NatWest cybercrime vulnerability highlighted

An email security specialist organisation has identified a simple yet important flaw in online banking systems which could be exposing unknowing customers to cyber-orientated threats. Graeme Batsman, director at Atbash, has spotted a vulnerability in the system used by NatWest, highlighting a susceptibility to phishing emails and malware.

The flaw identified in the bank's current email security set up has been found to decrease the possibility of phishing emails being identified and filtered out safely. Batsman comments: "Being a security techy, I spent time pulling software, spoofed emails or viruses apart to see exactly how they work and where the possible flaws can be seen. During early July I was handed a sample of an email from NatWest which slipped past the security system. After inspecting the problem and testing the vulnerability I identified that the problem was a missing SPF record."

He adds: "To put it simply NatWest's email servers are based within the United Kingdom, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked. When an email is sent there is a simple check done in the background to see where the email should come from (in this case UK) and where is actually comes from (in this case New Zealand), If the two do not tie up then email servers will determine the email to be fake and it will be blocked."

Batsman says that, unlike other cyber threats facing large corporations with an obligation to protect customer data, this particular vulnerability in the NatWest system would have cost nothing to address. By integrating an SPF record on the system, the bank would have increased the chance of email spam filters detecting that the email is a fake and as a result offering better protection for their customers.

Whilst NatWest.com does have SPF records set up, the critical domain nwolb.com which is used for online banking login does not. Rivals such as Metro Bank, Barclays, Santander and Lloyds already have SPF records setup for their domains which relate to online banking login paths.

    Share Story:

Recent Stories


New Business Frontiers
FStech’s Mark Evans discusses the future of financial services with Liu Jianning of Huawei, covering the limitations that current thinking can impose, how financial institutions can embrace technology to be both agile and resilient, and making space for the organisation to focus on the job of creating innovative business models and on delivering business value for their customers.

The Future of Intelligent Finance
FStech Group Editor Mark Evans sits down with Jason Cao, President of Global Financial Services Business Unit, Enterprise BG at Huawei ahead of its Intelligent Finance Summit which was held on 3rd and 4th of June in Shanghai. This Q&A delves into key trends in digital transformation of the financial services industry as well as a look at how data, robotic infrastructure, intelligent storage and innovative technologies are shaping the future for FSIs.

Cracking down on fraud
In this webinar a panel of expert speakers explored the ways in which high-volume PSPs and FinTechs are preventing fraud while providing a seamless customer experience.