NatWest bank says it will enhance the security of its website, following a spat with security experts who spotted a vulnerability.
Several researchers had asked why some banks used encrypted HTTPS connections for online banking, but not on their main customer-facing websites.
When security expert Troy Hunt told NatWest its site “needed fixing”, the bank replied “sorry you feel this way”.
But the bank has now told the BBC it will make improvements within 48 hours.
In a blog post, Mr Hunt suggested attackers could redirect visitors trying to access NatWest’s online banking service, from the official address nwolb.com to something visually similar such as nuuolb.com.
Shortly afterwards, NatWest registered the nuuolb.com web address. But Mr Hunt, who has previously testified before US Congress on matters of cyber-security, said the bank had missed the point.
“We’re seeing ‘Not secure’ next to the address bar,” he said. “I would say that ‘Not secure’ is not what you want to see on your bank.”
A spokesman for RBS, which owns NatWest, told the BBC: “We take the security of our services extremely seriously. While we do not currently enforce HTTPS on some of our websites, we are working towards upgrading this within the next 48 hours.
“Our online banking channel is secured with HTTPS.”
Security researchers found several other major banks did not use HTTPS on their homepages.
First Direct told the BBC: “This functionality is something we’re currently reviewing.”
Lloyds Banking Group said the websites for Lloyds and Halifax did typically use HTTPS, but also “allowed HTTP access” if people typed in the web address manually.
“We are in the final stages of correcting this and expect it to be resolved this week,” a spokesman told the BBC.
Tesco Bank has not responded to the BBC’s request for comment.
What’s the problem?
Online banking websites use HTTPS connections to help keep customer data private.
When a website uses HTTPS (Hyper Text Transfer Protocol Secure), any information sent between your device and the website is encrypted, so it cannot be read if it is intercepted.
However, security researchers found several banks did not use HTTPS on the rest of their websites, including the homepage on which visitors land.
NatWest originally tweeted that it did not use HTTPS on its homepage because it only contained “general information”.
But the researchers suggested that without HTTPS an attacker could theoretically modify elements of a bank’s website. They could send victims to a fake online banking site and steal their information.
“The homepage is insecure so you can’t trust anything on it,” said Mr Hunt.
“This is a banking website. No excuses,” added Stephen Kellett, from security firm Software Verify. “All pages, whether performing transactions, the homepage, the about page, the whole lot, they should all be secure. Why? Because they all launch the login page.”
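As an added illustration (not part of the BBC article or any bank's code), the following offline Python check flags the two weaknesses described above: a homepage served over plain HTTP that is not redirected to HTTPS, and a login link on that page pointing at a non-HTTPS address. The sample responses, the `bank.example` and `nwolb.example` domains and the `LOGIN_HINTS` keyword list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 307, 308}
LOGIN_HINTS = ("login", "logon", "olb")  # assumed heuristic for login URLs

class _TargetCollector(HTMLParser):
    """Collect every <a href> and <form action> on the page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(("a", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))

def audit_homepage(url, status, headers, body):
    """Findings for one homepage response; an empty list means it passes."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(url).scheme
    if scheme == "http":
        # A plain-HTTP request should bounce straight to HTTPS.
        if not (status in REDIRECTS and urlparse(hdrs.get("location", "")).scheme == "https"):
            findings.append("plain-HTTP homepage not redirected to HTTPS")
    elif "strict-transport-security" not in hdrs:
        # HSTS is only honoured on HTTPS responses, so check it there.
        findings.append("HTTPS homepage sets no Strict-Transport-Security header")
    if status == 200:  # only a served page carries links worth inspecting
        collector = _TargetCollector()
        collector.feed(body)
        for tag, target in collector.targets:
            parsed = urlparse(urljoin(url, target))
            where = (parsed.netloc + parsed.path).lower()
            if tag == "form" or any(h in where for h in LOGIN_HINTS):
                if parsed.scheme != "https":
                    findings.append(f"<{tag}> login target is not HTTPS: {parsed.geturl()}")
    return findings

# Constructed sample responses (not captured from any real bank).
WEAK = dict(url="http://bank.example/", status=200, headers={},
            body='<a href="http://nwolb.example/">Log in</a><a href="/about">About</a>')
FIXED = dict(url="http://bank.example/", status=301,
             headers={"Location": "https://bank.example/"}, body="")
SECURE = dict(url="https://bank.example/", status=200,
              headers={"Strict-Transport-Security": "max-age=31536000"},
              body='<a href="https://nwolb.example/">Log in</a>')
```

Calling `audit_homepage(**WEAK)` reports both problems, while the redirecting `FIXED` and the HSTS-protected `SECURE` responses return no findings.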
How credible is the threat?
“There are various ways this can be exploited, to lure the client on to a phishing website,” said Dr Mark Manulis, from the Surrey Centre for Cyber-security.
A phishing page is designed to look like a legitimate website to trick people into handing over personal information.
“It’s possible to spoof the website and create a fake login button. Phishing attacks for a long time have been a major threat and can be quite sophisticated. This makes such attacks easier.”