It’s Friday the 13th. Time for Freaky Friday. How many domain swaps will this one manage?

tyl 1

Tyl is a payment processor from NatWest. Their primary domain is "tylbynatwest·com". The link to log in is "portal·natwest-tyl·com", on a separate domain. This redirects and the login page is hosted on "tylprod·b2clogin·com".

tyl 2

The address "b2clogin·com" is a Microsoft domain for hosted login services, and can be whitelabelled to a custom domain, but Tyl chose not to. The term "b2clogin" stands for business to consumer login — it is for consumer focused websites — and is mostly free of Microsoft branding so it can appear to be first party. Anyone can register a service on "b2clogin·com" and piggyback off trust in Microsoft to run phishing campaigns.

Banks tell us all the time to check the URL when logging in, and Tyl uses at least three domains, with their most sensitive service — login — not running on their primary domain. How are users meant to tell this is an official site, especially if arriving from a link in a message?

Login should be run on a first party domain. Trust depends on it.