NATWEST BANK HAS confirmed that it will bring in new security procedures after a warning from a researcher was greeted with a canned customer service response.
Troy Hunt had warned Natwest that its homepage was served over plain HTTP rather than HTTPS, so anyone sitting on the network path between a customer and the bank could read or alter the page in transit, even though the rest of the site is properly encrypted.
Hunt points out that an attacker who can tamper with the unencrypted page could therefore rewrite its links and quietly send people landing on it to phishing versions of the mobile banking part of the site.
But when he pointed out to Natwest that encrypting the online banking pages alone wasn't enough, he was told "I'm sorry you feel this way", a statement so cardboard that it conveys less empathy, not more.
You're missing the point: when people want to log on they go to your homepage. The homepage is insecure so you can't trust anything on it. The link to the login page is on it. You can't trust the link to the login page. Make sense?
— Troy Hunt (@troyhunt) December 12, 2017
The bank has since apologised and confirmed that it will switch to HTTPS across the whole site within 48 hours.
Security researchers have also spotted other banks with the same issue. First Direct is currently working on adding encryption, though HSBC UK already has it. Lloyds and TSB have it by default, but it can be overridden by typing "http://" into the address bar: the plain-HTTP version of the site still answers instead of redirecting to HTTPS, which is exactly what an HTTP-to-HTTPS redirect plus an HTTP Strict Transport Security (HSTS) header is meant to prevent, since a browser that has seen HSTS from a site will not make the plain-HTTP request at all.
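The two checks described above, the homepage-link problem Hunt raised and the "type http:// and it still works" problem seen at Lloyds and TSB, can be scripted. The following is an added example written for this page; it is not code from the Inquirer, from Troy Hunt or from any of the banks named. It works offline on raw HTTP responses that are constructed here (the hostname bank.example and the page contents are made up), so it can be run against a captured response from curl without touching a live site. It checks whether the plain-HTTP homepage redirects straight to HTTPS, whether the HTTPS response carries a long-lived HSTS policy, and whether any login-looking link on either page resolves to a plain http:// URL that a man in the middle could rewrite.

```python
"""Offline audit of a bank homepage for the weaknesses discussed in the article.

Added example, not the article's or any bank's code. Hostnames, page bodies and
the LOGIN_WORDS list are constructed for the demo.
"""
import re
from urllib.parse import urljoin, urlparse

# Substrings that mark a link as a login / banking entry point (assumed list).
LOGIN_WORDS = ("login", "log-in", "logon", "signin", "sign-in", "banking")

# One year is the conventional minimum HSTS max-age (and what the preload list requires).
MIN_HSTS_SECONDS = 31536000


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def redirects_to_https(request_url: str, status: int, headers: dict) -> bool:
    """True only if the plain-HTTP request is answered with a redirect to an https:// URL."""
    if status not in (301, 302, 307, 308):
        return False
    target = urljoin(request_url, headers.get("location", ""))
    return urlparse(target).scheme == "https"


def hsts_max_age(headers: dict) -> int:
    """max-age from Strict-Transport-Security, or 0 when the header is absent or malformed."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', headers.get("strict-transport-security", ""), re.I)
    return int(m.group(1)) if m else 0


def http_login_links(page_url: str, body: str) -> list:
    """Every login-looking href on the page that resolves to a plain http:// URL."""
    found = []
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, re.IGNORECASE):
        target = urljoin(page_url, href)  # relative links inherit the page's scheme
        if urlparse(target).scheme == "http" and any(w in target.lower() for w in LOGIN_WORDS):
            found.append(target)
    return found


def audit(host: str, http_raw: bytes, https_raw: bytes) -> dict:
    """Combine the three checks for one host; http_raw/https_raw are the raw responses
    to GET / over plain HTTP and over HTTPS respectively."""
    http_url, https_url = f"http://{host}/", f"https://{host}/"
    status, http_headers, http_body = parse_response(http_raw)
    _, https_headers, https_body = parse_response(https_raw)
    result = {
        "http_redirects_to_https": redirects_to_https(http_url, status, http_headers),
        # Browsers ignore HSTS received over plain HTTP, so it is read from the TLS response.
        "hsts_max_age": hsts_max_age(https_headers),
        "http_login_links": http_login_links(http_url, http_body)
        + http_login_links(https_url, https_body),
    }
    result["ok"] = (
        result["http_redirects_to_https"]
        and result["hsts_max_age"] >= MIN_HSTS_SECONDS
        and not result["http_login_links"]
    )
    return result


# Constructed responses. WEAK_* mirrors the NatWest situation: the homepage is served
# over plain HTTP and carries the login link, and the HTTPS site sets no HSTS policy.
WEAK_HTTP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<html><a href="/personal/online-banking/login">Log in</a></html>')
WEAK_HTTPS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b'<html><a href="/personal/online-banking/login">Log in</a></html>')

# GOOD_* is the hardened configuration: plain HTTP only ever redirects, HTTPS sets HSTS.
GOOD_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://bank.example/\r\nContent-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b'<html><a href="/personal/online-banking/login">Log in</a></html>')

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, audit("bank.example", *pair))
```

Run against a real host, the two inputs would be the raw output of `curl -si http://host/` and `curl -si https://host/`. The weak case reports no redirect, a zero HSTS max-age and one plain-HTTP login link; the hardened case passes all three. Note that a redirect alone still leaves first-time visitors exposed for one request, which is why the HSTS check is part of the verdict.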
Although Natwest does not, parent bank RBS does have HTTPS switched on.
Nationwide and Barclays, of the ones we tested, were most definitely armed to the hilt.
The key is to look for the padlock in the browser's address bar, which means the connection to that page is encrypted and the certificate checks out; a padlock that is red or crossed out is a warning that the certificate could not be verified, and a plain-HTTP page shows no padlock at all and, in recent versions of Chrome, is labelled "Not secure". Bear in mind that the padlock says nothing about who is behind the site: a phishing page can carry a perfectly valid padlock of its own, so check the address as well.
Google is already actively discouraging unencrypted sites, and has used HTTPS as a ranking signal in its search results since 2014.
Source: Inquirer