NatWest Online banking failure

A week or two ago, I went to log into my Nat West online banking as usual, and on the first attempt I was taken to a page which looks like this:

Now, there's already quite a lot of fail on the above page. I bank with the National Westminster Bank Plc. They brand themselves as NatWest.

They have a duty of care to their customers, to follow best security practices and try to avoid the kind of confusion that would lead to phishing fraud and other similar problems.

Obviously we don't want to actively train customers to succumb to fraud by entering their details into dodgy web sites. So banks should operate their genuine online banking under domains which are obviously theirs, such as natwest.co.uk.

But no, NatWest bizarrely use www.nwolb.com for their online banking. Sure, I'm capable of using whois and confirming that they really do own that domain, but how many other people are? Joe Public now just expects that a genuine online banking site might appear anywhere on the Internet, not just under the bank's real domain name.

Thanks, NatWest. You are causing fraud.

But OK, at least it's a secure web site so we can know it's them, right? Oh, except the SSL certificate in that nice green bit in the URL bar of my browser still doesn't say NatWest. It says 'Royal Bank of Scotland Group'. So that's another failure. Again, I know that RBOS own NatWest these days, but that's not the point. We really need online banking to be idiot-proof, and we know that the universe just keeps inventing a better class of idiot. And here's NatWest, actively helping to train those new idiots, and now they don't even expect that the nice green security thingy in their browser will show a name which relates in any way to the name they know as "their" bank's name.
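The two checks above (is the login page under a domain that is obviously the bank's, and does the certificate's organisation name match the brand the customer knows) can be written down mechanically. Here is an added example of doing so in Python; it is not NatWest's code nor anything from the original post. The certificate dicts are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns, with values mirroring what the post describes, and the bank domain and brand names passed in are assumptions for the demo.

```python
"""Audit an online-banking login page for the two failures the post describes:
hostname not under the bank's own domain, and certificate organisation not
naming the bank.  Added example, not code from NatWest or from the post."""

import socket
import ssl
from typing import Iterable, List, Optional, Set


def host_under_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it.
    Compares whole labels, so 'natwest.co.uk.example.com' does NOT match
    'natwest.co.uk' (a plain substring test would wrongly accept it)."""
    h = hostname.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def cert_names(peercert: dict) -> Set[str]:
    """DNS names the certificate is valid for (SAN entries plus subject CN)."""
    names = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def cert_organisation(peercert: dict) -> Optional[str]:
    """Organisation (O=) from the subject; None for a DV-only certificate."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def name_matches(cert_name: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as '*.example.com'."""
    if cert_name.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == hostname


def audit_login_page(hostname: str, peercert: dict,
                     bank_domains: Iterable[str], bank_names: Iterable[str]) -> List[str]:
    """Return a list of findings; an empty list means the page passes."""
    hostname = hostname.lower().rstrip(".")
    findings = []
    if not any(host_under_domain(hostname, d) for d in bank_domains):
        findings.append(f"hostname {hostname} is not under a bank-owned domain")
    if not any(name_matches(n, hostname) for n in cert_names(peercert)):
        findings.append("certificate does not cover the hostname")
    org = cert_organisation(peercert)
    if org is None:
        findings.append("certificate carries no organisation name (not OV/EV)")
    elif not any(b.lower() in org.lower() for b in bank_names):
        findings.append(f"certificate organisation '{org}' does not name the bank")
    return findings


def fetch_peercert(hostname: str, port: int = 443) -> dict:
    """Live helper (not used by the offline demo): fetch the server certificate
    with the default trust store, in the same dict shape as the samples below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: the situation the post describes (values are not a real capture).
NWOLB_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Royal Bank of Scotland Group"),),
                (("commonName", "www.nwolb.com"),)),
    "subjectAltName": (("DNS", "www.nwolb.com"),),
}

# Constructed sample: what the post says it should look like.
GOOD_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "National Westminster Bank Plc"),),
                (("commonName", "online.natwest.co.uk"),)),
    "subjectAltName": (("DNS", "online.natwest.co.uk"),),
}

BANK_DOMAINS = {"natwest.co.uk"}              # assumed for the demo
BANK_NAMES = {"NatWest", "National Westminster"}  # brand names a customer knows

if __name__ == "__main__":
    for host, cert in (("www.nwolb.com", NWOLB_CERT), ("online.natwest.co.uk", GOOD_CERT)):
        print(host, audit_login_page(host, cert, BANK_DOMAINS, BANK_NAMES) or ["OK"])
```

Run as-is it only uses the constructed certificates; `fetch_peercert` is there for anyone who wants to point the audit at a live site. Note the label-wise domain comparison in `host_under_domain`: a substring check is the classic mistake that lets a lookalike hostname pass.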

Thanks, NatWest. You are causing fraud.

OK, let's take a look at the next page too. But first, remember all the times that various banking organisations have told you they'll never ask for your full details again, or for your PIN numbers...

So now we have left the technicalities behind us and entered the realm of spectacularly bad practice. Remember, I am already registered for online banking, I've been given no prior warning that it was going to stop working and require any form of re-registration, and now I'm being asked to enter my FULL CREDIT AND DEBIT CARD NUMBERS!

Words fail me. I'll just copy some from up there...

Thanks, NatWest. You are causing fraud.

If I was a fraudster, I'd be rejoicing at this. Again here we have a major bank actively training their customers to do utterly stupid things.

I firmly believe that if a naïve customer encounters this idiocy from NatWest, and subsequently succumbs to phishing fraud and enters their full details on some random web site somewhere, NatWest should be held liable for aiding and abetting that fraud.

I'm not a lawyer, obviously, and there is plenty of scope for debate about precisely what level of joint enterprise is required and whether NatWest could be prosecuted when they have not directly conspired with one specific fraudster, but merely trained their customers to succumb to all types of fraud. And I'm sure the CPS would never actually bring such a case. But I think all reasonable people can agree that this level of incompetence and negligence is entirely unacceptable.

Of course, it doesn't stop there. NatWest are also guilty of sending out email which isn't signed. Security of email was standardised in the mid-1990s, and it's fairly simple for them to sign all their outbound email with S/MIME which gives the same level of authenticity as secure web sites — signing only, so it's clear text and can still be read in any mail program. But no, they choose not to do that, thus again training their customers to expect unsigned email and thus to succumb to phishing fraud. Again...
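To make the "signing only, still clear text" point concrete, here is an added example (not anything NatWest or the post supplies) that classifies an incoming message by its S/MIME structure: clear-signed (multipart/signed with a detached pkcs7-signature part, body readable in any mail program), opaque-signed (application/pkcs7-mime, body wrapped inside the CMS blob), or unsigned. A mail gateway or client can use exactly this to flag unsigned mail that claims to come from a sender who is supposed to sign. Both sample messages are constructed here, the sender domain `bank.example` is a placeholder, and the signature blob is dummy bytes; the code inspects MIME structure only and does not verify the signature.

```python
"""Classify S/MIME signing structure of an RFC 822 message and flag unsigned
mail from senders expected to sign.  Added example; samples are constructed."""

import base64
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Iterable, Optional

SIGNED_BODY = "Your new statement is available. Log in to your online banking."

# Constructed placeholder, not a real PKCS#7 signature.
FAKE_SIGNATURE_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-signature").decode()

# Constructed clear-signed message: the text part stays readable, the
# signature travels as a detached second part (RFC 8551, section 3.5.3).
CLEAR_SIGNED = (
    "From: statements@bank.example\r\n"
    "To: customer@example.net\r\n"
    "Subject: Your statement is ready\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    ' micalg=sha-256; boundary="sigbound"\r\n'
    "\r\n"
    "--sigbound\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    f"{SIGNED_BODY}\r\n"
    "--sigbound\r\n"
    "Content-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    f"{FAKE_SIGNATURE_B64}\r\n"
    "--sigbound--\r\n"
).encode()

# Constructed unsigned message of the kind the post complains about.
UNSIGNED = (
    "From: statements@bank.example\r\n"
    "To: customer@example.net\r\n"
    "Subject: Your statement is ready\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Your new statement is available online.\r\n"
).encode()


def smime_status(raw: bytes) -> str:
    """'clear-signed', 'opaque-signed', 'enveloped', 'malformed-signed' or 'unsigned'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = (msg.get_param("protocol") or "").lower()
        parts = list(msg.iter_parts())
        if (proto == "application/pkcs7-signature" and len(parts) == 2 and
                parts[1].get_content_type() in ("application/pkcs7-signature",
                                                "application/x-pkcs7-signature")):
            return "clear-signed"
        return "malformed-signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        return "opaque-signed" if smime_type == "signed-data" else "enveloped"
    return "unsigned"


def readable_body(raw: bytes) -> Optional[str]:
    """For a clear-signed message, the plain text any mail client can show
    without S/MIME support; None if the message has no such part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        return None
    first = next(iter(msg.iter_parts()), None)
    if first is None or first.get_content_maintype() != "text":
        return None
    return first.get_content().strip()


def flag_unsigned_bank_mail(raw: bytes, signing_domains: Iterable[str]) -> bool:
    """Gateway rule: True if the sender domain is one that is expected to
    sign all outbound mail, but this message carries no S/MIME signature."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    expected = {d.lower() for d in signing_domains}
    return domain in expected and smime_status(raw) == "unsigned"


if __name__ == "__main__":
    for label, raw in (("clear-signed", CLEAR_SIGNED), ("unsigned", UNSIGNED)):
        print(label, "->", smime_status(raw),
              "| flagged:", flag_unsigned_bank_mail(raw, {"bank.example"}))
```

The useful part for a defender is `flag_unsigned_bank_mail`: once a sender has committed to signing everything, any unsigned message from that domain is itself a signal, which is exactly the expectation the post says banks should be building in their customers.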

Thanks, NatWest. You are causing fraud.

In the interest of fairness, I should point out that although it's NatWest who triggered this rant and who are mentioned in all the examples above, the banks are mostly as bad as each other. For example last week I got unsigned email from Citibank telling me that a new statement was available online, with a direct link to what was allegedly their online banking site. Which is again an example (well, two examples in close proximity) of shockingly bad practice.

At least NatWest's similar emails, although they are negligently unsigned, do get the other part right and just say "log in to NatWest Credit Card Online Services", without training me to click on random links I find in emails. They force me to use my bookmarks, which is the first and possibly the only good thing I have to say about NatWest today :)


David Woodhouse
Last modified: Mon Jan 04 16:26:34 GMT 2016