When we think of a bank, we might imagine a large stone building with high pillars, thick walls, and an underground vault secured with a giant metal door and a set of laser beams connected to an alarm system. From their origins as the guardians of gold, banks have had security as part of their foundations – both literally and metaphorically – for centuries.
But in the age of the internet, security is not about being large and immovable, it’s about being nimble and fast-moving to stay up-to-date with the latest tools, practices, hacks and defences. Therefore, I wanted to take a look at how the major UK banks are doing in this fast-moving game and what is just around the corner.
As the original pioneers of security, and holders of all our money, we expect banks to lead the way in digital defences. However, in recent times they’ve not only lagged behind, in some cases have actually argued in defence of their outdated practices.
Most of us know that for a website to be secure, the address needs to start with HTTPS rather than HTTP, as indicated by the green padlock. But a common myth is the belief that this only matters when you do something sensitive, such as submit your password or view a page showing your private account information. In fact, the secure connection does more than just keep our data secure; it also ensures the information passed back and forth between the website and our browser can’t be tampered with.
This is important, because although the home page of a bank’s website might seem quite mundane, serving that page insecurely means someone can potentially tamper with it to replace the link to the login page with a link to a bogus login page which looks genuine but actually just steals your password from you. An attacker could also modify the home page to change the phone number to the number of their own imitation “call centre” or play other tricks on the customers.
But despite this fact – which should be common knowledge among anyone employed in the tech department of a bank – many UK banks had to be publicly shamed before they put their home pages on a secure connection. Even before that happened I contacted several UK banks about this topic back in 2015. Those that responded tried to defend their position, and I was met with the responses, “thanks for your concerns. This [HTTPS] is already available on the part of our website where members need to enter their personal details.” And, “all of the secure parts of our website use HTTPS”. Statements which were technically true but, rather missed the point.
It wasn’t until a security expert at Microsoft prompted the BBC to get involved in December that we got the full fleet of major UK banks to step into line on this painfully basic security measure.
Present and correct?
So, letting the past go, how do things look now? Well, as the Internet has evolved, so have the standard security practices. At Potato we have a checklist of these for when we launch a site, so let’s take a look at how Barclays, Co-op, HSBC, Lloyds, Nationwide, NatWest and TSB are currently getting on with their web security.
Firstly, HSBC’s global website, www.hsbc.com, is still not on HTTPS. There’s a small possibility that this is to allow access to it from China, which sometimes blocks secure connections. But given that they’ve got a separate website for China (hsbc.com.cn), it seems unlikely.
Pleased to (securely) meet you
When you type a domain name into your web browser, your browser will usually try to connect via plain old (insecure) HTTP first. The website then has to respond telling your browser to switch to a secure connection. This creates the problem that this initial response from the website can still be interfered with. But as usual, there’s a solution.
A piece of Internet innovation allows websites to declare to the world that they only accept secure connections. This means that no matter what the user types or what link they follow to get to the site, the browser knows that this website means business, and goes straight to a secure connection. In addition, both Firefox and Chrome maintain a list of sites which want to enforce this, so that users are protected even if their browser is visiting the site for the first time. Sites can subscribe themselves for free by just filling in this form.
This has been supported by Chrome since January 2010, and by Firefox since November 2012. Five years later, how many of our banks are fully on board?
In their defence, both Lloyds and NatWest use this security declaration on the online banking sections of their sites, but on their main websites it’s not used. And as I mentioned earlier, leaving security until the login stage isn’t really sufficient.
Barclays and TSB do best on this measure, with their whole sites making the security declaration. But they haven’t submitted their sites to Chrome and Firefox’s list, so when users make their first visit they won’t be protected.
The Co-op, HSBC, and Nationwide seem yet to catch on at all.
Are any of the banks implementing any modern security tricks that deserve a mention? Nationwide are moving slightly ahead of the pack with their use of a Content Security Policy. This is where the site declares a list of trusted sources where images, scripts and other resources in the page are allowed to be loaded from, so in the event of an attacker managing to inject something malicious into the page it acts as a fall-back mechanism to try to catch the rogue item. However, even though Nationwide have got this set up, their declared policy is so lax that it actually offers very little protection against most attacks.
One other interesting finding is that the NatWest website appears to be running on Microsoft Windows Server 2003 (IIS 6.0), which officially ceased to be supported by Microsoft in July 2015. And last year a severe security vulnerability was found in it. We can only hope that either they’re paying Microsoft to provide them with continued security patches, or that they’re not really using this software at all and that the server is incorrectly identifying itself to play a fun trick on would-be hackers.
Are you sure you want to Log Out?
There are many aspects of an online banking system which unconditionally need to work correctly, and one of them is the “Log Out” button. While all of the sites I have looked at allow you to log out, some of them have slightly strange ways of doing it. You would think, and hope, that once you’ve hit the “Log Out” button, you’re done. But on the Co-op and Nationwide sites, clicking the button actually gives you a confirmation dialogue, which then requires a further click before you’re actually logged out. My Internet banking is one site where I definitely don’t want to remain logged in by accident. And yet this confirmation step seems to be a trend which is only common among online banking sites. Try logging out of your Google or Facebook account, it’s instant.
