Online Banking and the bad URLs that go with it
We’ve all seen them.
Dear HSBC customer!
Our Maintenance Department is carrying out a scheduled Online service upgrade. By clicking on the link below you will begin the procedure of the customer login verification.
All followed by a URL you’re supposed to click on. A fake URL of course. Some obviously so. Some not.
In the first half of 2008, there were (according to a BBC News article) 21,000 cases of fraud caused by such emails – a rise of more than 180%. A staggering amount.
Of course, the way to make sure you’re not a victim is to always log in via your bank’s homepage – never from a URL in an email. Many official bank emails go as far as not even including a URL to click on as a security measure.
Sometimes it’s easy to spot the URLs that are fake as a trawl through my own spam folder showed. However sometimes URLs do look vaguely genuine – well compared to the real thing anyway. Would you think nwolb.com was a genuine banking URL? I certainly wouldn’t, but it is.
I decided to trawl through the URLs of 17 online banks – a mixture of big and smaller names – to see what URLs they were using for their secure services, and how they varied from the standard domain names…
|Bank|Main site|Online banking site|
|---|---|---|
|Bank of Scotland [1]|www.bankofscotlandhalifax.co.uk|www.bankofscotlandhalifax-online.co.uk|
|Nationwide Building Society|www.nationwide.co.uk|olb2.nationet.com|
|Alliance and Leicester|www.alliance-leicester.co.uk|www.mybank.alliance-leicester.co.uk|
|AA Savings [2]|www.theaa.com/savings|www.esavingsaccount.co.uk|

[1] Bank of Scotland’s outlets tend to be branded the rather klunky “Bank of Scotland Halifax” hence the URL.
[2] Operated by Birmingham Midshires in the name of the AA.
So what do we see?
One thing really stands out here. Only one bank uses the same web address for its standard site and its secure site – step forward HSBC. This means with HSBC it’s really obvious if someone is trying to spoof – if it doesn’t sit on the hsbc.co.uk domain, you know it’s dubious.
It’s amazingly simple but very effective. Everyone knows it’s the real deal.
Of the remaining 16, 7 use subdomains of the main web address – secure.ingdirect.co.uk, online.northernrock.co.uk or the mysterious ibank.barclays.co.uk.
The result is not as obvious as HSBC’s approach, but it will give customers some reassurance that they’re in the right place.
Not quite reassuring is that 9 of the 17 banks use a completely different domain for their online banking.
They range from the close-but-not-quite-there of Lloyds TSB, whose main site is a dot com address whilst online banking suddenly sits on lloydstsb.co.uk for no apparent reason. Close, but not the same.
Halifax, Bank of Scotland, Royal Bank of Scotland go for an even more different domain – hacking “-online” or “digital” onto the domain names. That Halifax and Bank of Scotland take the same approach should not be surprising given the fact the two banks merged in 2001. Indeed both banks share the same online banking system so a Halifax customer can happily log into the Bank of Scotland site and vice versa.
Abbey also get some minus points for still using abbeynational.co.uk for their online banking despite the Abbey National brand being ditched in 2003. True, most people will know Abbey by its former name, but frankly it does them no favours not to have sorted that inconsistency out yet.
But then we get into the frankly worrying – Birmingham Midshires’s esavingsaccount.co.uk gives absolutely nothing away, and it’s shared with the AA. It’s generic and unclear – and ripe for spoofing. How is any BM or AA customer supposed to know that they’re at the right place?
Ditto the frankly random online URLs of Nationwide and Natwest, with their olb2.nationet.com and www.nwolb.com. They just look made up and frankly false. How on earth am I supposed to know that either of them is real?
And First Direct – part of the mighty HSBC – offer perhaps the most worrying online banking experience. Whilst their secure site is at a sensible URL, online banking opens in a popup window without an address bar – the user has no idea where they are, no way of checking what the correct address is unless their web browser ensures that the URL is shown for security reasons (as Firefox does, for example).
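The three groupings used above (same address, subdomain of the main site, completely different domain) can be checked mechanically by comparing registrable domains. The Python below is an added example, not part of the original post; the function names, the hard-coded suffix set, the `www.hsbc.co.uk` host and the `example.net` lookalike are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List that covers only the
# suffixes used below. Production code should load the full list instead.
PUBLIC_SUFFIXES = {"co.uk", "com", "net"}


def hostname(url_or_host):
    """Lower-cased host from a full URL or a bare 'host/path' string."""
    text = url_or_host.strip()
    if "//" not in text:
        text = "//" + text  # lets urlsplit treat it as a network location
    return (urlsplit(text).hostname or "").rstrip(".")


def registrable_domain(host):
    """Public suffix plus one label, e.g. www.hsbc.co.uk -> hsbc.co.uk."""
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError("no known public suffix in %r" % host)


def classify(main_site, login_site):
    """Place a login host in one of the three groups the article describes."""
    main, login = hostname(main_site), hostname(login_site)
    strip_www = lambda h: h[4:] if h.startswith("www.") else h
    if strip_www(main) == strip_www(login):
        return "same address"
    if registrable_domain(main) == registrable_domain(login):
        return "subdomain of main site"
    return "different domain"


# Hostnames from the article's table, plus HSBC and a constructed lookalike.
PAIRS = [
    ("www.hsbc.co.uk", "www.hsbc.co.uk"),  # assumed host on hsbc.co.uk
    ("www.alliance-leicester.co.uk", "www.mybank.alliance-leicester.co.uk"),
    ("www.bankofscotlandhalifax.co.uk", "www.bankofscotlandhalifax-online.co.uk"),
    ("www.nationwide.co.uk", "olb2.nationet.com"),
    ("www.theaa.com/savings", "www.esavingsaccount.co.uk"),
    ("www.hsbc.co.uk", "http://hsbc.co.uk.example.net/login"),  # constructed
]

if __name__ == "__main__":
    for main_site, login_site in PAIRS:
        print(classify(main_site, login_site), "|", main_site, "->", login_site)
```

The last pair shows why the comparison is made on the registrable domain rather than on whether the bank's name appears somewhere in the host.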
What’s the game?
To be honest, I’m perturbed by those eight banks who use entirely different domain names for their online banking services. There’s just no good technical reason to do so, and absolutely every user-facing reason not to do so!
It’s as trivial to set up online banking systems to use a sub-domain as it is to use a whole new domain name. So why aren’t half the banks here doing it? What’s going on?
We’re told time and time again to be careful when logging into online banking systems – to avoid the scams and to have confidence in online banking. Well isn’t it about time that the banks themselves help us to have confidence in their abilities?
The obvious solution is to always follow the links from your bank’s website – it’s hard to go wrong. But if we pop to the high street, would you trust a cash machine outside a branch of NatWest that said “NWCM” on the illuminated panel? Or one outside a Birmingham Midshires that was branded “Outdoor Cash Machine”?
Of course you wouldn’t. So why is the web seen as being any different?
Still, at least most banks give you the courtesy of seeing the web address. First Direct’s insistence that you use a popup window gives me absolutely no confidence at all…