Banking web site insecurities
GraceCourt
Posts: 335 Forumite


Forum readers will have seen the breaking story this evening about the u-turn by NatWest over the issue of insecure (HTTP) links on its on-line banking web site, and in view of this it's worth pointing out a similar - but worse - issue relating to Santander.
When a Santander customer has passed the usual security checks and is logged-in to their on-line banking account, on most pages they will see a vertical list on the right-hand menu offering links for making an application for a variety of financial products - new current account, new savings account, new loan application, etc., etc.
But not only are these HTTP links, they don't even link to Santander's own domain - they all lead directly to doubleclick.net, which is an information aggregator owned by Google! The official answer from Santander, cleared for publication by their Press office, is as follows:
Doubleclick click trackers are used within our Online Banking ‘Apply Now’ menu to measure the number of clicks each of the products generates so that we understand the popularity of those offers and to enable the destination of those links to be amended if required without an IT release to the Online Banking platform.
The use of click trackers in this fashion does not generate data into the Google Doubleclick ecosystem that would allow another company to target a consumer with advertising on the basis of knowing they had been to a Santander website. Nor does it allow Google to collect any personal, non-anonymised information about any Santander customer who clicks on any of the links.
Needless to say, I decided against opening a new savings account with them and invested our money with Tesco Bank instead. NatWest has folded to the pressure from security experts about this sort of sloppy behaviour but it seems Santander can't be bothered to take every care with their on-line security. We shall see if they, too, can withstand the heat of publicity once this becomes more widely known and understood.
Poll: Is Santander's use of third-party HTTP links for account applications acceptable? (19 votes)
Yes, this does not concern me at all: 73% (14 votes)
No, this is unacceptable: 15% (3 votes)
I don't really care about on-line banking security: 10% (2 votes)
Comments
-
Their explanation is adequate for me.
I doubt the heat of publicity is going to have much effect on their profits.
-
Your poll doesn't have an option for "I can't be bothered about posts with polls."
-
Linkage issues are surely a matter for the techie forums..?
-
I'm with IamWales..
This doesn't concern me at all..
Can you explain exactly what your problem is with this?
It seems you are not understanding how this all works and are just screaming "noooo https - aaarrgghh"
No personal info is being passed to those links (they are just external links for all intents and purposes), so what exactly is your issue?
Your title is misleading - once you are applying for an account then it is covered by SSL of course, but why would you want/need the link to the splash page to be SSL?? :huh:
-
I'm with IamWales..
This doesn't concern me at all..
Can you explain exactly what your problem is with this?
It seems you are not understanding how this all works and are just screaming "noooo https - aaarrgghh"
No personal info is being passed to those links (they are just external links for all intents and purposes), so what exactly is your issue?
Your title is misleading - once you are applying for an account then it is covered by SSL of course, but why would you want/need the link to the splash page to be SSL?? :huh:
You haven't actually read the NatWest story to which I referred in the first line, have you? :doh:
-
I don't need to.
I have a Santander account, am aware that the external links on the ribbon are plain HTTP and I know all about SSL certificates and the implementation of MITM attacks that are possible over plain HTTP (I am a penetration tester and IT consultant).
Once again, this doesn't concern me in the slightest as I actually understand it.
It seems you don't.
Just to clarify for you, HTTPS is needed to prevent anybody snooping on your traffic between you and the destination.
The SSL layer encrypts this traffic so that if anyone snoops it then it is just gibberish.
When you are clicking on these links in the side bar, you are effectively leaving the Santander site and landing on the destination page as if you have landed from google or anywhere else.
NO information is being sent in the traffic (*very important point).
So there is absolutely no need for it to be encrypted - at all.
When you are moving between pages on your actual account, info is being sent, i.e. session cookies and other stuff that is sensitive.
So this does need to be encrypted, otherwise I as an attacker could hijack this cookie and effectively log on to your account as you (it's a bit more involved but that is the basics).
It totally makes sense that Santander would have these links dynamic and separate from the "actual" website.. because otherwise they would need to go through a whole big involved IT change management process just to change them (to ensure they acted appropriately and didn't leak information etc etc).
I hope that explains it a bit for you.
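The point in the post above, that session cookies must only ever travel over the encrypted connection, has a concrete browser-side mechanism behind it: the cookie's Secure attribute. The Python below is an added illustration, not code from any poster or from Santander. It models the subset of cookie scoping rules a browser applies (Secure, Domain, Path) and reports which cookies would accompany a given request; the hostnames and Set-Cookie values are constructed placeholders.

```python
"""Added example: which cookies a browser attaches to a request, and what the
Secure attribute changes. All hosts and cookie values are constructed
placeholders (the .example TLD is reserved), not any bank's real data."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host the cookie is scoped to
    path: str = "/"
    secure: bool = False    # only sent over https://
    http_only: bool = False  # not readable by page scripts


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value (RFC 6265 subset) into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie.path = val.strip() or "/"
        # other attributes (Expires, SameSite, ...) are ignored in this model
    return cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent_to(jar: list, url: str) -> list:
    """Names of the cookies in `jar` a browser would attach to a request for `url`."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    sent = []
    for c in jar:
        if c.secure and u.scheme != "https":
            continue  # Secure cookies never go out over plain HTTP
        if not domain_matches(host, c.domain) or not path_matches(path, c.path):
            continue
        sent.append(c.name)
    return sent


def missing_protections(cookie: Cookie) -> list:
    """Defender's check: attributes a session cookie should carry but lacks."""
    missing = []
    if not cookie.secure:
        missing.append("Secure")
    if not cookie.http_only:
        missing.append("HttpOnly")
    return missing


# Constructed Set-Cookie values: a weak one and its hardened form.
WEAK = "SESSIONID=abc123; Path=/"
HARDENED = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
BANK = "onlinebanking.example"  # placeholder for the bank's own host


def demo() -> dict:
    weak_jar = [parse_set_cookie(WEAK, BANK)]
    hard_jar = [parse_set_cookie(HARDENED, BANK)]
    return {
        "weak_missing": missing_protections(weak_jar[0]),
        "weak_over_https": cookies_sent_to(weak_jar, f"https://{BANK}/accounts"),
        "weak_over_http": cookies_sent_to(weak_jar, f"http://{BANK}/accounts"),
        "hardened_over_https": cookies_sent_to(hard_jar, f"https://{BANK}/accounts"),
        "hardened_over_http": cookies_sent_to(hard_jar, f"http://{BANK}/accounts"),
        "third_party_click": cookies_sent_to(hard_jar, "https://clk.tracker.example/click"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things fall out of running it. Without Secure, the session cookie would accompany any plain-http request to the bank's host, which is the exposure behind the cookie-hijacking point above; with Secure it stays on the encrypted connection (banks also normally send HSTS so the browser refuses plain HTTP to their domain altogether). And in either case a cookie scoped to the bank's domain is never sent to the tracker host, which is the sense in which clicking the side-bar links carries no session data.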
-
The google gestapo would have the whole internet go TLS, that would give the intelligence agencies a headache, while google and others such as facebook continue to exploit our personal information.
Why are we so worried about intelligence agencies that seek to protect their public while we actively embrace and give all our data to the biggest self-serving agencies of google and the rest?
-
In 1999, using IE5, it stored my password for LloydsTSB! Should I be scared? Yet most give goooogle carte blanche to follow your every move!
-
I don't need to.
I have a Santander account, am aware that the external links on the ribbon are plain HTTP and I know all about SSL certificates and the implementation of MITM attacks that are possible over plain HTTP (I am a penetration tester and IT consultant).
I'll see your qualifications, and raise them with an Honours degree in pure Computer Science and a certificate from the (now defunct) National Specialist Law Enforcement Centre at Wyboston Lakes during a two-year secondment to a central government organisation.
If you had not been so foolish as to enter into debate on a public forum without actually reading about the issue in question - despite having been given a fairly hard "nudge" that you ought to - you would now understand that the issue is not your knowledge, nor mine, but the (lack of) knowledge of the "average" (whatever that means) Internet user and what can, and should, be done by those who do understand security to minimise the risks for everyone using engineering so as not to rely on the knowledge of users. I won't set out here the details of what NatWest have decided to do, after initially refusing, because you appear to be a big grown up Internet user who does actually know how to use a browser - notwithstanding the fact that your personality defect drives you to leap into action without bothering to research what the relevant issues are.
When you are clicking on these links in the side bar, you are effectively leaving the Santander site and landing on the destination page as if you have landed from google or anywhere else.
Yes. And if the destination page redirects you back to a Santander page, whether that landing page is secured or not, most users won't even know that they have been redirected. I won't explain why that is directly relevant to information security because, from your posts, you are presently undertaking penetration testing without any appreciation whatsoever of the fundamentals of information security, or of the standards that a respectable financial services provider ought to observe, whether or not their practices are "outed" in the public domain.
At least NatWest understood at a very late stage the consequences of trying to defend its position when being publicly criticised, and did a U-turn. But then, you don't need to read about why they did so, do you? :rotfl:
[Hint: not all Internet users have degrees in Information Security]
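The two points made in this thread, that the side-bar links leave the HTTPS banking session over plain HTTP to a third-party host, and that a redirect from that host back to a first-party page is invisible to most users, are exactly what a link audit of the authenticated page should flag. The Python below is an added example, not the forum's or any bank's code: it collects the anchors from a constructed HTML fragment, follows each through a constructed redirect map standing in for the tracker's Location responses, and reports plain-HTTP hops, third-party hops, and third-party redirects that land back on the first-party domain. All hostnames are placeholders.

```python
"""Added example: audit the links on an authenticated page for plain-HTTP and
third-party hops, following redirect chains. The page fragment, redirect map
and hostnames are constructed placeholders, not any bank's real pages."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FIRST_PARTY = "onlinebanking.example"  # placeholder for the bank's own domain

# Constructed fragment standing in for an "Apply Now" side menu on a logged-in page.
PAGE = """
<html><body>
<a href="/accounts/statements">Statements</a>
<ul class="apply-now">
  <li><a href="http://clk.tracker.example/click?offer=savings">New savings account</a></li>
  <li><a href="http://clk.tracker.example/click?offer=loan">New loan</a></li>
</ul>
</body></html>
"""

# Constructed redirect map: what each click-tracker URL's Location header would return.
REDIRECTS = {
    "http://clk.tracker.example/click?offer=savings":
        "https://www.onlinebanking.example/savings/apply",
    "http://clk.tracker.example/click?offer=loan":
        "https://loans.partner.example/apply",
}


class LinkCollector(HTMLParser):
    """Collect the absolute href of every <a> element on the page."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.base_url, href))


def is_first_party(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def follow(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Return the redirect chain starting at `url`, bounded and loop-safe."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain


def audit(page_html: str, base_url: str, redirects: dict) -> dict:
    """Map each weak link to the list of findings along its redirect chain."""
    collector = LinkCollector(base_url)
    collector.feed(page_html)
    report = {}
    for link in collector.links:
        chain = follow(link, redirects)
        findings = []
        for hop in chain:
            if urlparse(hop).scheme != "https":
                findings.append("plain-http hop: " + hop)
            if not is_first_party(hop):
                findings.append("third-party hop: " + hop)
        # A third-party entry point that ends on our own domain: the user sees
        # a first-party page and has no way to tell a tracker was in the path.
        if len(chain) > 1 and not is_first_party(chain[0]) and is_first_party(chain[-1]):
            findings.append("third-party redirect lands back on first party: " + chain[-1])
        if findings:
            report[link] = findings
    return report


if __name__ == "__main__":
    for link, findings in audit(PAGE, f"https://{FIRST_PARTY}/accounts/summary", REDIRECTS).items():
        print(link)
        for f in findings:
            print("  -", f)
```

In a live audit the redirect map would be replaced by requests made with automatic redirect-following switched off, so that every Location hop is recorded and scored. Run as a test in the bank's own release pipeline, a check like this catches the weakness before the page ships, which is the engineering answer to the "without an IT release" reasoning in Santander's statement.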
This discussion has been closed.