Until very recently, Lloyds were taking this one step further. When you clicked “Log Out”, you were taken to a new page, which looked like you were logged out, with the most prominent thing on the page was a big advert for a credit card. But actually, for the next 30 seconds you could still use the menu at the top of the page to get back in again. There was a little countdown displayed during the 30 seconds, with a “Continue” button. But that button didn’t let you continue, it was the button to actually log out. Fortunately, this design has now been changed. This example demonstrates that security isn’t always about the technical details, sometimes it’s the interface which is the flaw.
With more and more users performing more of their daily tasks from their phone, security can’t be mentioned without looking at banks’ mobile apps. And here, I was pleasantly surprised. It seems that being able to create a new application, slightly separated from their existing systems has allowed the banks to embrace more modern technologies and best practices.
A quick analysis of the mobile apps reveals that under the hood they’re all, without exception, communicating back to the bank over a secure connection. The only one letting the team down slightly here is HSBC, which is sending what looks like a piece of tracking data insecurely. But overall, things are looking good.
Several of the mobile apps also integrate with Android’s fingerprint scanner, or TouchID and FaceID on iPhone, allowing the user to add an extra layer of biometric security, even the ones that don’t have this integration use an additional passcode to lock the app.
But to see the real benchmark for mobile banking apps, we really need to take a look at the newest player on the scene, Monzo.
Founded in 2015, Monzo is the latest entrant to the UK banking scene, and they’ve been making a name for themselves ever since they landed. Firstly, they don’t provide web-based online banking, it’s mobile only, which is partly why they’ve been left out of our discussion so far. But what really sets them apart is not how well they do in the checklist of basic security measures, it’s the new ideas that they’ve brought to the table.
>See also: Could open banking provide a boost to the UK
Until I signed up to Monzo, I always assumed a credit or debit card transaction had to go through some complex system of checks and balances (probably being printed onto parchment, literally rubber stamped, posted second class to my bank and then listed on my statement). Then I got my Monzo card and discovered they could tell me about the transaction in less than four seconds, including its location and whether or not it was declined. This seems like a smart gimmick at first, but actually, it can improve security in several ways. The first is that when a cashier or waiter appears to take your payment and then declares that it didn’t work, and they need to try again, you know instantly if that’s actually true.
Other features that help security include a map with each transaction showing you where it took place, and the ability to block contactless transactions if the card is a suspiciously long distance from the location of your phone. It also lets you freeze (and unfreeze) your card at the touch of a button, so when you’re not sure whether you left your card in the pub or whether it’s down the back of the sofa, you can just freeze it temporarily. Whereas most banks only give you the option to cancel it and wait three days for a new one to turn up, meaning most people actually spend several days looking for it before they report it as missing. These convenient features aren’t just appealing to customers, they actually help Monzo to protect itself against the costs of fraud.
But that’s just the beginning. When you sign up for a Monzo account, you identify yourself by scanning your passport or driving licence and then taking a selfie video in which, you say the words on the screen in order to prove that it’s you. Exactly what mechanism they’re using behind the scenes to verify the video is unclear, but what’s definitely clear is it’s helping Monzo to cut out a significant piece of expenditure: physical branches. Monzo may be spending money on machine learning and cutting-edge technology, but by being able to identify people from a selfie video, they avoid the need for expensive high street properties, or having to post your last three months of gas bills back to you as part of the verification process.
The large stone buildings which once gave banks their security, are now the very things holding them back.
Breaking it open
If that isn’t enough to scare the existing banks into upping their game, then there’s something else which should, Opening Banking, kick-started by the EU directive we all know: PSD2. This new law means that banks must allow third parties to be able to hook into their banking systems to provide bolt-on products and services. We’ve probably all used a website or app which hooks into our Facebook account, where we’re asked to it grant permission to view our Facebook profile, see our list of friends and likes, or post to our timeline. The same concept is coming to banking, but we’ll be able to grant access for third party applications to view our account balance, see our transaction history, or initiate payments on our behalf.
That might sound slightly terrifying at first but imagine having an app that looks at your current account and intelligently moves an appropriate amount of money over to your ISA each month based on your balance, or an app that doesn’t just give you low balance alerts but knows when your rent payment goes out and factors that into a projected balance trajectory that tells you when you’re overspending before your balance becomes low.
>See also: What makes a great digital bank?
And to make it even easier for the newcomers, the Open Banking specification will standardise the mechanics of how the third-party apps are integrated. So, a new app only has to be built once, and it can integrate with all the major UK bank accounts.
Making banking secure
Banks are now facing a double threat: the ever-changing challenge of keeping digital systems secure, and the incoming competition of new innovative retail banking apps. If they want to maintain their customers’ trust then they must keep their systems secure, but if they want to maintain their customers’ loyalty then they must rapidly evolve their systems to be new, innovative and compelling. Doing these things together isn’t as contradictory as it might seem, but they will only achieve it if they take the right approach to their development process, from concept to maintenance.
The bank heist is coming, and the incumbents need to move fast if they don’t want the invaders to walk away with the money.
Sourced by Adam Alton, Senior Developer, Potato