It's late, so I'll just copy-and-paste this release about a rather stupid failure by NatWest to set an SPF record for one of their critical domains.
NatWest Fail To Adequately Protect Customers Online From Increasingly Sophisticated Cyber Crime Threats
London UK, Wednesday 9th July 2014 – A leading email security specialist organisation has identified a simple yet important flaw in online banking systems which could be exposing unknowing customers to cyber-orientated threats.
Graeme Batsman, director of the London-based IT and email security company 'Atbash', has identified a vulnerability in the system used by NatWest, highlighting a susceptibility to spoofed phishing emails and malware.
The flaw identified in the current email security set-up employed by NatWest bank has been found to decrease the possibility of phishing emails being identified and filtered out safely, which would otherwise protect online customers.
Mr Batsman commented “Being a security techy, I spent time pulling software, spoofed emails or viruses apart to see exactly how they work and where the possible flaws can be seen. During early July I was handed a sample of an email from NatWest which slipped past the security system. After inspecting the problem and testing the vulnerability I identified that the problem was a missing SPF record.”
A 'Sender Policy Framework' (known as SPF) is a free, open source method of identifying and capturing dangerous and compromised emails by comparing records saved online against the actual email received. A full configuration to close the vulnerability would have taken around 30 minutes and costs nothing to implement.
Graeme Batsman continued “To put it simply, NatWest’s email servers are based within the United Kingdom, so if someone was sending an email from New Zealand pretending to be NatWest, it should get blocked. When an email is sent there is a simple check done in the background to see where the email should come from (in this case the UK) and where it actually comes from (in this case New Zealand). If the two do not tie up then email servers will determine the email to be fake and it will be blocked.”
Unlike other cyber threats facing large corporations with an obligation to protect customer data, this particular vulnerability in the NatWest system would have cost nothing to address. By integrating an SPF record on the system, the bank would have increased the chance of email spam filters detecting that the email is a fake and, as a result, offered better protection for their customers.
Whilst NatWest.com does have SPF records set up, the critical domain nwolb.com, which is used for online banking login, does not. This leads to cyber criminals being particularly attracted to the nwolb.com domain.
This is obviously a major concern to NatWest online banking customers; however, other major banks such as Metro Bank, Barclays, Santander and Lloyds already have SPF records set up for their domains which relate to online banking login paths.
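The SPF comparison the release describes, written out as an added example (this is not code from the release, from Atbash or from NatWest): a minimal evaluator for the ip4, ip6 and all mechanisms of RFC 7208, with the DNS TXT lookup replaced by a constructed in-memory table so it runs offline. The domain names, record contents and IP addresses are invented for illustration and are not NatWest's real records. It shows the practical consequence of the missing record: a domain that publishes no SPF record evaluates to "none", so a receiving server has nothing to reject a spoofed message against, whereas a domain publishing a "-all" policy yields "fail" for any sender outside its listed address ranges.

```python
"""Minimal SPF (RFC 7208) evaluator: ip4, ip6 and all mechanisms only.

Added example, not code from the press release or from Atbash.  DNS is
replaced by a constructed in-memory table so the check runs offline; the
domain names, records and addresses below are made up for illustration.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records).  One domain
# publishes an SPF policy with a hard-fail default; the other publishes none,
# which is the situation the release describes for nwolb.com.
FAKE_DNS_TXT = {
    "bank-with-spf.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "bank-without-spf.example": None,  # no SPF TXT record at all
}

# RFC 7208 qualifier prefixes and the result each produces when matched.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for domain, or None if it publishes none.

    A real receiver would issue a DNS TXT query here.
    """
    return dns.get(domain)


def check_host(client_ip, domain, dns=FAKE_DNS_TXT):
    """Evaluate the connecting host against the domain's SPF policy.

    Returns one of the RFC 7208 results: none, pass, fail, softfail, neutral.
    'none' means the receiver found no policy to compare against, so a
    spoofed message cannot be rejected on SPF grounds at all.
    """
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to a 'pass' qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all, usually -all or ~all
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include:, a, mx, exists: and redirect= need live DNS; skipped here.
    return "neutral"  # RFC 7208 section 4.7: nothing matched, no redirect


def receiver_decision(client_ip, domain, dns=FAKE_DNS_TXT):
    """Map the SPF result to the action a strict receiver would take."""
    result = check_host(client_ip, domain, dns)
    return result, ("reject" if result == "fail" else "accept")


if __name__ == "__main__":
    # A spoofer in a foreign network (203.0.113.9 is a documentation address)
    # sending as each domain.
    for domain in FAKE_DNS_TXT:
        print(domain, receiver_decision("203.0.113.9", domain))
```

Publishing the record is the whole sender-side fix: one TXT line such as `v=spf1 ip4:<your MX ranges> -all` on the domain. On the receiving side, real implementations resolve the TXT record over DNS and must also handle include:, a, mx and redirect=, which this example leaves out because they cannot be evaluated without network access.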
Knowing banks, it would have taken a lot more than 30 minutes to fix this, and millions of pounds. Oh yes, taxpayers' money in the case of NatWest. But it certainly does look like a basic security failure that makes me glad that I bank elsewhere.