UK online banks 'drag feet over security breach'

 

Gallery

By Steve Malone

Posted on 24 Oct 2006 at 13:00

Four out of seven UK online banks have taken no action to close a security hole in their systems despite being warned of the dangers over a month ago. This has been revealed by a company called heise Security.

Using a technique known as 'frame spoofing', heise Security inserts a fake page underneath a genuine bank page which looks identical to the real page. Any personal data entered on this page will be directed to the criminal's server.

The firm is demonstrating a proof of concept page that will open a window with the correct First Direct URL. The page will display part of the First Direct web page, the rest having been replaced with a page from heise Security. Although First Direct is now apparently making changes to the site to make frame spoofing more difficult.

According to heise Security, other sites that were alerted - including Cahoot and the Bank of Scotland - appear to have made no changes to their sites. The Bank of Ireland has closed the hole by installing script code that detects spoofed frames and redirects to an error page. The Link has also corrected its site by no longer using frames - a surefire way of stopping frame spoofing. The Nat West bank is said to have taken some measures to prevent the fraud.