Security Flaw Puts UK Bank Customers At Risk

Royal Bank of Scotland (RBS) customers have been put at risk of cyber-attack after being recommended flawed security software. Since January, the banking group has begun to offer its business banking customers a product called Thor Foresight Enterprise free of charge.

Heimdal Security sells it as "next generation protection" against cyber-threats, but security researchers uncovered a flaw in it that made customers less secure.

The bug has now been fixed, with Heimdal Security estimating that about 50,000 people were using the vulnerable software. RBS said it had only affected NatWest customers, as the software was not yet being offered to its RBS and Ulster Bank customers. RBS would not disclose how many of its customers would have been at risk.

Fallen Short
Pen Test Partners discovered the security flaw, which they say is extremely serious. Security researcher Ken Munro told the BBC: "We were able to gain access to a victim's computer very easily. Attackers could have had complete control of that person's emails, internet history and bank details."

"To do this we had to intercept the user's internet traffic, but that is quite simple to do when you consider the unsecured public Wi-Fi out there, and it's often all too easy to compromise home Wi-Fi setups.

"Heimdal Thor is security software that runs at a high level of privilege on a user's machine. It's essential that it is held to the highest possible standards. We feel they have fallen far short."

The security software acts as a filter and aims to spot and stop common cyber-attacks that try to steal data or lock it away with ransomware. Heimdal was quick to respond to the discovery, has now fixed the flaw and thanked the security researchers for disclosing the bug. In a statement, Heimdal's chief executive Morten Kjaersgaard said: "We naturally treat information like this very seriously. We issued a fix and automatically updated 97% of all affected endpoints within four days of being informed, and the rest shortly after."

The company said that the vulnerability was only "in the wild" for about three weeks and affected around 50,000 computers, 8% of the machines running the Thor software.

An RBS spokesperson said: "We were made aware of a potential software issue that could apply to a small number of our early-adopting customers."

The banking group praised Heimdal's speed in fixing the issue and went on to claim that "no customers suffered any adverse consequences".

BBC

