Natwest changes website security following heated exchange with cyber experts

The bank's website wasn't served over an encrypted connection

Natwest bank

Natwest bank has said it will update the security of its website following a heated online exchange with a number of security experts who spotted the vulnerability.

Liam Blizzard, a web developer, noticed that Natwest's customer-facing homepage was served over plain HTTP rather than HTTPS; security researchers Troy Hunt and Stephen Kellett then pointed out that this meant the login link on that page could not be trusted.

"The homepage is insecure so you can't trust anything on it. The link to the login page is on it. You can't trust the link to the login page. Make sense?" said Hunt.

Natwest responded with a curt tweet telling Hunt "sorry you feel this way" which in turn prompted Hunt to state that the bank was "fundamentally misunderstanding the technology".

Hunt explained in a blog post that because the site is served over HTTP, the connection is neither encrypted nor authenticated: anyone on the network path between a customer and the site can read and modify the data flowing in either direction, and can redirect requests to other locations.

Hunt was also frustrated that, although the online banking service (linked from but separate from Natwest's main site) was itself served over HTTPS, that did not help on its own: an attacker intercepting a customer's unencrypted connection to the homepage could rewrite the login link, sending visitors who tried to reach online banking via the homepage not to its official address nwolb.com but to a similar-looking domain such as nuuolb.com.


After publishing the initial blog post, Hunt revealed: "NatWest went and registered that domain in what I assume is an attempt to stop a man in the middle intercepting their traffic and making a visually trivial change to a URL. Alarmingly though, nw0lb.com is still available as is nuu0lb.com and it-doesnt-matter-because-that-isnt-the-point.com."

A spokesperson for Natwest told IT Pro: "We have now fixed the issue which was affecting some of our customer facing websites. It has now been fixed -- see blog below" and linked to Hunt's blog post.

The bank later added: "Our websites now enforce the HTTPS protocol so that customers visiting the website via either http:// or https:// will be sent to the protected site."
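As an added example (not code from this article, from Hunt's blog or from NatWest), the following Python script checks the kind of fix the bank describes and demonstrates the link rewrite Hunt warns about. The homepage host bank.example and every HTTP response in it are constructed; only the login host nwolb.com and the lookalike nuuolb.com come from the article. It also carries the caveat a practitioner would raise about "sending http:// visitors to the protected site": a redirect alone still means every fresh visit begins with a plain request that an on-path attacker can answer, so the HTTPS response should additionally send a Strict-Transport-Security header, and the HSTS header on the HTTP response itself is ignored by browsers.

```python
"""Check that a site enforces HTTPS, and show why a plain-HTTP homepage cannot
be trusted. Added example for this article, not code from IT Pro, NatWest or
Troy Hunt's blog; 'bank.example' and every response below are constructed."""
import http.client
from urllib.parse import urlsplit


def parse_response(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x response into {'status', 'headers', 'body'}.
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            out["max_age"] = int(d[len("max-age="):].strip('"'))
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def assess(host: str, http_resp: dict, https_resp: dict) -> dict:
    """Grade HTTPS enforcement from the responses to http://host/ and https://host/.
    'none': http:// serves content (the state the article describes).
    'redirect-only': http:// redirects to https://, but without HSTS every fresh
        visit still begins with a plain request an attacker can answer.
    'hsts': the https:// response sends Strict-Transport-Security, so browsers
        that have seen it skip the plain request for max-age seconds.
    'hsts-preload': a year-long max-age, includeSubDomains and preload, which is
        what the browser preload list asks for before first visits are covered."""
    loc = urlsplit(http_resp["headers"].get("location", ""))
    redirects = (300 <= http_resp["status"] < 400
                 and loc.scheme == "https" and loc.hostname == host)
    # RFC 6797 s7.2: an STS header received over plain HTTP must be ignored,
    # so only the header on the https:// response counts.
    raw_hsts = https_resp["headers"].get("strict-transport-security")
    hsts = parse_hsts(raw_hsts) if raw_hsts else None
    if not redirects:
        level = "none"
    elif hsts is None or not hsts["max_age"]:
        level = "redirect-only"
    elif hsts["include_subdomains"] and hsts["preload"] and hsts["max_age"] >= 31536000:
        level = "hsts-preload"
    else:
        level = "hsts"
    return {"level": level, "redirects_to_https": redirects, "hsts": hsts}


def on_path_rewrite(http_resp: dict, genuine: str, lookalike: str) -> dict:
    """What someone between the customer and an HTTP homepage can do: hand back
    the same page with the login link pointed at a lookalike host. With no TLS
    there is no integrity check, so the browser has no way to notice."""
    body = http_resp["body"].replace(genuine.encode(), lookalike.encode())
    return {**http_resp, "body": body}


def fetch(host: str, scheme: str, timeout: float = 10.0) -> dict:
    """Live check: fetch scheme://host/ without following redirects, returned in
    the same shape as parse_response(). Not used by the offline samples below."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "https-check/1"})
    resp = conn.getresponse()
    out = {"status": resp.status,
           "headers": {k.lower(): v for k, v in resp.getheaders()},
           "body": resp.read()}
    conn.close()
    return out


# Constructed sample traffic for bank.example (a placeholder, not NatWest's real
# site); the login host nwolb.com and the lookalike nuuolb.com are from the article.
LOGIN_LINK = b'<a href="https://www.nwolb.com/">Log in to online banking</a>'
BEFORE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + LOGIN_LINK
BEFORE_HTTPS = BEFORE_HTTP  # https://bank.example/ answered too, but sent no HSTS
AFTER_HTTP = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://bank.example/\r\n\r\n"
AFTER_HTTPS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
               b"\r\n\r\n" + LOGIN_LINK)

if __name__ == "__main__":
    for label, http_raw, https_raw in (("before", BEFORE_HTTP, BEFORE_HTTPS),
                                       ("after", AFTER_HTTP, AFTER_HTTPS)):
        print(label, assess("bank.example", parse_response(http_raw), parse_response(https_raw)))
    tampered = on_path_rewrite(parse_response(BEFORE_HTTP), "nwolb.com", "nuuolb.com")
    print("rewritten by an on-path attacker:", tampered["body"].decode())
```

To run it against a real site, feed `assess(host, fetch(host, "http"), fetch(host, "https"))`; the offline samples grade the constructed "before" state as `none` and the constructed "after" state as `hsts-preload`, while a redirect with no HSTS header on the HTTPS side grades only as `redirect-only`.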

Hunt did praise NatWest's rapid response, but the episode still highlights how even some of the largest companies do not always have the processes and oversight in place to keep their security up to date and resilient to cyber attacks and opportunistic hackers.


Image source: Shutterstock
