Customers at the Royal Bank of Scotland have been put at grave risk of cyber attacks due to flawed security software.
Since January this year, the bank has recommended the Thor Foresight Enterprise product, developed by Heimdal Security, to business banking customers.
The product is promoted as “next generation protection” against cyber threats; however, security researchers at Pen Test Partners discovered an “extremely dangerous” command injection flaw that compromised customer PCs.
Speaking to the BBC, security researcher at Pen Test Partners, Ken Munro, said: “We were able to gain access to a victim’s computer very easily. Attackers could have had complete control of that person’s emails, internet history and bank details.”
Munro added: “To do this we had to intercept the user’s internet traffic but that is quite simple to do when you consider the unsecured public WiFi out there, and it’s often all too easy to compromise home WiFi set-ups.”
Heimdal’s Thor software is designed to prevent attackers from stealing data or encrypting it with ransomware, acting as a filter that spots common cyber threats before they can compromise an individual or business.
The firm responded swiftly to rectify the issue and in a statement, Heimdal chief executive Morten Kjaersgaard, commented: “We naturally treat information like this very seriously. We issued a fix and automatically updated 97% of all affected endpoints within four days of being informed, and the rest shortly after.”
Despite Heimdal’s prompt response, researchers at Pen Test Partners wrote in a blog post that the firm had “fallen far short”.
Certificate validation issues “should have been caught far earlier,” according to the researchers, who noted that many problems of this kind can be caught at the code review stage.
Additionally, significant changes to software should be tested, and checks to establish whether certificate validation is working “should be done frequently, and ideally, automatically.”
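As an added illustration of that last recommendation (not code from the article, Heimdal or Pen Test Partners), the following Go test stands up a local HTTPS server presenting an untrusted self-signed certificate, the same situation a traffic-interception attack creates, and confirms that a client with default validation refuses it while a client with validation disabled does not. The names Verdict, probe and RunProbes are my own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Verdict records how one client configuration treated a self-signed server certificate.
type Verdict struct {
	Name      string
	Rejected  bool   // handshake refused: what a hardened client must do
	CertError bool   // refusal was specifically a certificate-trust failure
	Detail    string // error text, or the HTTP status on success
}

// probe issues one GET with the given TLS settings (nil = library defaults).
func probe(name, url string, cfg *tls.Config) Verdict {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		var ua x509.UnknownAuthorityError
		return Verdict{Name: name, Rejected: true, CertError: errors.As(err, &ua), Detail: err.Error()}
	}
	resp.Body.Close()
	return Verdict{Name: name, Detail: fmt.Sprintf("connected, HTTP %d", resp.StatusCode)}
}
// RunProbes starts a local HTTPS server whose certificate no CA issued (the shape an
// interception proxy presents) and runs three client configurations against it.
func RunProbes() []Verdict {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	pinned := x509.NewCertPool() // correct way to trust a private cert: pin it as the only root
	pinned.AddCert(srv.Certificate())
	return []Verdict{
		probe("default validation", srv.URL, nil),                                          // must reject
		probe("pinned root", srv.URL, &tls.Config{RootCAs: pinned}),                        // trusts it deliberately
		probe("InsecureSkipVerify (weak)", srv.URL, &tls.Config{InsecureSkipVerify: true}), // accepts anything
	}
}
func main() {
	for _, v := range RunProbes() {
		fmt.Printf("%-26s rejected=%-5v certError=%-5v %s\n", v.Name, v.Rejected, v.CertError, v.Detail)
	}
}
```

Run as a regular Go test in CI and the build fails the moment any client configuration starts accepting an untrusted certificate.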
Although the software bug has been fixed, it is believed that around 50,000 customers were affected. While this number appears significant, it represents only around 8% of the total number of machines running the software worldwide, the company insisted.
RBS confirmed that only NatWest customers had been affected, as the product is not yet being offered to customers of other group banks. Additionally, the bank emphasised that “no customers suffered any adverse consequences” due to the bug.
A spokesperson for the banking group said: “We were made aware of a potential software issue that could apply to a small number of our early-adopting customers.”