Research revealed yesterday claims that four online banks have failed to secure their sites, despite warnings a month ago from security company Heise Security of serious security issues.
Last month the company told UK banking sites they were taking insufficient steps to protect customers from phishing scams, demonstrating how easily the sites could be used by scammers.
Heise inserted a fake page on to several online banks’ websites, and claimed users would have almost no chance of detecting the spoof. The security firm said the test still worked on the Cahoot, Bank of Scotland and First Direct websites this morning. NatWest has taken some steps to plug the hole, while the Bank of Ireland had fixed its site by including script code that detects spoofed frames and redirects to an error page.
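A sketch of the kind of frame check described above, as an added example rather than the Bank of Ireland's own script, which the article does not show. The hostnames, the error-page URL and the function names are hypothetical.

```javascript
// Added illustration, not any bank's code. Hostnames and the error URL are hypothetical.
const TRUSTED_HOSTS = new Set(["bank.example", "secure.bank.example"]);
const ERROR_PAGE = "https://bank.example/frame-error.html";

// Hostname a window is showing, or null when it cannot be read.
// Browsers throw on cross-origin reads of location, so an unreadable
// window is treated as foreign content.
function windowHost(win) {
  try {
    return String(win.location.hostname).toLowerCase();
  } catch (e) {
    return null;
  }
}

// Check the top window and every frame in the frameset against the allowlist.
function findSpoofedFrames(topWindow, trusted = TRUSTED_HOSTS) {
  const suspects = [];
  const topHost = windowHost(topWindow);
  if (topHost === null || !trusted.has(topHost)) {
    suspects.push({ index: "top", host: topHost });
  }
  for (let i = 0; i < topWindow.frames.length; i++) {
    const host = windowHost(topWindow.frames[i]);
    if (host === null || !trusted.has(host)) {
      suspects.push({ index: i, host });
    }
  }
  return suspects;
}

// Replace the whole frameset with the error page if anything is foreign.
function enforceFrameIntegrity(topWindow, errorPage = ERROR_PAGE) {
  if (findSpoofedFrames(topWindow).length === 0) return true;
  topWindow.location.href = errorPage;
  return false;
}

// Browser only: a frame can be swapped after load, so re-check periodically.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const check = () => enforceFrameIntegrity(window.top);
  window.addEventListener("load", check);
  setInterval(check, 1000);
}
```

A check like this runs only while a genuine page carrying the script is still loaded somewhere in the frameset.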
The security firm said banks should do more to protect their customers, quoting recent research from the Association of Payment Clearing Services (Apacs) warning that users were still unaware of basic security measures when banking online.
Apacs, a trade association for the UK payments market, also reported that the number of phishing attacks has surged by 800% over the past year.
"It is a pity that the report does not also ask if the banks themselves are aware of the most basic security measures that could make their customers safer when online," said Heise. "Perhaps the banking industry should set its own house properly and promptly in order before blaming its customers."
It also said that no longer using frames was the one infallible way of avoiding an attack using frame spoofing, which had been deployed by mobile retailer The Link.
The results of Heise’s security research are available on its website.