RBS Worldpay website problems down to lack of code auditing

News that RBS Worldpay's various web portals are "riddled with holes", according to a grey hat hacker, has been met with the public relations spin you might expect.

But when you get down to basics, you realise that the reports of Unu, the Romanian hacker, about the vulnerabilities are valid enough.

So how did RBS Worldpay end up in this unfortunate position? According to Fortify Software, the application vulnerability specialist, it all comes down to what appears to be poor code auditing at the programming level.

"Coupled with lack of security soak testing, which is a must-have for any transaction processing system, RBS Worldpay's sites appear to have been hit by cross-site scripting (XSS) security problems," said Richard Kirk, Fortify's European Director.

"Of course, RBS Worldpay isn't alone in its sites having XSS problems, but it is a high profile problem, simply because the company processes card payments online for a large number of e-tailers," he added.

Even though the bank is saying that the database that Unu claims to have compromised only contained dummy data, this is turning into something of a PR disaster, said Kirk.

Banks, he explained, have to be very careful at the moment when it comes to their brand image, for the simple reason that they are being held - rightly or wrongly - responsible for the current economic woes of the world.

This, says Fortify's director, makes them ultra-susceptible to negative publicity, especially of the type that Romanian blogger Unu has been giving them.

"What's done is done with RBS Worldpay in terms of its reputation from this incident and I wouldn't pretend to tell the bank's public relations department how to go from here," he said.

"The saga is, however, a standout lesson to other financial institutions as to what can go wrong when you don't carry out code auditing and site soak testing," he added.

For more on the Unu saga: http://preview.tinyurl.com/oauoxv

For more on Fortify: http://www.fortify.com