NatWest has been left red-faced after initially appearing to brush off a noted security researcher who spotted its homepage was not HTTPS-encrypted.
The UK bank, owned by RBS, replied to a Twitter post by Troy Hunt: “I’m sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy?”
Hunt explained in a blog post that even though the lender’s homepage didn’t actually contain anything sensitive like an account log-in box, it could still be hijacked by hackers to redirect unsuspecting customers to a similar looking phishing site.
“It's served over HTTP so it's not an encrypted connection and can therefore be intercepted, the traffic read, modified or requests redirect to other locations,” he wrote.
“We're seeing ‘Not secure’ next to the address bar because I've typed something into the search box. This change began rolling out in Chrome in October and I would opine that ‘Not secure’ is not what you want to see on your bank.”
Hunt continued that hackers could easily modify the HTML to a similar looking but different domain — for example, from nwolb [dot] com to nuolb [dot] com.
To add insult to injury, the bank then registered the nuolb domain following the interaction — missing the point completely that the homepage was still unprotected.
In fact, it issued this tweet:
“Hi there Troy, the website contains general information, rest assured when you are logging in that the website is secure. Please feel free to DM me if you have anymore queries around this.”
Fortunately, however, NatWest finally saw sense and the homepage for its personal banking customers is now protected with HTTPS.
Despite the tortuous process, Hunt praised the lender for its relatively quick response.
As of December, 67% of pages loaded by Firefox were HTTPS enabled, thanks to public initiatives such as Let’s Encrypt.