Major UK Bank Web Sites With Serious Security Flaws

[Juergen Schmidt <ju () heisec de>]

Major UK Bank Web Sites With Serious Security Flaws

Tests conducted by heise Security show that the online
banking web sites of eight major UK Banks are
vulnerable to long known security issues.

NatWest, Cahoot, Bank of Scotland, Bank of Ireland,
First Direct and Link use frames on their web
sites. This means that customers of those banks using
Internet Explorer, in the default configuration, are
vulnerable to frame spoofing attacks. This issue has
been known since 1998.  Incidentally, the same kind of
attack works (mis)using the site of 'The Dedicated
Cheque and Plastic Crime Unit', a bank sponsored police
force.

UBS and the Bank of England are vulnerable to very
simple cross site scripting attacks.

All vulnerabilties could be used by attackers to mount
advanced phishing attacks, using the context of the
original banking site. The user still sees a valid
certificate and the correct address in the address bar.

heise Security has informed all eight banks and has set
up demos that illustrate these problems. Three banks
have already reacted and changed their sites. Nat West
removed the name of the frame, so that simple attacks
no longer work. However the frame can still be
addressed and modified using JavaScript. Bank of
England updated their vulnerable application to filter
user input. UBS changed their online banking
application twice, but is still not filtering user
input sufficiently.

You can find more details and concrete, working
demonstrations of the security problems in the article
"You can't bank on security" on
http://www.heise-security.co.uk/articles/76590

bye, ju

--
Juergen Schmidt
editor-in-chief
heise Security



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/