NatWest bank has said it will update its main customer-facing websites with HTTPS encryption after initially rebuffing a researcher’s concerns about the security of such sites.
Troy Hunt told NatWest bank that even though the main website contained only general information, it still required updating as it contained links to sensitive pages.
A brief spat took place on Twitter between security researcher Troy Hunt and NatWest bank after Hunt contacted the bank to highlight the lack of security in its customer-facing websites. While NatWest initially played down Hunt’s concerns, it agreed to update its websites after he published a blog post to voice them.
Over the last few years, security researchers have repeatedly warned how easily an attacker positioned on the network path can read or alter traffic to plain-HTTP websites, both to steal confidential data and to inject malicious links that install malware.
Of late, the likes of Microsoft and Google have started taking measures to ensure the migration of all websites to HTTPS encryption. To protect website visitors from malicious content, Google Chrome is now marking non-HTTPS sites ‘Not Secure’ as soon as users start typing on such sites.
Google is aiming to eventually mark all non-HTTPS pages as ‘Not Secure’ in red, which will be more noticeable to visitors than the small ‘i’ icon that appears in the address bar at present.
Therefore, it sounds strange when one of the UK’s leading banks chooses to serve its customer-facing website over plain, unencrypted HTTP and even defends the decision. The bank initially claimed that since the customer-facing website contained only general information, it didn’t need HTTPS protection. It also failed to appreciate that the website featured links to login pages, and since the main page wasn’t secure, none of the links on it could be trusted: a page delivered without HTTPS can be modified in transit, so even a link that appears to point at an HTTPS login page cannot be relied on.
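The point above, that a landing page served over plain HTTP cannot vouch for any link it carries, is easy to turn into a repeatable check. The following is an added example written for this article, not code from NatWest or from Troy Hunt’s post: it parses a landing page for anchor links, flags login links that resolve to `http://`, and reports whether the page itself is served over HTTPS with a Strict-Transport-Security header and whether the `http://` version of the site redirects permanently to `https://`. The domain `bank.example`, the HTML snippet and the headers are constructed sample data, and the set of login keywords is an assumption.

```python
# Added example (not NatWest's code, not from Troy Hunt's post): an offline
# audit of a bank-style landing page. Domain names, HTML and headers below
# are constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed keywords that identify a login link; adjust for the site under review.
LOGIN_HINTS = ("login", "logon", "signin", "sign-in")


class _LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(page_url, html):
    """Return the absolute URL of every anchor on the page."""
    collector = _LinkCollector()
    collector.feed(html)
    return [urljoin(page_url, href) for href in collector.hrefs]


def audit_landing_page(page_url, html, response_headers):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    scheme = urlparse(page_url).scheme.lower()
    headers = {k.lower(): v for k, v in response_headers.items()}

    if scheme != "https":
        # The core point of the article: nothing on a plain-HTTP page is
        # trustworthy, including links that appear to point at https:// URLs.
        findings.append(
            "landing page served over plain HTTP: anything on it, including "
            "links to https:// login pages, can be rewritten in transit"
        )
    elif "strict-transport-security" not in headers:
        findings.append(
            "no Strict-Transport-Security header: a later visit typed as "
            "http:// is not forced onto HTTPS by the browser"
        )

    for link in extract_links(page_url, html):
        if urlparse(link).scheme == "http" and any(h in link.lower() for h in LOGIN_HINTS):
            findings.append(f"login link points at plain HTTP: {link}")
    return findings


def check_http_redirect(status_code, location):
    """Judge the server's answer to a request for the http:// version of the site.
    The expected answer is a permanent redirect to the https:// origin."""
    if status_code not in (301, 308):
        return [f"http:// request answered with {status_code}, not a permanent redirect"]
    if not location or urlparse(location).scheme != "https":
        return [f"redirect target is not https://: {location!r}"]
    return []


# Constructed sample: a landing page as described in the article, before the fix.
INSECURE_PAGE_URL = "http://bank.example/"
SAMPLE_PAGE_HTML = """
<html><body>
  <a href="/about">About us</a>
  <a href="/login">Log in to online banking</a>
  <a href="https://secure.bank.example/logon">Business logon</a>
</body></html>
"""

# Constructed sample: the same page once served over HTTPS with HSTS enabled.
SECURE_PAGE_URL = "https://bank.example/"
SECURE_PAGE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


if __name__ == "__main__":
    for finding in audit_landing_page(INSECURE_PAGE_URL, SAMPLE_PAGE_HTML, {}):
        print("BEFORE:", finding)
    print("AFTER:", audit_landing_page(SECURE_PAGE_URL, SAMPLE_PAGE_HTML, SECURE_PAGE_HEADERS))
    print("http:// redirect:", check_http_redirect(301, "https://bank.example/"))
```

Run against the insecure sample, the audit reports two findings: the page itself is plain HTTP, and the relative `/login` link resolves to `http://bank.example/login`. The same HTML served from `https://bank.example/` with HSTS produces no findings, because relative links now resolve to `https://` and the page can no longer be altered on the way to the browser. In practice the inputs would come from real responses fetched over the network; the functions take the URL, body and headers separately so they can be fed from any HTTP client.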
‘Hi there Troy, the website contains general information, rest assured when you are logging in that the website is secure. Please feel free to DM me if you have any more queries around this,’ said a NatWest representative to Hunt on Twitter.
‘You’re missing the point: when people want to logon they go to your homepage. The homepage is insecure so you can’t trust anything on it. The link to the login page is on it. You can’t trust the link to the login page. Make sense?’ replied Hunt.
‘I’m sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you, Troy?’ snapped back the rep, spurring Hunt to write a blog post titled ‘I’m Sorry You Feel This Way NatWest, but HTTPS on Your Landing Page Is Important’.
‘We’re on a march towards HTTPS everywhere. Almost 70% of web traffic today is encrypted and organisations not getting with the program are being increasingly penalised for lagging behind. A bank – of all sites – should be getting this right or at the very least, taking the discussion offline and deferring to their tech folks,’ he wrote.
After Hunt published the blog post, NatWest bank told the BBC that it would upgrade the security of its non-HTTPS websites within the next 48 hours.
‘We take the security of our services extremely seriously. While we do not currently enforce HTTPS on some of our websites, we are working towards upgrading this in the next 48 hours. Our online banking channel is secured with HTTPS,’ said a NatWest representative.