Cahoot taking steps to fill security gaps

Online banking security survey shows serious failures

Online bank Cahoot says it is doing what it can to fix a security hole identified by testing carried out by security company Heise last month.

Four out of seven online banks have failed to secure their sites after being alerted to serious security issues over a month ago by testers.

Heise's original demonstration worked by inserting a fake page into the online banking site, leaving the user almost no chance to detect the spoofing.

‘We are working to put a permanent fix in place and it is a very small and at this point theoretical risk,’ said a Cahoot spokeswoman.

‘We have been working on eliminating any potential risk from spoof framing and will have a permanent fix in place shortly,’ she said.

‘In addition to the steps we're taking, customers can help protect themselves as almost all browsers now have settings they can select to prevent this potential problem.’

Of the six banks found to be vulnerable to frame spoofing, only two have since implemented protective measures, leaving four vulnerable to phishing attacks.

Tests for Cahoot, the Bank of Scotland and First Direct web sites show that no action has been taken to tighten up procedures.

NatWest bank has taken steps by removing the names of the frames, although this does not remove the threat because frames can still be addressed in other ways.

The Bank of Ireland has fixed its site and has included script code that detects spoofed frames and redirects to an error page. The Link has also corrected its site by no longer using frames - the one infallible way of avoiding an attack using frame spoofing.
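A frame check of the kind described for the Bank of Ireland site could look like the following. This is an added example, not the bank's code; the origin, the error page path and every function name are assumptions.

```javascript
// Added example: a frameset page checks that each child frame still belongs
// to the site and sends the user to an error page if one does not.
// EXPECTED_ORIGIN and ERROR_PAGE are assumed values.
const EXPECTED_ORIGIN = "https://bank.example";
const ERROR_PAGE = "/frame-error.html";

// Read a frame's origin. Current browsers refuse this read (SecurityError)
// once a frame shows another site's page, which is itself the signal.
function frameOrigin(frame) {
  try {
    return new URL(frame.location.href).origin;
  } catch (e) {
    return null; // unreadable or unparsable: treat as foreign
  }
}

// Walk the frames by index, so the check does not depend on frame names.
function findSpoofedFrames(win, expectedOrigin) {
  const spoofed = [];
  for (let i = 0; i < win.frames.length; i++) {
    const origin = frameOrigin(win.frames[i]);
    if (origin !== expectedOrigin) {
      spoofed.push({ index: i, origin: origin });
    }
  }
  return spoofed;
}

// Returns the URL the user was redirected to, or null when every frame is ours.
function checkFrames(win, expectedOrigin, errorPage) {
  const spoofed = findSpoofedFrames(win, expectedOrigin);
  if (spoofed.length === 0) return null;
  win.top.location.replace(errorPage);
  return errorPage;
}

// In a browser, re-check periodically, since a frame can be replaced after load.
if (typeof window !== "undefined") {
  setInterval(() => checkFrames(window, EXPECTED_ORIGIN, ERROR_PAGE), 1000);
}
```

The check runs in the same page it protects, so it narrows the window for a spoofed frame rather than closing it; dropping frames altogether removes the problem.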
