UK Banks Overlook SSL
Over half of the UK’s high-street banks and building societies use outdated SSL security that means their online customers can be attacked by low-skilled cyber-criminals, and “they don’t seem to care”, according to security firm Xiphos Research.
In a 4 January blog, Kemp said: “As things stand, over 50 percent of banks and building societies in the UK have weak SSL implementations associated with their secure login functions. This research was conducted in November 2015. It is now January 2016 and we have attempted to reach out numerous times to numerous organisations.
“The impacted parties don’t seem to care. We have attempted to contact a number of the affected banks and building societies and have yet to be contacted by anyone other than first-line customer services staff. We have however passed details of our findings and the organisations they impact upon to the NCA.”
Kemp said Xiphos will not be naming names “until we have confirmation from third parties that they are mitigating the risks”.
He said the exposure is made worse by the fact that these SSL/TLS weaknesses are well known and well documented. “The UK finance industry is one of the largest in the world, and so should be one of the most robust from a security perspective. Sadly, our findings seem to contradict this. What we discovered was highly concerning from a security perspective.”
Kemp pointed to research by Troy Hunt published in May 2015 on the security of SSL certificates used by the Australian banking industry, and by developer Bryan MacMillan in August 2015 on Scottish financial institutions.
Xiphos tested the secure login functions of 84 institutions by submitting the associated authentication URLs to the SSL Labs service from Qualys.
Eight of the URLs are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. “This is a vulnerability about which there was much press coverage, and is over a year old and one that in all likelihood would not be expected to be seen on sensitive client-facing systems in the wild,” Kemp said.
Four of the login servers are vulnerable to the CRIME attack, which exploits TLS compression to recover secrets such as session cookies and so allows an attacker to potentially hijack legitimate user sessions.
Nine of the URLs still offer version 3 of the SSL protocol, which was deprecated after the POODLE attack was disclosed in October 2014 (and formally retired by RFC 7568 in June 2015). Kemp said: “It was recommended that SSL version 3 be disabled on all public-facing sensitive hosts and replaced. In over 10 percent of the certificate instances assessed, this has not been the case.”
Thirty-six certificates are signed with the SHA-1 hash algorithm, which underpins the certificate’s integrity rather than hiding any data. Kemp said: “The first cracks in SHA-1 appeared over 10 years ago, and in 2013 Microsoft announced that it would not be accepting SHA-1 certificates after 2016.”
Thirty-five of the login servers support the RC4 stream cipher. “Attacks against the RC4 cipher have theoretically been possible for a number of years,” Kemp said.
And 26 of the servers still rely on the outdated version 1.0 of TLS (Transport Layer Security), the successor to SSL. “Both the BEAST and Lucky 13 attacks can impact on those sites that operate using TLS 1 in combination with RC4 and those sites that handle sensitive data should be moving away from deprecated and unsupported technical stacks,” Kemp said.
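The checks Xiphos ran by hand against SSL Labs can be automated over the JSON that the same service returns. The following is an added example, not code from Xiphos, SC Magazine or Qualys: it triages one assessment for the six weakness classes named above (SSLv3, POODLE, CRIME, RC4, SHA-1 signatures, TLS 1.0 only) and tallies findings across many hosts the way the article counts them. The report is a constructed sample, and the field layout (endpoints[].details with protocols, suites, compressionMethods, supportsRc4, poodle and cert.sigAlg) is an assumption modelled on the SSL Labs API v2 response; confirm the names against the current API documentation before pointing it at real output.

```python
import json
from collections import Counter

# Constructed sample report, shaped like an SSL Labs API v2 'analyze' response
# (field names are an assumption, not copied from real output). Endpoint one
# shows every weakness in the Xiphos findings; endpoint two is clean.
SAMPLE_REPORT = json.dumps({
    "host": "login.example-bank.invalid",
    "status": "READY",
    "endpoints": [
        {
            "ipAddress": "192.0.2.10",
            "grade": "F",
            "details": {
                "protocols": [
                    {"name": "SSL", "version": "3.0"},
                    {"name": "TLS", "version": "1.0"},
                ],
                "suites": {"list": [
                    {"name": "TLS_RSA_WITH_RC4_128_SHA"},
                    {"name": "TLS_RSA_WITH_AES_128_CBC_SHA"},
                ]},
                "compressionMethods": 1,  # bit 0 set: DEFLATE offered (CRIME)
                "supportsRc4": True,
                "poodle": True,
                "cert": {"subject": "CN=login.example-bank.invalid",
                         "sigAlg": "SHA1withRSA"},
            },
        },
        {
            "ipAddress": "192.0.2.11",
            "grade": "A",
            "details": {
                "protocols": [{"name": "TLS", "version": "1.2"}],
                "suites": {"list": [
                    {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
                ]},
                "compressionMethods": 0,
                "supportsRc4": False,
                "poodle": False,
                "cert": {"subject": "CN=login.example-bank.invalid",
                         "sigAlg": "SHA256withRSA"},
            },
        },
    ],
})


def triage_endpoint(details):
    """Map one endpoint's 'details' object to the weakness labels that apply.

    SSLv3 and POODLE are kept as separate findings: POODLE needs a CBC suite
    under SSLv3, so a host can offer SSLv3 yet escape the POODLE flag, and
    the two counts need not match.
    """
    findings = []
    protocols = {(p["name"], p["version"]) for p in details.get("protocols", [])}
    suites = [s["name"] for s in details.get("suites", {}).get("list", [])]

    if ("SSL", "3.0") in protocols:
        findings.append("SSLv3 offered")
    if details.get("poodle"):
        findings.append("POODLE (SSLv3 CBC padding oracle)")
    if details.get("compressionMethods", 0) & 1:  # DEFLATE bit
        findings.append("CRIME (TLS compression enabled)")
    if details.get("supportsRc4") or any("RC4" in name for name in suites):
        findings.append("RC4 supported")
    if details.get("cert", {}).get("sigAlg", "").upper().startswith("SHA1"):
        findings.append("SHA-1 certificate signature")
    # Version strings "1.0" < "1.1" < "1.2" < "1.3" sort correctly as text.
    tls_versions = sorted(v for n, v in protocols if n == "TLS")
    if tls_versions and tls_versions[-1] == "1.0":
        findings.append("TLS 1.0 is the newest protocol offered")
    return findings


def triage_report(report_json):
    """Return {ip_address: [findings]} for every endpoint in one analyze result."""
    report = json.loads(report_json)
    return {ep["ipAddress"]: triage_endpoint(ep["details"])
            for ep in report.get("endpoints", [])}


def summarise(report_jsons):
    """Tally each finding across many reports, the way the article counts
    'eight vulnerable to POODLE', 'thirty-five support RC4' and so on."""
    counts = Counter()
    for report_json in report_jsons:
        for findings in triage_report(report_json).values():
            counts.update(findings)
    return dict(counts)


if __name__ == "__main__":
    for ip, findings in triage_report(SAMPLE_REPORT).items():
        print(ip, findings or ["no findings"])
    print(summarise([SAMPLE_REPORT]))
```

Feeding this the saved analyze results for a list of login URLs gives the same per-category counts Kemp reports, and the per-endpoint list is what a bank's own operations team would hand to whoever owns the TLS termination.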
Commenting on Xiphos’ research, independent cyber-security expert David Kennerley, threat research manager at Webroot, told SCMagazineUK.com via email: “The results are very disappointing. Whilst differing levels of skill, resources and motivation are required to exploit these weaknesses, without question this research highlights the poor security posture of the banks in question.
“In some areas, financial institutions are leading the way in cyber-security as the recent joint UK-US banking industry resilience exercise shows. At the same time this research highlights that there is still much work to be done.”
Kennerley added: “Our online world, including the financial sector, is wholly reliant on a fully functional and well-maintained Public Key Infrastructure (PKI). Banks and other companies that fail to keep pace with widely reported PKI vulnerabilities are publicly advertising their poor security posture.
“In simple terms they are demonstrating that the security of their website, visitors and transactions isn’t their highest priority. More scary is the fact that the tools used to perform this research are available to everyone, not just the good guys. Most forms of crypto attack are now well within reach of the bad guys.”
Xiphos said it contacted the UK banking regulator, the Financial Conduct Authority (FCA), on 15 December to get contact details and in the hope it would share the research results with its members. Kemp said: “Unfortunately the FCA was unable to provide us with details of individuals, or generic email addresses, to report security concerns to because of ‘security reasons’.”
SC asked the FCA about this and a spokesperson told us: “We are not able to pass on the contact details of those employed outside of the FCA. We look at all the information given to us and it is passed to relevant teams to consider.”