Basic Web Security; Kenyan Banks Flying Blind
Kenya has over 42 banks and it has been noted that we have far too many banks for the population of about 40million people. (Source; CBK, Nation Media Group) Most of this banks, I have noted, are flying blind in the area of basic web security. The saddest bit is that I could try point this to them but then again they would either try to blame me for being a “hacker” or simply ignore me until when the real hacker will come by. I am going to point out 2 cases of banks , that I am a customer are flying blind and its only a matter of time before hell breaks lose.
Unsecured Web Connection over HTTP
You would think that it is common senses for a Bank to enforce secure connection or HTTPS to their website right? After all, in the era of Online/Internet Banking , we send them personal and sensitive information over the internet such as Name, ID/Passport details, Our Credit/Debit Cards numbers and even transact over the internet. WTF would a bank in the 21st Century simply not have SSL Certificates? Unless they are simply being lazy cheap or calling attention to themselves and their customers to be hacked.
Some, if not most,of this banks have Online Banking, Mobile banking and many more banking solutions tied to the user and whose primary way of accessing this products is through their websites. Any person with sufficient knowledge on web development would have any easy time getting access to usr data. All he/she would need to intrude is change and replace the links for accessing online/internet banking with their own link and make user their web page has semblance to the initial one as possible, which is piece of cake anyway, and then let the users sign in and attempt to access their online banking through his own page. At this stage, a little social engineering would work. Say after users sign in, tell them the system is down and we are updating the platform so they can try later!. Happy users will wait as you wreck havoc on their accounts voila, Christmas comes early!
I sampled 1o of the 42 banks that are common, notable and/or known to me that have un-secure or HTTP connection to their websites;
- Equity Bank; http://ke.equitybankgroup.com/ .The mighty and known Equity Bank, Kenya’s biggest bank in terms of customer numbers with over 10m customers and the people who brought banking to the masses, 2nd Largest bank in Kenya. Equity simply doesn’t care about security for their website
2. Commercial Bank of Africa (CBA):http://cbagroup.com/; Funny their public website has no HTTPS Certificate but some of their sub-domains have
3. National Bank of Kenya; http://nationalbank.co.ke/
4. Consolidated Bank of Kenya; http://www.consolidated-bank.com
5. Bank of Baroda;http://www.bankofbaroda.com/kenya.asp or www.bankofbarodakenya.com/ .This domain appears to be marked as hacked by Google Search Results attached;
6. Family Bank; http://familybank.co.ke/
7. Fidelity Bank; http://www.fidelitybank.co.ke/
8. NIC Bank; http://www.nic-bank.com/ke/
9. Prime Bank Kenya; http://www.primebank.co.ke/
10.Guardian Bank ; http://guardian-bank.com/ (Funny haaa! Its supposed to on guard for your Money haaahahaa! Pun intended)
Its notable that KCB Bank Group, Kenya’s largest bank is missing from the list as well as some other small banks.
Next time I will take a jibe at their email infrastructure…