their password or security information in writing or somewhere near their computer. And nearly two thirds never change their password, while one in five use the same password for other websites as well as their online bank accounts.
