Royal Bank of Scotland iOS app updates

I can’t register for Biometrics on RBS app either.

Huh, it seems like NatWest have finally moved their online banking over to their main domain. It’s no longer at nwolb.com but is now at onlinebanking.natwest.com, which makes a lot more sense. I still find it annoying that Lloyds use lloydsbank.com for their main website but lloydsbank.co.uk for their online banking.

1 Like

I hope this stuff works more like Atom’s biometrics, whereby your selfie is encoded and compared with the code stored on the server, and less like Monzo’s where a human has to review it.

2 Likes

I think it does, based on the impression their FAQs give (although they aren’t explicit on it).

Possibly they might use human review if you don’t pass the automated checks?

Finally!

This was another area where banks just wouldn’t practice what they preach, for some reason. Security advice is always “don’t follow links, type in the address of the bank’s website so you know you are going to the right place”.

You could do this, then click the login button, then get redirected to a totally different domain. Have I been scammed by a dodgy browser extension which has intercepted my session and sent me to a spoof login page to steal my details? Do I have a virus on my computer?

No, I know this because I have checked the certificate of the domain and it’s an SSL Extended Validation cert, with verification of the owner as NatWest/RBS or something to do with the group. Should you have to do this to be confident you are on the genuine site? No. Should casual users be “trained” to ignore the suspicious-looking URL? No.

How hard is it to get these things right?!

Don’t even get me started on the madness of NatWest not using https on their primary domain until about 4 years ago. They only finally did once Chromium browsers marked the site as not secure, and even then the login button had a confusing-looking padlock (training the user to look for a picture of a padlock instead of the browser’s https padlock).

Absolutely crazy.

1 Like

I remember this, they didn’t even change it for days after this blog was everywhere!

To be fair to them, sometimes it’s not that simple, though these days TLS changes should, in theory… work well and can usually be applied pretty fast. But having just spent time working on TLS problems, ‘should’ and ‘could’ are exactly the right words. Don’t get it right and you deny access to Bob on his old computer, or some other system somewhere you didn’t know about until now.

Troy Hunt is pretty good at being on the mark though :+1:

If you were a bank, you would think https would be implemented across all your websites as soon as it was released.

Maybe the initial implementation would take time and be fiddly, it might even cause problems with some legacy systems (and we know they have lots of those at RBS) but it should absolutely be a requirement. By the time this was big news, they should have done it. I don’t care how hard it was to do, they would have had twenty years to do it! Everyone else (other businesses) managed it.

I’m not going to give them a pass on this.

:joy: You’d be forgiven for thinking that would be the norm. It’s not. I wish it was; I’d just enforce TLS 1.3 only, my life would be so much easier if that were true.

https on sites by default is a fairly new thing in reality. It cost money to buy the certificates, it impacted performance, it required additional maintenance, and it just wasn’t the norm.

To give an idea of how slow TLS adoption is:

TLS 1.0 and 1.1 were ditched in 2018, and the big tech companies phased them out in 2020, and both are still scattered around the internet in common use.

TLS 1.3 has been out since 2018 and absolutely tonnes of places still don’t support it (including RBS)

Chrome only recently just made https default in the browser, like literally just this March.

4 years ago doesn’t sound that long ago, but in terms of internet tech and advancements it’s decades. In 2017 only around 50-60% of internet traffic on the browsers was encrypted; encrypting everything just wasn’t a thing and was only really starting to be taken more seriously (Troy even talks about this in 2017). It isn’t until around 2019 that we start to see 90% adoption rates. It doesn’t dismiss Troy’s point, they missed an issue (though I don’t blame the Twitter support for their response, they didn’t know what he was on about or who he was).

The rules also continue to change as well as standards develop.

4 days from Troy’s initial Twitter post to redirecting the site. Not bad, not good; about average I’d say for a company that size.

I think the more important thing that should come out of that issue is the need for better access to report security issues.

2 Likes
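The “enforce TLS 1.3 only” wish and the “deny access to Bob on his old computer” risk from the post above, as an added example that is not from the original thread or from any bank’s code: a Go program that spins up an in-process TLS server with a chosen minimum version and dials it with a client capped at a chosen maximum, then reports the negotiated version and the certificate’s Organization (the owner name a user reads when checking the certificate). The host name “bank.example”, the organisation “Example Bank plc” and the self-signed certificate are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Throwaway self-signed cert for the constructed host "bank.example" (hypothetical, not a real bank's) and a trust store holding only it.
var bankCert, bankPool = func() (tls.Certificate, *x509.CertPool) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Bank plc"}},
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"bank.example"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing bytes produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}()
// Handshake runs one client handshake (capped at clientMax) against an in-process server that refuses anything
// below serverMin; 0x0303 = TLS 1.2, 0x0304 = TLS 1.3. Returns the negotiated version and the cert's Organization.
func Handshake(serverMin, clientMax uint16) (uint16, string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{bankCert}, MinVersion: serverMin})
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	go func() { // server side: accept once, drive the handshake, hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // a version mismatch fails here and is reported to the client
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: bankPool, ServerName: "bank.example", MaxVersion: clientMax})
	if err != nil {
		return 0, "", err // e.g. "tls: protocol version not supported" for a TLS 1.2-only client
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.PeerCertificates[0].Subject.Organization[0], nil
}
```

Calling `Handshake(0x0304, 0x0303)` reproduces the legacy-client outage: the 1.3-only server refuses the TLS 1.2 client outright, whereas `Handshake(0x0303, 0x0303)` still lets it in.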

I agree, and also for the companies to take those reports seriously. Troy’s initial efforts to highlight the problem were dismissed by their first line support and, although I wouldn’t expect them to understand detailed technical details, they should at least have promised to look into it. That stands out as one of the worst parts of the story.

Also, if as Troy’s blog post shows, we were at about 50% of sites https enabled by January 2017, you would have expected a major bank to be well within the first 50% (even within the first 25%) as most websites don’t hold important and confidential information like banks do - so the need for https was less pressing, even though it was still better from a security perspective to have it.

I think a major global bank could also afford a few hundred pounds here and there for even a relatively-expensive set of EV certs.

Finally, Chrome making https default is a bit different as that is a move towards an https-only internet. Just supporting https is easier and should have been done earlier.

2 Likes

I agree it should have been done earlier, and they should have caught all the pages with links to logins; I just thought I’d provide some context around it, as even today TLS can be a headache.

It was useful content, so thanks for posting it, and you are right that the internet as a whole has only embraced https fairly recently, I’ve noticed.

I remember using the flags page to enable the Chrome “Not Secure” message early, and lots of sites showed it at first (it was much more obvious then, of course, who was still on http only).

I also remember a prominent tech website, maybe Wired or something, doing a name and shame list on the day the change went live publicly. I think the Daily Mail was the most-used site without support at the time.

Cool, thanks for the tip :slight_smile: May I ask do you work for the Group? You aren’t by any chance the same guy who used to give us a sneak peek of what was being developed at NatWest back on FTT are you?

Do you mean me or @Eden?

For me, the answer is No and No.

I did follow the thread on FTT, mostly without contributing anything as I don’t have any inside information. I think I may have posted once or twice to say that I’d noticed something new in the Coming soon panel of the app.

How strange - there was a post directly above mine that I was replying to that said that biometric enrolment is now live with NatWest and Ulster, with RBS coming soon. And that biometric approval is coming soon for all three brands (and not yet live). This led me to question whether the poster was an insider.

Not sure where the hell that post has gone?!

Maybe the insider thought better of it and was worried about being rumbled, so went quiet!

1 Like

Quite possibly! I always wondered just how much trouble these leakers would be in if their employers tracked them down. But if someone deletes a post on here, doesn’t it stay in place (but ‘hidden’) for 24 hours? Perhaps they contacted a mod to have it removed immediately due to second thoughts along the lines you allude to :thinking:

Maybe, I’m not sure how deleting a post works. I think it might get instantly deleted if you do it within a certain window of time?

As for the amount of trouble they’d be in, clearly it depends on the company, but if the stories from Apple leakers are anything to go by it could be extremely serious. They would likely be fired, anyway, which is enough of a deterrent for most I would think.

1 Like

Ah yes, that might be it.

Yes, Apple’s policy is super strict. I always think of that guy who was fired when his daughter came to work with him and uploaded a video of her day to YouTube. As far as I know nothing especially confidential was actually leaked, but it seems the principle was enough for total dismissal.

Edit: just looked it up and apparently she leaked the iPhone X before release. That is incredibly major and totally deserves dismissal; no idea why the dad was ok with that.

1 Like

If I recall that correctly, and it’s the same video as the one you are thinking of, the guy worked at Apple Park and the daughter was some kind of vlogger.

He thought, for some reason, that he could take his family including said vlogging daughter, to Apple Park and film the whole thing while showing off the then-unreleased iPhone X.

It was a major leak, the likes of which we haven’t seen since. Pretty bad. They then fired the guy virtually immediately and the daughter posted a kind of sorry video to her channel, where she was crying, saying her dad had been fired. She claimed to have no idea that he would get fired and hadn’t even thought about it as a possibility.

1 Like