
Study slams e-banking security in Britain

  • 02-10-2006 4:04am
    #1
    Closed Accounts Posts: 36,634 ✭✭✭✭


    This is related to Irish banks as well and might be of some interest to some of ye. From The Register.
    IE 6 shows security holes, surprise, surprise. :)
    Several major British bank websites are subject to security flaws making it easier for phishing fraudsters to craft convincing scams, according to a study by Heise Security, an arm of the German firm behind c't magazine and IT portal Heise Online.

    Two major banks (NatWest and UBS) improved the security of their sites since flaws were detailed by Heise last Friday, but other customer-facing e-banking websites remain vulnerable to frame-spoofing and other types of security attack.

    Last Friday, Heise published a number of demos to show how phishing fraudsters might be able to overlay the websites of NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct, and Link with rogue frames, potentially served from websites controlled by fraudsters. The same type of attack is also possible against the website of the Dedicated Cheque and Plastic Crime Unit, a bank-sponsored police unit.

    Heise demoed these attacks using default IE6 installs not fitted with security patches, a foolhardy configuration that leaves the door open to all sorts of mischief.
    Separately, cross site scripting attacks against the websites of UBS and the Bank of England's site were also demonstrated. Frame spoofing attacks can be thwarted providing users are using up to date browser software, but the cross-site scripting attacks it demonstrated can't be addressed by client-side security updates, according to Heise. Both types of attacks require a modicum of skill to carry out, but are far from difficult.

    A number of high street banks -- including HSBC, Barclays and the Halifax -- were not vulnerable to Heise Security's tests. HSBC, for example, uses JavaScript code to check the integrity of the frameset, an approach that thwarts frame spoofing even if a surfer is using out-of-date browser software.
    Heise is calling on other British banks to improve the security of their services. Since documenting its tests, Nat West has made security improvements that mean its site is no longer easily susceptible to exploitation. The Bank of England has changed its application to filter user input, so the attack demo by Heise now fails to work. UBS has also made security improvements, but portions of its site are still vulnerable to attack, according to Heise.
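
The article above says one bank uses JavaScript to check the integrity of its frameset. The sketch below is an added example, not part of the original post and not HSBC's or Heise's code: a parent page audits each child frame against the frames it intended to load. The function name `checkFrameset`, the frame names, paths and the `bank.example` origin are all assumptions, and the window object is a constructed mock so the check runs outside a browser.

```javascript
// Frameset integrity check (added example; names and policy are assumptions).
// `expected` maps each frame name to the path prefix the parent intends to load.
function checkFrameset(win, expectedOrigin, expected) {
  const problems = [];
  const seen = new Set();
  for (let i = 0; i < win.frames.length; i++) {
    let name, url;
    try {
      // In a browser, reading these on a cross-origin frame throws a
      // SecurityError; an unreadable frame is treated as a failure.
      name = win.frames[i].name;
      url = new URL(win.frames[i].location.href);
    } catch (e) {
      problems.push({ frame: i, reason: "unreadable" });
      continue;
    }
    seen.add(name);
    if (!Object.prototype.hasOwnProperty.call(expected, name)) {
      problems.push({ frame: name, reason: "unexpected frame" });
    } else if (url.origin !== expectedOrigin) {
      // Also catches readable non-site URLs such as about:blank.
      problems.push({ frame: name, reason: "foreign origin" });
    } else if (!url.pathname.startsWith(expected[name])) {
      problems.push({ frame: name, reason: "unexpected path" });
    }
  }
  // A frame that was removed or renamed is also an integrity failure.
  for (const name of Object.keys(expected)) {
    if (!seen.has(name)) problems.push({ frame: name, reason: "missing frame" });
  }
  return problems;
}

// Constructed sample input: a mock window with one intact frame, one frame
// pointing at another origin, and one frame whose properties cannot be read.
const sampleExpected = { nav: "/nav", main: "/accounts/" };
const sampleWindow = { frames: [
  { name: "nav", location: { href: "https://bank.example/nav.html" } },
  { name: "main", location: { href: "https://phish.example/login.html" } },
  { get name() { throw new Error("SecurityError"); } },
] };

console.log(checkFrameset(sampleWindow, "https://bank.example", sampleExpected));
```

A page using a check like this would reload its own frameset or refuse to show the login form when the returned list is non-empty.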


Comments

  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    Ruu wrote:
    Heise demoed these attacks using default IE6 installs not fitted with security patches, a foolhardy configuration that leaves the door open to all sorts of mischief.

    Meh...


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Heise demoed these attacks using default IE6 installs not fitted with security patches, a foolhardy configuration that leaves the door open to all sorts of mischief.

    are these attacks not browser specific?? as in affecting.. (IE6 installs not fitted with security patches) :rolleyes:
    Several major British bank websites are subject to security flaws making it easier for phishing fraudsters to craft convincing scams, according to a study by Heise Security, an arm of the German firm behind c't magazine and IT portal Heise Online.

    seems like just another pr stunt to plug their own agenda...

    "oh, hey..look what we found wrong with these major banks *whisper*using IE6 without patches...sshh*whisper*..buy our magazine! we'll keep you informed about your money!! your security!!...give us your money!" :p

