Security Flaw Puts UK Bank Customers At Risk

Uploaded on 2019-03-30 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

Royal Bank of Scotland (RBS) customers have been put at risk of cyber-attack after being recommended flawed security software. Since January, the banking group has begun to offer its business banking customers a product called Thor Foresight Enterprise free of charge.

Heimdal Security sells it as "next generation protection" against cyber-threats. Security researchers uncovered a flaw in it that made customers less secure. 

The bug has now been fixed with Heimdal Security estimating that about 50,000 people were using the vulnerable software. RBS said it had only affected NatWest customers as it was not yet being offered to its RBS and Ulster banks. The company would not disclose how many of its customers would have been at risk.

Fallen Short
Pen Test Partners discovered the security flaw which they say is extremely serious.Security Researcher Ken Munro told the BBC: "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details." 

"To do this we had to intercept the user's internet traffic but that is quite simple to do when you consider the unsecured public Wi-FI out there, and it's often all too easy to compromise home Wi-FI set ups.

"Heimdal Thor is security software that runs at a high level of privilege on a user's machine. It's essential that it is held to the highest possible standards. We feel they have fallen far short."

The security software acts as a filter and aims to spot and stop common cyber-attacks that try to steal data or lock it away in ransomware. Heimdal was quick to respond to the discovery and has now fixed the flaw and thanked the security researchers for disclosing the bug. In a statement, Heimdal's chief executive Morten Kjaersgaard said: "We naturally treat information like this very seriously. We issued a fix and automatically updated 97% of all affected endpoints within four days of being informed, and the rest shortly after."

The company said that the vulnerability was only "in the wild" for about three weeks and affected around 50,000 computers, 8% of the number of machines running the Thor software.

An RBS spokesperson said: "We were made aware of a potential software issue that could apply to a small number of our early-adopting customers."

The banking group praised Heimdal's speed in fixing the issue and went on to claim that "no customers suffered any adverse consequences".

BBC

You Might Also Read: 

Bank of England Testing Banks' Cyber Resilience:

 

 

« Company Directors Must Become Cyber Aware
Facebook Removes Suspicious Accounts For 'inauthentic behavior' »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

SK-CERT

SK-CERT

SK-CERT National Computer Computer Emergency Response Team of Slovakia.

French Expert Center Against Cybercrime (CECyF)

French Expert Center Against Cybercrime (CECyF)

CECyF is a centre of excellence for countering cybercrime in France.

Computing Technology Industry Association (CompTIA)

Computing Technology Industry Association (CompTIA)

CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

German Accelerator

German Accelerator

German Accelerator supports high-potential German startups in successfully entering the U.S. and Southeast Asian markets.

Unlimited Technology

Unlimited Technology

Unlimited Technology offers a wide range of talent and experience, from assessing your requirements to implementing technologically advanced security solutions to best fit your needs.

RocketCyber

RocketCyber

RocketCyber is a Managed SOC platform empowering Managed Service Providers (MSPs) to deliver security services to small and medium businesses.

DTS Systeme

DTS Systeme

DTS Systeme is an IT service provider with a focus on the core areas of datacenter, technologies and IT security.

Armo

Armo

Armo technology enhances any Kubernetes deployment with security, visibility, and control from the CI/CD pipeline through production.

StarLink

StarLink

StarLink is an acclaimed Value-Added Distributor across the Middle East, Turkey and Africa regions with on-the-ground presence in 20 countries including UK and USA.

Onwardly

Onwardly

For everyday folks tasked with implementing security and privacy. Do it faster with Onwardly - build, launch and scale your cyber resilience program in 30 minutes per week.

Vortacity Cyber

Vortacity Cyber

Vortacity is a boutique cybersecurity provider specializing in associations, nonprofits, and mission-based organizations.

DefectDojo

DefectDojo

DefectDojo is a DevSecOps and vulnerability management tool.

Trofi Security

Trofi Security

Trofi Security provides Information Technology and Information Security services to organizations in both the public and private sectors.

Blind Insight

Blind Insight

Field-level searchable encryption plus fine-grained programmable access controls. All wrapped neatly in developer-friendly APIs and SDKs. Data protection perfection.

Click Studios

Click Studios

Click Studios is an Agile software development company specialising in the development of a secure Enterprise Password Management solution called Passwordstate.