NatWest lacks basic phishing protection, says security firm Atbash

London-based security firm Atbash has identified a flaw in NatWest’s online banking system which could be exposing customers to cyber threats

London-based security firm Atbash has identified a flaw in NatWest’s online banking system which could be exposing unwitting customers to cyber threats.

The flaw – in the bank’s current email security system – makes it less likely that phishing emails will be identified and filtered out.

Graeme Batsman, director of IT and email security firm Atbash, said: “I was handed a sample of an email from NatWest which slipped past the security system.” 

The sample was a phishing email that appeared to come from NatWest, yet the sender domain showed that it was sent from New Zealand. 

It informed the recipient that access to their account had been blocked “due to possible errors detected”. The message directed the recipient to click on a link to “restore online access” and review online accounts. The link actually redirected the user to a phishing website.

“After inspecting the problem and testing the vulnerability, I identified that the problem was a missing SPF record,” Batsman said.

SPF records are used as part of the Sender Policy Framework, an anti-spam approach in which a receiving mail server can check whether the internet domain named as the sender actually authorises the server that delivered the message.


The measure is directed against spam mailers, who routinely disguise the origin of their email, a practice known as email spoofing.

SPF and other anti-spoofing initiatives, such as DomainKeys, work by making it easier for a mail server to determine when a message came from a domain other than the one claimed.

“To put it simply, NatWest’s email servers are based within the UK, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked,” explained Batsman.

When an email arrives at a server that checks SPF, a simple check is done in the background to compare where the email should come from (in this case the UK) with where it actually comes from (in this case New Zealand).

“If the two do not tie up, then email servers will determine the email to be fake and it will be blocked,” he said.

Batsman added that SPF is an open source method of identifying and capturing dangerous and compromised emails that costs nothing to implement and takes just 30 minutes to set up.

By integrating an SPF record on the system, NatWest would have increased the chance of email spam filters detecting that the email is a fake, offering better protection to customers, he said.

An SPF record has been set up for one NatWest domain, but not for the critical domain used for online banking login, said Batsman.
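The check Batsman describes, and the difference a missing record makes for the login domain, can be shown with a small SPF evaluator. This is an added example, not code from the article or from NatWest; the domains, IP addresses and records below are constructed stand-ins for real DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (or None).
# Placeholder domains and documentation IP ranges; not NatWest's real records.
FAKE_DNS = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "login.bank.example": None,  # nothing published, like the login domain in the story
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate a simplified SPF policy (ip4/ip6/include/all mechanisms only)
    for one sending IP, returning pass/fail/softfail/neutral/none."""
    record = dns.get(domain)
    if record is None or depth > 10:
        return "none"  # no record: the receiver has no basis to reject the mail
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def with_login_record(dns=FAKE_DNS):
    """The fix the article calls for: publish a record for the login domain too."""
    fixed = dict(dns)
    fixed["login.bank.example"] = "v=spf1 ip4:203.0.113.0/24 -all"
    return fixed


if __name__ == "__main__":
    spoofer = "192.0.2.55"  # constructed "New Zealand" sender, outside the bank's ranges
    print("main domain:", check_spf(spoofer, "bank.example"))            # fail
    print("login domain:", check_spf(spoofer, "login.bank.example"))     # none
    print("login, fixed:", check_spf(spoofer, "login.bank.example", with_login_record()))  # fail
```

A result of "none" is the gap described above: with no record published, a filter cannot tell a spoofed login-domain message from a genuine one, whereas "fail" gives it grounds to block the mail.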

“This leads to cyber criminals being particularly attracted to the domain, which is a major concern to NatWest online banking customers,” he said.

Batsman said other major banks such as Metro, Barclays, Santander and Lloyds already have SPF records set up for their domains which relate to online banking login paths.

Computer Weekly contacted NatWest to find out why SPF has not been implemented across all its domains, but received only a generic response.

A NatWest spokesperson said: “We take our customers’ security very seriously and we’re always looking at additional ways to protect them.  

“We will never ask customers to disclose security details or personal information. We urge our customers not to click on any links and attachments within suspicious emails and to report a suspicious email to us.

“Customers can contact us by emailing [email protected] or [email protected].”
