NTA Monitor

Date: 30th November 2003
Risk: Informational

Users of NatWest online banking services were targeted on Friday (24th October 2003) by an email scam attempting to capture bank details in order to remove money from user accounts. The scam was delivered through fraudulent emails sent to a list of users, asking them to click a link and verify their banking details on a replicated site. The link transferred users to a page that appeared to be the NatWest banking site and asked them to provide the security information they use to log on. A similar incident with eBay last year demonstrates that all online transactional sites are at risk.

NTA warns online banking sites to educate users against fraud and test their security following Smile and Barclays scams

8 October 2003

Following the recent scams on Smile and Barclays online banking sites, NTA is warning eCommerce sites to test their security and educate users against fraud.

Kevin Foster, Strategy Manager, NTA Monitor, comments, "Although the scam emails would appear suspicious to the security-conscious user, a vast number would think them genuine. Victims of fraud are usually embarrassed about being duped, and keep quiet, so we're unlikely to know the true extent of these attacks. We are encouraged to see that some banks have made warnings available on their web sites; however, we're surprised that despite these attacks, a number of UK banks are still not taking direct preventative action to advise customers of the risks these scams pose.

"The question is - will other eCommerce sites [not yet targeted by this scam] take the opportunity to give good advice to their customers before it's too late? Especially given that security concerns are a huge barrier to user uptake, responsible eCommerce sites should be taking more care to protect Internet users - both to protect their customers' sensitive records, and reduce the numbers duped by these kinds of scams."

It's really just a question of taking some sensible steps:

  1. Firstly, all eCommerce web sites should educate their users about Internet security and online fraud. Banks' advice to their users after the event never to give out credit card details really was a case of locking the door after the horse has bolted! Direct preventative action needs to be taken by all eCommerce sites to advise new users. We would advise that a general warning on Internet safety precautions should be included as a matter of course on all web sites. Education should be done during registration at a minimum, but also permanently linked on the homepage, thus enabling users to make informed decisions.
  2. Regular domain name searching and verification will pick up similar registered domains, allowing the site to investigate suspicious registrations and take pro-active action before users are duped by fraudulent websites.
  3. Engage in regular eCommerce application security testing to pro-actively pick up potential (user) information disclosure vulnerabilities, enabling the site to remove holes before they're exploited. In our experience few sites test their eCommerce presence regularly, leaving the majority susceptible to these kinds of attack.

"Above all, pro-active action should be taken 'regularly'. I'd draw a comparison with how we look after our cars. We know that if we service our car regularly, we reduce the risk of having unexpected and costly problems. Imagine how many people are going to be freezing in the cold this winter when a planned service could have prevented it. Similarly, planned regular security testing will help eCommerce sites nip problems in the bud - and not leave their customers out in the cold!"
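
The domain name searching in step 2 can be automated along the following lines. This is an added example, not NTA Monitor's tooling: it checks a constructed list of newly seen domain names against a protected brand and gives a reason for each one worth investigating. The brand `examplebank`, the set of official domains and the sample names are all assumptions.

```python
from typing import Optional

BRAND = "examplebank"                # hypothetical brand label (assumption)
OFFICIAL = {"examplebank.example"}   # domains the organisation really owns (assumption)

# Digits commonly used to imitate letters, folded back to the letter.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(label: str) -> str:
    """Fold look-alike digits and the letter pairs 'rn' -> 'm', 'vv' -> 'w'."""
    folded = label.lower().translate(LOOKALIKES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review(domain: str) -> Optional[str]:
    """Return why a registration deserves investigation, or None if unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL:
        return None
    target = normalise(BRAND)
    for label in domain.split(".")[:-1]:      # every label except the TLD
        folded = normalise(label)
        if label == BRAND:
            return "brand name on a domain we do not own"
        if folded == target:
            return "look-alike characters"
        if edit_distance(folded, target) <= 1:
            return "one-character typo"
        if target in folded:
            return "brand embedded in a longer name"
    return None


# Constructed sample of newly observed registrations (not real data).
SEEN = ["examplebank.example", "examp1ebank.example", "exarnplebank.example",
        "examplbank.example", "examplebank-secure-login.example",
        "examplebank.invalid", "gardening-tips.example"]


def triage(domains):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := review(d))}
```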

ADVICE TO USERS:

About the Smile and Barclays scams

Users of Smile and Barclays have recently been subjected to an email scam attempting to capture bank details and remove money from user accounts. The scam was delivered through fraudulent emails sent to a list of users, asking them to click a link and enter credit card and password information into replicated sites. The emails claimed that the banks had made a technical update and recommended reactivating the user accounts by clicking on a link. The link transferred users to a page that appeared to be the login page of their Internet bank and asked them to provide the security information they use to log on.