Looks like this is an issue most people are forgetting. This forum (community.revolut.com) should use HTTPS for better security. It could save people from potential MITM attacks on a public Wi-Fi network for example.
Well, I won’t go to that extreme point. Revolut’s security is excellent, using HTTPS, AES encryption and even VPN tunnels through the app to protect the connection… plus non-optional double authentication!
The security footprint should include all sub-domains. A man in the middle attack could be performed on the forum, then that could be used to provide malicious advice to assist with attacking the app itself.
Fintech companies need to look at the whole security picture, not just their app itself.
This is somewhere that prehistoric banks seem to do much better at.
I got very confused whilst working on a bank’s website a while ago, as I couldn’t get a subdomain working with either http or https, even with a supposedly valid https certificate. This was due to the use of HSTS, which blocked me from creating a valid subdomain even though I had access to everything I thought I required. I didn’t even know what HSTS was until that point, but it’s standard procedure for all (good) financial institutions.
This is a useful security measure which could prevent problems like this from occurring again, even if someone in management decides to (attempt to) bypass https like this.
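The behaviour described in the post above (an HSTS policy on the parent domain forcing HTTPS on every subdomain, so a plain-http subdomain simply cannot be reached) follows the matching rules of RFC 6797: a policy applies to the exact host that sent it, and to subdomains only if the header carried `includeSubDomains`. The following is an added example, not code from the thread or from Revolut, that parses a `Strict-Transport-Security` header and applies those matching rules the way a browser's HSTS cache would. The hostnames, header values and timestamps are constructed for illustration.

```python
"""Parse Strict-Transport-Security headers and decide whether a cached HSTS
policy forces a request to another host onto HTTPS (RFC 6797 matching).

Added example; hostnames and policies below are constructed, not observed."""
import re


def parse_hsts(header_value):
    """Parse the directives of an HSTS header value into a dict.

    Directive names are case-insensitive; max-age is mandatory and must be a
    non-negative integer (quoted values are accepted, as the RFC allows)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def learn_policy(cache, host, header_value, now):
    """Record (or, for max-age=0, forget) the policy a host sent over HTTPS.

    `cache` maps a lowercase hostname to its expiry time and subdomain flag;
    `now` is a Unix timestamp supplied by the caller so tests are deterministic."""
    policy = parse_hsts(header_value)
    host = host.lower()
    if policy["max_age"] == 0:
        cache.pop(host, None)  # max-age=0 instructs the client to drop the policy
        return
    cache[host] = {
        "expires": now + policy["max_age"],
        "include_subdomains": policy["include_subdomains"],
    }


def must_use_https(cache, host, now):
    """True if the request to `host` must be upgraded to HTTPS.

    Walks from the full hostname up through each parent domain. An exact
    (congruent) match always applies; a parent-domain (superdomain) match
    applies only if that parent's policy carried includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = cache.get(candidate)
        if entry is None or entry["expires"] <= now:
            continue  # unknown host or expired policy: keep looking upward
        if i == 0 or entry["include_subdomains"]:
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: the apex site sets HSTS with includeSubDomains,
    # so a later plain-http request to a forum subdomain is forced to HTTPS.
    cache = {}
    learn_policy(cache, "example.com", "max-age=31536000; includeSubDomains", now=1_000)
    print(must_use_https(cache, "community.example.com", now=2_000))   # True
    # Without includeSubDomains the subdomain is left unprotected.
    cache = {}
    learn_policy(cache, "example.com", "max-age=31536000", now=1_000)
    print(must_use_https(cache, "community.example.com", now=2_000))   # False
```

The second scenario is the gap the thread is about: an HSTS header on the main site without `includeSubDomains` does nothing for a forum on a subdomain, so a client on hostile Wi-Fi can still be served that subdomain over plain HTTP.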
My comments above may have come across a bit harsh. IMHO Revolut is still far ahead of other financial institutions in most respects. Problems like this are significantly less serious than the problems with most banking organisations.
One more point: The https setup on the root site does not support perfect forward secrecy at the moment. I’m not sure why this wouldn’t be implemented, so I’m guessing it’s just a bug in the https setup on the server.
This is another thing that most banks suck at, but Revolut is better than almost all of them.
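Whether a TLS setup offers perfect forward secrecy, as raised in the post above, comes down to which key exchange the server negotiates: ephemeral (EC)DHE suites give it, static RSA or static ECDH key exchange does not, and every TLS 1.3 suite is ephemeral by construction. The following added example (not code from the thread or from Revolut) classifies cipher-suite names in both OpenSSL and IANA spelling so a server's configured cipher list can be audited for non-PFS suites; it also includes a small standard-library probe that reports the suite a live server actually picks. The suite lists are constructed for illustration, and the probe is not exercised here.

```python
"""Classify TLS cipher suites by whether their key exchange provides forward
secrecy, and optionally report what a server negotiates.

Added example; the suite lists used below are constructed."""
import socket
import ssl

# Key-exchange tokens that denote ephemeral Diffie-Hellman in OpenSSL and
# IANA suite names ("EDH" is the older OpenSSL spelling of DHE).
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")


def is_forward_secret(suite):
    """True if the suite uses ephemeral (EC)DH key exchange or is a TLS 1.3 suite.

    Static RSA key exchange (e.g. AES256-SHA, TLS_RSA_WITH_...) and static
    ECDH (ECDH-RSA-...) are reported as lacking forward secrecy."""
    name = suite.upper().replace("_", "-")
    # TLS 1.3 suites name only the AEAD and hash; key exchange is always (EC)DHE.
    if name.startswith("TLS-AES-") or name.startswith("TLS-CHACHA20-"):
        return True
    return any(token in EPHEMERAL_KX for token in name.split("-"))


def suites_without_pfs(suites):
    """Return the suites from a configured cipher list that lack forward secrecy."""
    return [s for s in suites if not is_forward_secret(s)]


def negotiated_cipher(host, port=443):
    """Connect to a server you operate and report the suite it selects.

    Uses ssl.SSLSocket.cipher(), which returns (name, protocol, secret_bits).
    Network access is required, so this helper is not run by the offline test."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            return {"suite": name, "protocol": version,
                    "bits": bits, "forward_secret": is_forward_secret(name)}


if __name__ == "__main__":
    # Constructed cipher list mixing ephemeral and static key exchange.
    configured = [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384",
        "AES128-SHA",                      # static RSA key exchange: no PFS
        "TLS_RSA_WITH_AES_256_CBC_SHA",    # IANA name, same problem
    ]
    print("suites lacking PFS:", suites_without_pfs(configured))
```

A server whose cipher list contains only non-PFS suites, or that prefers one of them when the client supports ECDHE, is the situation the poster describes; the fix is on the server side (put ECDHE/DHE suites first, or enable TLS 1.3), not in the client.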
I didn’t think that would include many remaining devices. I’ll admit I don’t know for sure, just that other fintech companies I’ve worked with did not seem to consider that an issue.