Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

What have HSBC, UBS and the Bank of England and others in common? Insecure online banking services

September 28th, 2006

We have mentioned before how customers are forced to take certain risks when doing online banking, such as here:

UBS Warns of New Virus Attack on E-Banking Site

Swiss Bank Posts Clients’ Accounts

We have also pointed out what should be done to improve security for customers, for instance see:

Recommended Reading – The Potential for a Secure Shell (SSH) Worm – Payment – Online Banking – Use Hashing to Eliminate Risk

In fact, most banks refuse to take any liability for any kind of mishap that could happen when doing online banking.
Following our 10 commandments regarding safer online banking is still the mantra to follow, especially in light of what happened this week: security guide: 10 commandments for more secure online banking

But now more vulnerabilities have been revealed regarding online banking in the UK. Because some banks use frames, UK customers using Internet Explorer with its default security settings are vulnerable to frame spoofing attacks. This issue has been known since 1998. Incidentally, the same kind of attack works by (mis)using the site of ‘The Dedicated Cheque and Plastic Crime Unit’, a bank-sponsored police force.

UBS and the Bank of England do not use frames. Unfortunately, in UBS’ case, users are exposed to cross-site scripting attacks. Until three days ago, the bank did not filter user input for critical characters. Hence, a malicious user could craft special URLs that inject HTML or even scripting code into the page displayed on the user’s machine.

UBS and cross-site scripting attacks – more info

Three banks have already reacted and changed their sites. NatWest removed the name of the frame, so that simple attacks no longer work. However, the frame can still be addressed and modified using JavaScript. The Bank of England updated their vulnerable application to filter user input. UBS changed their online banking application twice, but is still not filtering user input sufficiently.
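The two fixes described above (the Bank of England filtering user input, UBS still not filtering it sufficiently) come down to how a value taken from the URL is written back into the page. The following is an added example, not code from this post or from any of the banks named: a hypothetical greeting page that reflects a `name` query parameter, rendered once through a naive filter that only strips a `<script` token and once through full HTML escaping, with a small check that reports any tags in the output that were not part of the template. The parameter name, the page template and the sample input are all constructed for the example.

```javascript
// Added example (not from the post or any bank's code): reflecting a URL
// parameter into HTML with full escaping, beside an inadequate naive filter.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A naive filter of the kind a hurried fix might apply: remove the literal
// token "<script" and nothing else. Kept here to show why it is not enough.
function naiveFilter(value) {
  return String(value).replace(/<script/gi, "");
}

// Render a hypothetical greeting page that reflects the "name" parameter
// from the query string, passing it through the supplied sanitizer first.
function renderGreeting(queryString, sanitize) {
  const params = new URLSearchParams(queryString);
  const name = params.get("name") || "customer";
  return `<html><body><p>Welcome, ${sanitize(name)}</p></body></html>`;
}

// Defender-side check: list every tag in the rendered page that is not one
// of the template's own tags. An empty list means nothing was injected.
function injectedTags(html) {
  const allowed = new Set(["html", "body", "p", "/html", "/body", "/p"]);
  const tags = [...html.matchAll(/<\s*(\/?\s*[a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].replace(/\s+/g, "").toLowerCase());
  return tags.filter((t) => !allowed.has(t));
}

// Constructed sample input: a parameter value that carries markup.
const sampleQuery = "name=" + encodeURIComponent("<b>Ann</b>");

// With the naive filter the bold tags survive into the page; with escaping
// they are rendered as literal text.
console.log(injectedTags(renderGreeting(sampleQuery, naiveFilter)));
console.log(injectedTags(renderGreeting(sampleQuery, escapeHtml)));
```

The check in `injectedTags` is the kind of assertion worth keeping in an application's test suite: it compares the tags actually present in a rendered response against the template's own, so any change that reintroduces unescaped reflection fails the test rather than reaching customers.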

You can find more details and concrete, working demonstrations of the security problems here:
You can’t Bank on Security – Testing of UK bank pages reveals possible vulnerabilities

PS. who are the banks – glad you asked:

a) NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link use frames and are vulnerable to spoofing attacks
b) UBS does not filter user input (cross-site scripting attacks); the Bank of England fixed it on 2006-09-27 by changing their application to filter user input.


Tags: 76590 · application · bank · england · filter · frames · heise · input