Online Banking and the bad URLs that go with it

Published on 5 February 2009

We’ve all seen them.

Dear HSBC customer!

Our Maintenance Department is carrying out a scheduled Online service upgrade. By clicking on the link below you will begin the procedure of the customer login verification.

All followed by a URL you’re supposed to click on. A fake URL of course. Some obviously so. Some not.

In the first half of 2008, there were (according to a BBC News article) 21,000 cases of fraud caused by such emails – a rise of more than 180%. A staggering amount.

Of course, the way to make sure you're never a victim is to always log in via your bank's homepage, never from a URL in an email. Many official bank emails go as far as not even including a URL to click on, as a security measure.

Sometimes it's easy to spot the URLs that are fake, as a trawl through my own spam folder showed. However, sometimes fake URLs do look vaguely genuine, at least compared to the real thing. Would you think nwolb.com was a genuine banking URL? I certainly wouldn't, but it is.

I decided to trawl through the URLs of 17 online banks – a mixture of big and smaller names – to see what URLs they were using for their secure services, and how they varied from the standard domain names…

| Bank | Homepage | Secure Site |
|---|---|---|
| Natwest | www.natwest.com | www.nwolb.com |
| Lloyds TSB | www.lloydstsb.com | online.lloydstsb.co.uk |
| Barclays | www.barclays.co.uk | ibank.barclays.co.uk |
| HSBC | www.hsbc.co.uk | www.hsbc.co.uk |
| Halifax | www.halifax.co.uk | www.halifax-online.co.uk |
| RBS | www.rbs.co.uk | www.rbsdigital.co.uk |
| Bank of Scotland [1] | www.bankofscotlandhalifax.co.uk | www.bankofscotlandhalifax-online.co.uk |
| Nationwide Building Society | www.nationwide.co.uk | olb2.nationet.com |
| Co-operative Bank | www.co-operativebank.co.uk | welcome27.co-operativebank.co.uk |
| Abbey | www.abbey.com | myonlineaccounts2.abbeynational.co.uk |
| Alliance and Leicester | www.alliance-leicester.co.uk | www.mybank.alliance-leicester.co.uk |
| Northern Rock | www.northernrock.co.uk | online.northernrock.co.uk |
| ING Direct | www.ingdirect.co.uk | secure.ingdirect.co.uk |
| First Direct | www.firstdirect.com | www1.banking.first-direct.com |
| Birmingham Midshires | www.askbm.com | www.esavingsaccount.co.uk |
| AA Savings [2] | www.theaa.com/savings | www.esavingsaccount.co.uk |
| Egg | new.egg.com | your.egg.com |

  1. Bank of Scotland's outlets tend to be branded the rather klunky "Bank of Scotland Halifax", hence the URL.
  2. Operated by Birmingham Midshires in the name of the AA.

So what do we see?

One thing really stands out here. Only one bank uses the same web address for its standard site and its secure site – step forward HSBC. This means with HSBC it’s really obvious if someone is trying to spoof – if it doesn’t sit on the hsbc.co.uk domain, you know it’s dubious.

It’s amazingly simple but very effective. Everyone knows it’s the real deal.

Of the remaining 16, 7 use subdomains of the main web address – secure.ingdirect.co.uk, online.northernrock.co.uk or the mysterious ibank.barclays.co.uk.

The result is not as obvious as HSBC's approach, but it will give customers some reassurance that they're in the right place.

Not quite reassuring is that 9 of the 17 banks use a completely different domain for their online banking.
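To make the grouping above concrete, here is an added Python example (not code from the original post) that applies one strict rule to the 17 pairs in the table: compare the registrable domain of the login host with that of the homepage. It assumes a two-entry public-suffix set ("com", "co.uk") is enough for this table; under this strict rule Lloyds TSB and First Direct count as different domains, so its totals come out stricter than the rough 1/7/9 split in the text.

```python
from collections import Counter
from urllib.parse import urlsplit

# The 17 (homepage, secure site) pairs from the table above, as constructed input.
BANKS = [
    ("www.natwest.com", "www.nwolb.com"),
    ("www.lloydstsb.com", "online.lloydstsb.co.uk"),
    ("www.barclays.co.uk", "ibank.barclays.co.uk"),
    ("www.hsbc.co.uk", "www.hsbc.co.uk"),
    ("www.halifax.co.uk", "www.halifax-online.co.uk"),
    ("www.rbs.co.uk", "www.rbsdigital.co.uk"),
    ("www.bankofscotlandhalifax.co.uk", "www.bankofscotlandhalifax-online.co.uk"),
    ("www.nationwide.co.uk", "olb2.nationet.com"),
    ("www.co-operativebank.co.uk", "welcome27.co-operativebank.co.uk"),
    ("www.abbey.com", "myonlineaccounts2.abbeynational.co.uk"),
    ("www.alliance-leicester.co.uk", "www.mybank.alliance-leicester.co.uk"),
    ("www.northernrock.co.uk", "online.northernrock.co.uk"),
    ("www.ingdirect.co.uk", "secure.ingdirect.co.uk"),
    ("www.firstdirect.com", "www1.banking.first-direct.com"),
    ("www.askbm.com", "www.esavingsaccount.co.uk"),
    ("www.theaa.com/savings", "www.esavingsaccount.co.uk"),
    ("new.egg.com", "your.egg.com"),
]

# Assumption: only these public suffixes occur in the table. Real code should use
# the full Public Suffix List, or "co.uk" itself would look like a registrable domain.
PUBLIC_SUFFIXES = {"com", "co.uk"}

def registrable_domain(site: str) -> str:
    """online.lloydstsb.co.uk -> lloydstsb.co.uk; www.theaa.com/savings -> theaa.com."""
    host = urlsplit("//" + site.lower()).hostname  # drops any path or port
    labels = host.split(".")
    for n in (2, 1):  # longest suffix first, so "co.uk" wins over "uk"
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    raise ValueError(f"no known public suffix in {host!r}")

def classify(homepage: str, secure: str) -> str:
    """Relate a bank's login host to its homepage the way the post does."""
    if homepage.lower() == secure.lower():
        return "same host"
    if registrable_domain(homepage) == registrable_domain(secure):
        return "same registrable domain"  # a subdomain or sibling of the homepage
    return "different registrable domain"  # nothing in the host vouches for the brand

def survey(banks=BANKS) -> dict:
    """Count how many of the banks fall into each category."""
    return dict(Counter(classify(home, secure) for home, secure in banks))
```

The comparison deliberately uses the registrable domain rather than a substring match on the brand name, because a brand name appearing somewhere in a hostname says nothing about who controls it.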

They range from the close but not quite there of Lloyds TSB, whose main site is a dot com address, whereas online banking suddenly sits on lloydstsb.co.uk for no apparent reason. Close, but not the same.

Halifax, Bank of Scotland and Royal Bank of Scotland go for an even more different domain, hacking "-online" or "digital" onto the domain names. That Halifax and Bank of Scotland take the same approach should not be surprising given that the two banks merged in 2001. Indeed both banks share the same online banking system, so a Halifax customer can happily log into the Bank of Scotland site and vice versa.

Abbey also get some minus points for the fact that they're still using abbeynational.co.uk for their online banking despite the Abbey National brand being ditched in 2003. True, most people will know Abbey by its former name, but frankly it does them no favours not to have sorted that inconsistency out yet.

But then we get into the frankly worrying: Birmingham Midshires' esavingsaccount.co.uk gives absolutely nothing away, and it's shared with the AA. It's generic and unclear, and ripe for spoofing. How is any BM or AA customer supposed to know that they're at the right place?

Ditto the frankly random online URLs of Nationwide and Natwest, olb2.nationet.com and www.nwolb.com. They just look made up and frankly false. How on earth am I supposed to know that either of them is real?

And First Direct, part of the mighty HSBC, offer perhaps the most worrying online banking experience. Whilst their secure site is at a sensible URL, online banking opens in a popup window without an address bar, so the user has no idea where they are and no way of checking what the correct address is, unless their web browser ensures that the URL is shown for security reasons (as Firefox does, for example).

What’s the game?

To be honest, I’m perturbed by those eight banks who use entirely different domain names for their online banking services. There’s just no good technical reason to do so, and absolutely every user-facing reason not to do so!

It’s as trivial to set up online banking systems to use a sub-domain as it is to use a whole new domain name. So why aren’t half the banks here doing it? What’s going on?

We’re told time and time again to be careful when logging into online banking systems – to avoid the scams and to have confidence in online banking. Well isn’t it about time that the banks themselves help us to have confidence in their abilities?

The obvious solution is to always follow the links from your bank’s website – it’s hard to go wrong. But if we pop to the high street, would you trust a cash machine outside a branch of NatWest that said “NWCM” on the illuminated panel? Or one outside a Birmingham Midshires that was branded “Outdoor Cash Machine”?

Of course you wouldn’t. So why is the web seen as being any different?

Still, at least most banks give you the courtesy of seeing the web address. First Direct's insistence that you use a popup window gives me absolutely no confidence at all…

9 Comments

  • Sven Latham says:

    It’s worrying, to say the least, that some of those domains are only barely associated with their brand.
    When Verified by Visa was first introduced I noticed the password prompt was coming from secure.arcot.com – nothing (apparently) to do with Visa, my bank or the e-commerce site I was using at the time.
    With a healthy dose of paranoia, I called up the bank, who were a bit confused and eventually told me "it should be fine". Only after a lengthy conversation with their Internet team could they confirm it as legitimate.

  • CentralUser says:

    I think that Barclays cash dispensers are all branded ‘Hole in the Wall’.

  • Andrew Bowden says:

    Sven – indeed I’d forgotten about Verified by Visa and Mastercard SecureCode – both of which use completely abstract URLs. I’m sure I looked at the top level domain for one once and got absolutely no hint as to who owned it, or who operated it.

  • Andrew Bowden says:

    CentralUser – They do at least have the Barclays logo on them if I remember correctly. But not good.
    Still, not as obscure as the “Raphaels Bank” cash machines operated at Westfield London. Oldest independent banking house in the UK apparently… But I have seen at least one person look at them highly suspiciously and not use them.

  • Simon says:

    Something I’d not really thought about before: we say “go from the bank’s main website to make sure you’re going to the right place”. But… the bank’s main website is not authenticated. So (and I claim no technical knowledge of how plausible this is), would it not be possible for somebody to use a man-in-the-middle attack, or some sort of DNS hack, to replace the bank’s main website and send you to the wrong secure site?
    Yes, this is a different issue, but if the secure sites were on obvious domains it wouldn’t *be* an issue, because we could just check where we were when we were entering our credentials.
    Re Verified By Visa and Securecode, it's true that the URLs are impenetrable, but they do show you a password/phrase that only you or they should know, which tells you that they are who they say they are. Alliance & Leicester does this with its banking, too.

  • Kirk says:

    Now, most spam I get for Natwest sends me to something like http://veryverysecure.natwest.com/
    Therefore I know immediately that it’s not a real e-mail. (I knew before, of course, but you get my point)
    nwolb.com is therefore better as a URL.
    (Try A+L Business – their domain is something silly like mybusinessbank.com. And their online banking is crap too.)

  • Andrew Bowden says:

    I was (briefly) an A&L customer. They were so crap they couldn’t even transfer a current account for me.
    Go figure why I don’t bank with them anymore!

  • Kirk says:

    Well, whatever you say about Natwest, their online banking does work rather well.
    Somewhat too keen to log you out very quickly though.

  • Sertac Demircelik says:

    Raphael’s cash machines charged me twice!!
    I withdrew money last Friday, 250 pounds, but the machine charged my account 500! I have no idea how the machine can charge you 250 pounds from your account and not give the money, and instead give you a paper saying there are insufficient funds in my account!!
    I am searching for which branch the machines in front of Westfield Shopping Center belong to. Who can help?