NatWest upgrading their main website to HTTPS

The BBC website are reporting that NatWest are upgrading their main website to HTTPS.

It is good that they are reacting to concerns over this but I am not sure that it will stop dedicated spammers and fraudsters continuing to fool less savvy members of the public.

http://www.bbc.co.uk/news/technology-42353478

Comments

  • agrinnall
    agrinnall Posts: 23,344 Forumite
    I read that earlier and checked the provider of my own main account, Nationwide, to confirm that their website is HTTPS, which I was glad to find it is. I haven't yet looked at all the others where I have accounts, and even if I do find any that aren't secure I doubt if it will stop me using them, but it might be useful to know.
  • RG2015
    RG2015 Posts: 5,905 Forumite
    First Direct is not https but the whole FD online package is so clunky I couldn't imagine anyone being able to clone it.
  • Vortigern
    Vortigern Posts: 3,243 Forumite
    RG2015 wrote: »
    First Direct is not https but the whole FD online package is so clunky I couldn't imagine anyone being able to clone it.
    It is https as soon as you access the log in to Internet Banking screen.

    It does everything I need it to do, although with a redesign they could eliminate a few mouse clicks. Its detractors usually claim that it could be cloned by a 10-year-old.
  • 18cc
    18cc Posts: 2,120 Forumite
    Probably everyone knows this but... HTTPS simply means the connection is secure (encrypted). It says nothing about the website being secure / the correct one etc. It is possible to be HTTPS securely connected to a fake website.
  • cjmillsnun
    18cc wrote: »
    Probably everyone knows this but... HTTPS simply means the connection is secure (encrypted). It says nothing about the website being secure / the correct one etc. It is possible to be HTTPS securely connected to a fake website.

    It’s possible but unlikely as most big organisations will use EV SSL otherwise known as green bar.
    2.88 kWp System, SE Facing, 30 Degree Pitch, 12 x 240W Conergy Panels, Samil Solar River Inverter, Havant, Hampshire. Installed July 2012, acquired by me on purchase of house in August 2017
  • Fryy
    Fryy Posts: 55 Forumite
    edited 15 December 2017 at 5:15PM
    cjmillsnun wrote: »
    It’s possible but unlikely as most big organisations will use EV SSL otherwise known as green bar.
    Vortigern wrote: »
    It is https as soon as you access the log in to Internet Banking screen.

    It does everything I need it to do, although with a redesign they could eliminate a few mouse clicks. Its detractors usually claim that it could be cloned by a 10-year-old.
    RG2015 wrote: »
    First Direct is not https but the whole FD online package is so clunky I couldn't imagine anyone being able to clone it.

    A lot of comments on this thread are wrong.

    The attack that sparked this news story and the subsequent action from NatWest was that most of the NatWest website did not have secure HTTPS, while the login page did. The point is that when you're on the insecure part of the NatWest website and click on the "login" button, your request to access the login portion of the website is unencrypted, so a malicious party could redirect your request to a website that looks identical to NatWest, which also has a "secure" connection to it, but it is not NatWest. It literally costs £0 to get a certificate to get HTTPS and thus the green bar.

    It is not difficult to make a login page identical to NatWest or First Direct and get a certificate for it to make the connection encrypted.

    I have to say, I find it really bizarre that some people comment about the security of NatWest or First Direct despite clearly not knowing what they're talking about. You shouldn't just give your 2 cents on the matter. This is the security of people's money we are talking about. People should not take your advice and you should not give it out if you're not qualified to do so.

    This possible attack has been known since 2008 or something. Perhaps people thinking it's not an issue "because it's hard to get an EV certificate" or "hard to forge the website" is the reason that NatWest hasn't bothered to change it until now.
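
Added example (not part of the thread and not any bank's code): a Python check, run on constructed responses for a placeholder host, for the weakness described in the post above, namely a home page served over plain HTTP that carries the link to the HTTPS login page. It also checks the Strict-Transport-Security header, which the thread does not mention; the function names and sample data are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or 0 if absent/invalid."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0

def audit_entry_page(url, status, headers, body=""):
    """Flag, for one fetched page, the weaknesses discussed in the thread."""
    findings = []
    scheme = urlparse(url).scheme
    if scheme == "http" and status == 200:
        # Content arrived unencrypted, so any link in it can be altered in transit.
        findings.append("page served over plain HTTP")
        parser = LinkCollector()
        parser.feed(body)
        for href in parser.links:
            if urlparse(href).scheme == "https":
                findings.append(f"HTTPS link delivered over HTTP: {href}")
    if scheme == "https" and hsts_max_age(headers) == 0:
        findings.append("no HSTS: a later visit may start over HTTP")
    return findings

# Constructed sample responses (bank.example.test is a placeholder host).
BEFORE = ("http://bank.example.test/", 200, {"Content-Type": "text/html"},
          '<a href="https://login.bank.example.test/">Log in</a>')
AFTER = ("https://bank.example.test/", 200,
         {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
         '<a href="https://login.bank.example.test/">Log in</a>')

if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        print(sample[0], audit_entry_page(*sample) or "ok")
```
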
  • RG2015
    RG2015 Posts: 5,905 Forumite
    Fryy wrote: »
    I have to say, I find it really bizarre that some people comment about the security of NatWest or First Direct despite clearly not knowing what they're talking about. You shouldn't just give your 2 cents on the matter. This is the security of people's money we are talking about. People should not take your advice and you should not give it out if you're not qualified to do so.
    There are numerous posts on the MSE forums that are given as opinions by unqualified people.

    The reader is fully able to choose whether or not to take the advice and whether to conduct their own research. If people didn't give their 2 cents worth the forum would be deprived of a large proportion of its content.

    And by the way, my post about FD having a clunky un-clonable website was firmly tongue in cheek.
This discussion has been closed.