NatWest cybercrime vulnerability highlighted
Written by Scott Thompson
An email security specialist organisation has identified a simple yet important flaw in online banking systems which could be exposing unknowing customers to cyber-orientated threats. Graeme Batsman, director at Atbash, has spotted a vulnerability in the system used by NatWest, highlighting a susceptibility to phishing emails and malware.
The flaw identified in the bank's current email security set up has been found to decrease the possibility of phishing emails being identified and filtered out safely. Batsman comments: "Being a security techy, I spent time pulling software, spoofed emails or viruses apart to see exactly how they work and where the possible flaws can be seen. During early July I was handed a sample of an email from NatWest which slipped past the security system. After inspecting the problem and testing the vulnerability I identified that the problem was a missing SPF record."
He adds: "To put it simply NatWest's email servers are based within the United Kingdom, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked. When an email is sent there is a simple check done in the background to see where the email should come from (in this case UK) and where is actually comes from (in this case New Zealand), If the two do not tie up then email servers will determine the email to be fake and it will be blocked."
Batsman says that, unlike other cyber threats facing large corporations with an obligation to protect customer data, this particular vulnerability in the NatWest system would have cost nothing to address. By integrating an SPF record on the system, the bank would have increased the chance of email spam filters detecting that the email is a fake and as a result offering better protection for their customers.
Whilst NatWest.com does have SPF records set up, the critical domain nwolb.com which is used for online banking login does not. Rivals such as Metro Bank, Barclays, Santander and Lloyds already have SPF records setup for their domains which relate to online banking login paths.