60 Percent of Banks Operating in the UK Have Weak Crypto

Exterminator (thread author, joined Oct 23, 2012)

Login pages vulnerable to a large number of SSL attacks
More than half of British or foreign-owned banks operating in the UK were found to run insecure SSL instances on the login page of their Web portals.

Most banks these days provide a Web-based banking portal where clients can go and manage their bank accounts. There are various places where hardened security is crucial for these portals, such as their transaction pages, account history, and users' settings pages.

While all critical, there's another place where the bank's security must be at its strongest settings, and that's on the page where users authenticate on the service: the login page.

60% of UK banking institutions fail at properly implementing SSL
Security expert Mike Kemp, the co-founder of Xiphos Research, has conducted research that studied the usage of SSL on the login pages of banks and building societies operating in the UK.

His research targeted all banks with a street presence in Britain. This included UK-owned banks, foreign-owned banks, and UK building societies.

For each institution, the researcher searched for the bank's Web portal, took its login page URL, and submitted it for testing via the SSLLabs portal, a service for analyzing the quality of SSL/TLS used on a Web page.

His results were:

► Of the 22 UK-owned retail banks we examined, 50% were found to have insecure SSL instances.

► Of the 25 foreign-owned retail banks operating in the UK we examined, 79% were found to have insecure SSL instances.

► Of the 37 UK building societies we examined, 51% were found to have insecure instances.

This means that around 50 banking institutions out of 84 (60%) failed at properly configuring SSL certificates for their login URLs, arguably the most sensitive and most important point in securing online banking services.

Affected banks were hard to get in contact with
Even worse, Mr. Kemp also reports that 12 out of the 84 (14%) got an F grade from the SSLLabs service, a grade that Mr. Kemp described as "shockingly bad."

Some of the attacks to which UK banking institutions are vulnerable include some oldies but goodies like the POODLE attack, the CRIME attack, the BEAST and Lucky 13 attacks.

Mr. Kemp tried to contact all banking institutions that had problems, but after facing countless ill-prepared call center operators, he decided to inform the UK Financial Conduct Authority of his findings on December 15, and the UK National Crime Agency on December 18.

Similar research was also carried out by Troy Hunt for Australian financial institutions (May 2015), and Bryan MacMillan for Scottish financial institutions (August 2015).
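The post names the attack classes the failing login pages were exposed to (POODLE, CRIME, BEAST, Lucky 13) but not how a grade is derived from a server's configuration. The following is an added example, not code from the article or from Xiphos Research: a small triage checker that takes a summary of what a TLS endpoint accepts (protocol versions, cipher suites, TLS-level compression, encrypt-then-MAC support) and reports which of those four exposures remain. The `TlsConfig` type, the two sample configurations and the pass/warn/fail grading are assumptions made here; a real assessment would take the inputs from a scanner such as SSL Labs rather than from hand-written values.

```python
"""Triage a TLS endpoint summary for POODLE, CRIME, BEAST and Lucky 13.

Added example (not from the article). The configuration values below are
constructed for illustration; in practice they come from a scanner report.
"""
from dataclasses import dataclass, field


@dataclass
class TlsConfig:
    protocols: set                   # e.g. {"SSLv3", "TLSv1.0", "TLSv1.2"}
    ciphers: list                    # OpenSSL-style or IANA suite names
    compression: bool = False        # TLS-level compression negotiable?
    encrypt_then_mac: bool = False   # RFC 7366 extension offered by server?


def is_cbc_suite(cipher: str) -> bool:
    """True for CBC-mode suites (IANA names carry _CBC_; legacy OpenSSL names
    such as AES128-SHA omit the mode, so a trailing HMAC name implies CBC)."""
    name = cipher.upper()
    if "_CBC_" in name:
        return True
    if "GCM" in name or "CHACHA20" in name or "CCM" in name:
        return False                 # AEAD suites are not CBC
    return name.endswith(("-SHA", "-SHA256", "-SHA384"))


def assess(cfg: TlsConfig) -> dict:
    """Return {finding: remediation} for each exposure the config still has."""
    findings = {}
    cbc_suites = [c for c in cfg.ciphers if is_cbc_suite(c)]
    if "SSLv3" in cfg.protocols:
        findings["POODLE"] = "SSLv3 is accepted; disable it entirely."
    if cfg.compression:
        findings["CRIME"] = "TLS compression is enabled; disable it."
    if "TLSv1.0" in cfg.protocols and cbc_suites:
        findings["BEAST"] = ("TLS 1.0 with CBC suites is accepted; "
                             "disable TLS 1.0 or drop the CBC suites.")
    if cbc_suites and not cfg.encrypt_then_mac:
        findings["Lucky13"] = ("CBC suites without encrypt-then-MAC; "
                               "prefer AEAD suites (GCM/ChaCha20).")
    return findings


def grade(cfg: TlsConfig) -> str:
    """Collapse findings into pass / warn / fail (assumed scale, not SSL Labs')."""
    findings = assess(cfg)
    if not findings:
        return "pass"
    if "POODLE" in findings or "CRIME" in findings:
        return "fail"                # protocol-level flaws: treat as failing
    return "warn"                    # cipher-level weaknesses only


def triage_batch(configs: dict) -> tuple:
    """Count how many named endpoints are not a clean pass; returns (bad, total)."""
    bad = sum(1 for cfg in configs.values() if grade(cfg) != "pass")
    return bad, len(configs)


# Constructed sample endpoints (not real banks, not real scan results).
WEAK_LOGIN = TlsConfig(
    protocols={"SSLv3", "TLSv1.0", "TLSv1.2"},
    ciphers=["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    compression=True,
)
HARDENED_LOGIN = TlsConfig(
    protocols={"TLSv1.2", "TLSv1.3"},
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"],
)

if __name__ == "__main__":
    for name, cfg in {"weak": WEAK_LOGIN, "hardened": HARDENED_LOGIN}.items():
        print(name, grade(cfg))
        for finding, fix in assess(cfg).items():
            print("  ", finding, "->", fix)
```

The checker only covers the four exposures the post names; a scanner report also carries certificate, key-exchange and renegotiation results that would feed into a real grade.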

jamescv7 (joined Mar 15, 2011)

The problem nowadays is that the purpose of learning programming and other stuff tends to be basic, without allocating the overall benefits of being secure, with little revision of implementation.

Banks should be ready for any possible attack, so security is a must; however, they take it for granted, as usually only mainstream names are commonly targeted, due to large audiences and the continuous leak of vulnerabilities.

Kiwimike (joined Dec 15, 2015)

There is so much to cover in security. People need to scour every nook and cranny for vulnerabilities; this could have to do with some banks refusing to hire the right people, or it could be that the banks are being left behind as the whole world shifts more and more towards IT.

It is totally possible that the people who have worked at the banks for years and years simply don't realize or are overwhelmed by the huge amount of IT staff, maintenance and security work that must be done.

Banks really need better security. It's actually quite hard for them too, considering the banks my friends work for hire more experienced people, often with older certifications but lots of experience, over newer people with less experience but lots of talent.
I know a VP who worked for a bank; he quit, as every intern he brought in literally got rejected by everybody else. This is the problem, as it's not a small bank; it's a large worldwide bank. And they probably have insecure logins as well.

I also think it is due to stubbornness by whoever is in charge. Whether CIO, CFO or COO, nonetheless they could potentially simply not have the budget, or not WANT to spare the money to pay for this work to be done; maybe they don't want to hire extra people to work on the websites.