Why the RBS Vulnerability Could Spell the End of Endpoint Security


Ted McKendall

A recent survey by the Office of National Statistics revealed that seven out of 10 people in the UK now bank online. It’s likely, however, that most of these people won’t be employing the latest security measures to protect their online transactions and their personal information. It’s perhaps unsurprising, then, to learn that almost half of financial service providers expressed serious concerns around threats to the security of their online banking services. In a bid to address this, banks have traditionally tried to encourage their customers to adopt endpoint protection (EPP), providing them with the necessary software free of charge. However, as some RBS customers found to their cost recently, this approach is far from ideal. 


Extremely Serious Flaw 

Since January, the UK banking group had been offering its customers a free online security product. Described by its vendor as “next generation protection” against cyber threats, the software was designed to identify common cyber-attacks and prevent them from stealing a customer’s data or locking it away with ransomware.  

But researchers uncovered an “extremely serious” security flaw which enabled them to easily gain access to a user’s computer, from where it would have been possible to enjoy complete visibility over their emails, internet history and bank details. The flaw has since been addressed, although not before around 50,000 people had downloaded the vulnerable software.  

Security researcher Ken Munro told the BBC the security software runs on a high level of privilege on a user’s machine. “It’s essential that it is held to the highest possible standards.” Given the potential access it could have granted cyber criminals on the search for valuable personal financial information, it’s clear that this was not the case.

What’s more, it perfectly illustrates the problem with relying on customers to download and install EPP software. The adoption rates for such solutions are already low and have been decreasing in recent years. As cloud and hosted services have proliferated, customer behaviours have changed, and consumers are increasingly unwilling to undertake the additional step of downloading software simply to be able to bank online. Downloading software also requires a degree of trust, and stories such as this are likely to make consumers even less likely to take advantage of free security software offered by their bank.

A new approach is required, therefore, if banks hope to protect their customers’ information, and avoid the reputational damage that can arise from situations such as this.  


Invisible Protection 

The traditional approach of providing customers with EPP solutions is no longer fit for purpose. For one thing, it’s unrealistic to expect users to take responsibility for their own security – as we’ve seen, very few are willing to do so. What’s more, EPP solutions simply aren’t able to keep up with the pace at which malware changes, making it easy for cyber criminals to bypass them. Endpoint security has long been outdated; this incident with RBS may well just be the final nail in the coffin. 

The solution is for banks to move away from focusing purely on the endpoint and instead focus on securing the point where the customer and the provider meet: the transaction page. This sits within the bank’s own infrastructure, which means it can be protected without asking the customer to download anything. This “agentless” approach removes the reliance on the customer, increasing security and also improving CX. Furthermore, evaluating both the user side and the web server side of a web session simultaneously paints a more comprehensive picture of threats, and more attacks can be stopped this way than by concentrating on just one aspect or the other.

This is where Protector Air comes into its own. Injected into each visitor web request, it protects a bank’s customers from any attempts at data exfiltration and malware insertion – without the customer even knowing it’s there.  

Significantly more effective than traditional EPP solutions, this innovative new technology means banks need no longer rely on their customers protecting themselves; an approach that’s – at best – unreliable and – at worst – dangerous, as RBS customers discovered the hard way.

For more information on how to protect your business with Trusted Knight, click here.