UK high-street banks accused of "shockingly bad" online security
Banks running on outdated security, says Xiphos report
Over half of the UK's high-street banks and building societies use outdated SSL security that means their online customers can be attacked by low-skilled cyber-criminals, and “they don't seem to care”, according to security firm Xiphos Research.
Birmingham-based Xiphos checked 22 UK-owned retail banks and found 50 percent still use vulnerable Secure Sockets Layer (SSL) certificates despite problems known about for months and even years. A further 79 percent of 25 foreign-owned retail banks operating in the UK, and 51 percent of the UK's top 37 building societies, are also insecure.
In 12 of the 84 cases, their SSL usage is rated as ‘F' – the worst possible score they could have. Xiphos co-founder Mike Kemp calls this “shockingly bad”.
The weak authentication puts banking customers at risk of well-known attacks like the POODLE man-in-the-middle vulnerability, which was revealed by Google researchers in October 2014, and the CRIME attack known about since 2012.
Xiphos has alerted the National Crime Agency (NCA) to the problem, which it says is “deeply concerning and has significant public interest”, after being frustrated in its attempts to warn the institutions affected.
In a 4 January blog, Kemp said: “As things stand, over 50 percent of banks and building societies in the UK have weak SSL implementations associated with their secure login functions. This research was conducted in November 2015. It is now January 2016 and we have attempted to reach out numerous times to numerous organisations.
“The impacted parties don't seem to care. We have attempted to contact a number of the affected banks and building societies and have yet to be contacted by anyone other than first-line customer services staff. We have however passed details of our findings and the organisations they impact upon to the NCA.”
Kemp said Xiphos will not be naming names “until we have confirmation from third parties that they are mitigating the risks”.
He said their vulnerability is made worse by the fact that the problems with weak SSL certificates are well-known. “The UK finance industry is one of the largest in the world, and so should be one of the most robust from a security perspective. Sadly, our findings seem to contradict this. What we discovered was highly concerning from a security perspective.”
Kemp pointed to research by Troy Hunt published in May 2015 on the security of SSL certificates used by the Australian banking industry, and by developer Bryan MacMillan in August 2015 on Scottish financial institutions.
Xiphos tested the 84 institutions' secure login functions by submitting the associated authentication URLs to the SSLLabs service from Qualys.
Eight of the URLs are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. “This is a vulnerability about which there was much press coverage, and is over a year old and one that in all likelihood would not be expected to be seen on sensitive client-facing systems in the wild,” Kemp said.
Four of the SSL certificate are vulnerable to the CRIME attack, which allows an attacker to potentially hijack legitimate user sessions.
Nine of the URLs use version 3 of the SSL protocol, which was officially deprecated in December 2014 owing to the POODLE attack. Kemp said: “It was recommended that SSL version 3 be disabled on all public-facing sensitive hosts and replaced. In over 10 percent of the certificate instances assessed, this has not been the case.”
Thirty-six certificates use SHA-1 hashing to hide the data. Kemp said: “The first cracks in SHA-1 appeared over 10 years ago, and in 2013 Microsoft announced that it would not be accepting SHA-1 certificates after 2016.”
Thirty-five of the SSL certificates support the RC4 crypto cipher. “Attacks against the RC4 cipher have theoretically been possible for a number of years,” Kemp said.
And 26 certificates use the outdated version 1 of TLS (Transport Layer Security), the successor to SSL. “Both the BEAST and Lucky 13 attacks can impact on those sites that operate using TLS 1 in combination with RC4 and those sites that handle sensitive data should be moving away from deprecated and unsupported technical stacks,” Kemp said.
Commenting on Xiphos' research, independent cyber-security expert David Kennerley, threat research manager at Webroot, told SCMagazineUK.com via email: “The results are very disappointing. Whilst differing levels of skill, resources and motivation are required to exploit these weaknesses, without question this research highlights the poor security posture of the banks in question.
“In some areas, financial institutions are leading the way in cyber-security as the recent joint UK-US banking industry resilience exercise shows. At the same time this research highlights that there is still much work to be done.”
Kennerley added: “Our online world, including the financial sector, is wholly reliant on a fully functional and well-maintained Public Key Infrastructure (PKI). Banks and other companies that fail to keep pace with widely reported PKI vulnerabilities are publicly advertising their poor security posture.
“In simple terms they are demonstrating that the security of their website, visitors and transactions isn't their highest priority. More scary is the fact that the tools used to perform this research are available to everyone, not just the good guys. Most forms of crypto attack are now well within reach of the bad guys.
“We should not be making it easy for anyone to acquire our private communications. There is no good reason for any institution to be using digital certificates that are known to be vulnerable. There are widely accepted, robust alternatives available. The banks should not take the blame alone, Certificate Authorities should also be held accountable for this failing.”
Xiphos said it contacted the UK banking regulator, the Financial Conduct Authority (FCA), on 15 December to get contact details and in the hope it would share the research results with its members. Kemp said: “Unfortunately the FCA was unable to provide us with details of individuals, or generic email addresses, to report security concerns to because of ‘security reasons'.”
SC asked the FCA about this and a spokesperson told us: “We are not able to pass on the contact details of those employed outside of the FCA. We look at all the information given to us and it is passed to relevant teams to consider.”
SC also asked the British Bankers' Association (BBA) for their views on Xiphos's research and the communication problems. A BBA spokesperson told us: “Customers rightly expect high levels of security when they are banking online. Banks spend hundreds of millions of pounds each year on developing sophisticated systems to protect customers from fraud and cyber-crime. They are constantly vigilant to the changing security threats online.”