
Porosity of RBS Worldpay site down to poor code auditing

Fortify : 16 September, 2009  (Technical Article)
A hacker's revelation that RBS Worldpay web portals are open to vulnerabilities doesn't surprise Fortify, which recommends code auditing as a preventive measure.
News that RBS Worldpay's various web portals are 'riddled with holes', according to a grey hat hacker, has been met with the public relations spin that you might expect.

But when you get down to basics, you realise that the reports of Unu, the Romanian hacker, about the vulnerabilities are valid enough.

So how did RBS Worldpay end up in this unfortunate position? According to Fortify Software, the application vulnerability specialist, it all comes down to what appears to be poor code auditing at the programming level.

'Coupled with lack of security soak testing, which is a must-have for any transaction processing system, RBS Worldpay's sites appear to have been hit by cross-site scripting (XSS) security problems,' said Richard Kirk, Fortify's European Director.

'Of course, RBS Worldpay isn't alone in its sites having XSS problems, but it is a high profile problem, simply because the company processes card payments online for a large number of e-tailers,' he added.

Even though the bank is saying that the database that Unu claims to have compromised only contained dummy data, this is turning into something of a PR disaster, said Kirk.

Banks, he explained, have to be very careful at the moment when it comes to their brand image, for the simple reason that they are being held - rightly or wrongly - as responsible for the current economic woes of the world.

This, says Fortify's director, makes them ultra-susceptible to negative publicity, especially of the type that Romanian blogger Unu has been giving them.

'What's done is done with RBS Worldpay in terms of its reputation from this incident and I wouldn't pretend to tell the bank's public relations department how to go from here,' he said.

'The saga is, however, a standout lesson to other financial institutions as to what can go wrong when you don't carry out code auditing and site soak testing,' he added.