NatWest cybercrime vulnerability highlighted

An email security specialist organisation has identified a simple yet important flaw in online banking systems which could be exposing unknowing customers to cyber-orientated threats. Graeme Batsman, director at Atbash, has spotted a vulnerability in the system used by NatWest, highlighting a susceptibility to phishing emails and malware.

The flaw identified in the bank's current email security set-up reduces the likelihood that phishing emails are identified and filtered out safely. Batsman comments: "Being a security techy, I spent time pulling software, spoofed emails or viruses apart to see exactly how they work and where the possible flaws can be seen. During early July I was handed a sample of an email from NatWest which slipped past the security system. After inspecting the problem and testing the vulnerability I identified that the problem was a missing SPF record."

He adds: "To put it simply, NatWest's email servers are based within the United Kingdom, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked. When an email is sent there is a simple check done in the background to see where the email should come from (in this case UK) and where it actually comes from (in this case New Zealand). If the two do not tie up then email servers will determine the email to be fake and it will be blocked."

Batsman says that, unlike other cyber threats facing large corporations with an obligation to protect customer data, this particular vulnerability in the NatWest system would have cost nothing to address. By integrating an SPF record on the system, the bank would have increased the chance of email spam filters detecting that the email is a fake and as a result offering better protection for their customers.

Whilst NatWest.com does have SPF records set up, the critical domain nwolb.com, which is used for the online banking login, does not. Rivals such as Metro Bank, Barclays, Santander and Lloyds already have SPF records set up for the domains that relate to their online banking login paths.
