John C. Kirk (johnckirk) wrote,
John C. Kirk
johnckirk

Online banking

In part 1 of my LUA series, I mentioned a virus that modified the HOSTS file on a PC. This meant that each time someone tried to connect to their banking website, they actually went to a fake website instead, even though they'd typed in the correct URL. This could also be a problem if your DNS server gets compromised, or if someone reconfigures your wireless router so that you use a rogue DNS server.

One way to protect yourself is to use https. If you know the correct address for the website, and you see a padlock in the address bar, you can be confident that this is the real site. (This isn't an absolute guarantee, e.g. if your PC is infected by a virus then it could add some self-signed certificates to your trusted store. However, it's certainly a step in the right direction.)Unfortunately, lots of banks haven't quite grasped this concept.

The good

PayPal are a shining example of how to do this right. If you go to:
http://www.paypal.com/
then you automatically get redirected to:
https://www.paypal.com/
You can access the secure site directly, and it has a green bar for "Extended Validation" (EV).

HSBC have two versions of their website:
http://www.hsbc.co.uk/
https://www.hsbc.co.uk/
Again, the secure site uses EV.

Halifax have two versions of their website:
http://www.halifax.co.uk/
https://www.halifax.co.uk/
They don't use EV (so the address bar is white rather than green), but I think a standard certificate is good enough for now.

The bad

Alliance & Leicester have two versions of their website:
http://www.alliance-leicester.co.uk/
https://www.alliance-leicester.co.uk/
The secure site uses EV, but I get a warning message because not all of the content is delivered using https. If you choose to just view the secure content, the address bar is green. If you choose to view everything, you don't get a padlock at all.

Lloyds TSB have their main website here:
http://www.lloydstsb.com/
However, changing "http" to "https" doesn't work:
https://www.lloydstsb.com/
I get an error, because the certificate was issued to "secure.lloydstsb.com". Even if I continue anyway, I can't see the site ("page not found"). Similarly, this site doesn't work either:
https://secure.lloydstsb.com/
They do in fact have a secure login site, which is here:
https://online.lloydstsb.co.uk/
It's not obvious, but it's something you could plausibly remember and type in.

Barclays have two versions of their website:
http://www.bank.barclays.co.uk/
https://www.bank.barclays.co.uk/
Like Alliance & Leicester, you get a warning message about the insecure content. Also, this is a slightly odd address for the website. The more obvious addresses would be:
http://www.barclays.co.uk/
https://www.barclays.co.uk/
These both redirect you to the http site. (It would obviously be better for the second one to redirect you to the https site.)

The ugly

Nationwide only offer an insecure site:
http://www.nationwide.co.uk/
The equivalent secure site simply doesn't exist:
https://www.nationwide.co.uk/
They do offer a secure site for online banking, but it's a bit of a cryptic address:
https://olb2.nationet.com/
Frankly, if I saw that in an email then I'd assume it was a phishing site.

The Royal Bank of Scotland offer a normal version of their website:
http://www.rbs.co.uk/
You can also go to the secure version:
https://www.rbs.co.uk/
However, this redirects you back to the insecure version! At this point, I think there's a fine line between stupidity and malice; they're going out of their way to stop people from using a secure connection. As the lolcats would say, "Ur doin it wrong!" The interesting thing is that they will let you use a secure connection when they advertise their security software:
https://www.rbs.co.uk/global/rapport.ashx
They also have a separate site to login to online banking (which uses EV):
https://www.rbsdigital.com/

NatWest are pretty similar to RBS, presumably because they're both part of "The Royal Bank of Scotland Group Plc". Again, they have a normal site:
http://www.natwest.com/
But their secure site just redirects you back to the insecure version:
https://www.natwest.com/
As with RBS, they offer a secure page to plug the Rapport software:
https://www.natwest.com/global/rapport.ashx
I don't know whether that software is any good, but I think they ought to get their own house in order before they ask me to reconfigure my PC. Their login page for online banking is here (using EV):
https://www.nwolb.com/
(Presumably that's an acronym for NatWest OnLine Banking.)

The Co-Operative Bank have a good reputation for high moral standards, and I've considered moving my accounts over to them. Sadly, they're a bit lacking in technical skills. Like RBS and NatWest, they have a normal website, and a secure site that just redirects back to the insecure one:
http://www.co-operativebank.co.uk/
https://www.co-operativebank.co.uk/
They do offer a secure login page, but it's a really clunky address:
https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
With most banks, I've been able to simplify the address by going to the root. In this case, that would be:
https://welcome27.co-operativebank.co.uk/
Unfortunately, that just redirects me back to the insecure version of the main site.

Santander are similar to the Co-Op. They have two versions of their website, but the secure version redirects you to the insecure version:
http://www.santander.co.uk/
https://www.santander.co.uk/
They have a secure login page, but the address is even worse than the Co-Op's:
https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare
So, that earns them the bottom spot on my list.

Looking at the Co-Op and Santander, I'd guess that those URLs are subject to change, i.e. they expect you to get there from the insecure site, not to bookmark them. They may well do some kind of "load balancing", e.g. if they have 27 servers for the Co-Op site then they might redirect you to a different one each time. So, just to reiterate what I said above, if someone can put up a fake version of the main (insecure) site, they could redirect you to a fake login page, and it would be hard to spot the difference.

Edit: I've now set up a fake website to demonstrate what I'm talking about (see comments).
Tags: banks, computers, crypto, security
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 17 comments