UK online bank security fails to keep up to date

Unsafe SSL warning

Perhaps it’s because I’d just seen Citizenfour and was feeling edgy about internet privacy that I noticed the little padlock symbol beside the URL of my online bank was not the jolly green, indicating safety, like normal – instead it was drab grey with a little yellow warning triangle over it, indicating … well, not safety presumably!

Clicking on the symbol, Google Chrome informed me that “Your connection to www7.marksandspencer.com is encrypted with obsolete cryptography” and “The site is using outdated security settings”. I am not a security expert, but this is not what you want to be hearing from the holder of all your worldly possessions (or debts in this case as it was the credit card system I was using).

URL and SSL security symbol as shown in Chrome browser accessing M&S online banking
M&S online banking security showing a warning symbol, rather than the jolly green ‘safe’ symbol you’d rather see.

Some further delving into these messages pointed me to the Qualys SSL Labs website, which allows you to check the online security settings of any website, and so I thought I’d check the UK’s online bank security. Upon entering various UK banks’ online login URLs, I was surprised to see that all but one were using out-of-date security settings. Capital One got an A grade, but Lloyds, Barclays and Halifax are scoring C’s.

Some investigation showed that this security problem is related to the POODLE vulnerability that was discovered at the end of last year – “This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack”.

Now this potential password stealer is quite complex to set up, and it’s possible that the banks have been thinking it ‘unlikely’ to affect them, but there have been online commentaries since October 2014 clearly stating that the ‘Poodle hack’ poses a threat to bankers – so one would hope they might act quickly, certainly within 6 months!

I mean, we’re not talking about your local takeaway that got an online ordering service set up back in 2006 and hasn’t updated the site since – we’re talking about the UK banking system, where just 4 of the banks [Barclays, HSBC, Lloyds group, RBS] have a combined market value of £256 billion. If anyone ought to be able to keep up with security updates, it’s them.

Checking the websites for SSL security showed that 3 scored a C grade because they were using technology that was definitely vulnerable to the POODLE attack. However, another 10 scored a B grade for relying on a security standard called TLS 1.0 or 1.1, and by December 2014 these TLS versions had also been shown to be open to the POODLE attack (under certain circumstances).
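As an added illustration (not part of the original post), the check below is what turns SSLv3 CBC records into the padding oracle that POODLE relies on, shown beside the stricter check that TLS 1.0 and later specify. The block size, MAC length, function names and sample record bytes are all constructed for this example; no real cipher or network is involved, and the operational fix for a site owner is to disable SSLv3 (and any TLS stack that skips the full check) rather than to patch this routine.

```python
# Added example (not from the original post): the padding check that makes
# SSLv3 CBC records a padding oracle (POODLE) beside the stricter TLS 1.0+
# check. All values are constructed; no network or real cipher is used.

BLOCK_SIZE = 8   # constructed: 8-byte CBC blocks (3DES suites in SSLv3)
MAC_LEN = 20     # constructed: HMAC-SHA1 length for those suites


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSLv3: only the final byte (padding length) is inspected. The padding
    bytes may hold anything, so a decrypted block that merely ends in a
    plausible length byte is accepted even when the rest of it is junk."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK_SIZE and pad_len + 1 + MAC_LEN <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0+ (RFC 2246 6.2.3.2): every padding byte must equal the padding
    length. TLS stacks that skipped this full check were also POODLE-prone,
    which is the 'under certain circumstances' mentioned in the post."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    # Production code must compare in constant time (see Lucky 13).
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def split_record(plaintext: bytes, checker):
    """Strip padding then MAC; return (data, mac) or None on a padding error."""
    if not checker(plaintext):
        return None
    body = plaintext[:-(plaintext[-1] + 1)]
    return body[:-MAC_LEN], body[-MAC_LEN:]


# Constructed decrypted record: 4 data bytes, a fake 20-byte MAC and one
# full 8-byte padding block whose length byte is 7.
DATA, MAC = b"GET ", bytes(range(MAC_LEN))
GOOD_PAD = bytes([7]) * BLOCK_SIZE                  # well-formed padding
JUNK_PAD = b"\xde\xad\xbe\xef\x01\x02\x03\x07"      # junk, valid length byte


def demo() -> dict:
    good, junk = DATA + MAC + GOOD_PAD, DATA + MAC + JUNK_PAD
    return {
        "good_sslv3": split_record(good, sslv3_padding_ok),
        "good_tls": split_record(good, tls_padding_ok),
        "junk_sslv3": split_record(junk, sslv3_padding_ok),  # accepted: the oracle
        "junk_tls": split_record(junk, tls_padding_ok),      # None: rejected
    }
```

The SSLv3 checker accepts the junk-padded record exactly as it accepts the well-formed one, so an attacker-controllable "accept or reject" signal exists; the TLS checker returns None for it.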

All results are shown in the table below, and screenshots of the Qualys SSL Labs results are in the gallery below. The worst offenders are Barclays, Lloyds and Halifax with their complete disregard for POODLE and a resulting C grade. The best is Capital One, which gets an A and no warnings.

UK banks SSL status 24/04/2015

Online banking security results obtained from Qualys SSL Labs

Bank Name          | Security Grade | Qualys SSL Labs URL
-------------------|----------------|--------------------
Capital One        | A | https://www.ssllabs.com/ssltest/analyze.html?d=capitaloneonline.co.uk
Nationwide         | B | https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk
Natwest            | B | https://www.ssllabs.com/ssltest/analyze.html?d=nwolb.com
RBS                | B | https://www.ssllabs.com/ssltest/analyze.html?d=www.rbsdigital.com
Clydesdale Bank    | B | https://www.ssllabs.com/ssltest/analyze.html?d=home2.cbonline.co.uk
TSB                | B | https://www.ssllabs.com/ssltest/analyze.html?d=online.tsb.co.uk
Co-operative Bank  | B | https://www.ssllabs.com/ssltest/analyze.html?d=personal.co-operativebank.co.uk
Yorkshire Bank     | B | https://www.ssllabs.com/ssltest/analyze.html?d=home1.ybonline.co.uk
First Direct       | B | https://www.ssllabs.com/ssltest/analyze.html?d=www1.firstdirect.com
Marks and Spencers | B | https://www.ssllabs.com/ssltest/analyze.html?d=www7.marksandspencer.com
Santander          | B | https://www.ssllabs.com/ssltest/analyze.html?d=retail.santander.co.uk
Barclays           | C | https://www.ssllabs.com/ssltest/analyze.html?d=bank.barclays.co.uk&s=157.83.124.232
Lloyds             | C | https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk
Halifax            | C | https://www.ssllabs.com/ssltest/analyze.html?d=halifax-online.co.uk

3 thoughts on “UK online bank security fails to keep up to date”

    1. RLD says:

      Nice! Great minds etc… Interesting. I ran my tests on 25 April and I see yours were done on 20th April – but mine gave fewer C grades. They must have updated their encryption slightly in that week!

      1. Mark says:

        Hi Rob. Haha yes. SSL Labs also make the tests tougher over time (as more protocols are demonstrated to be insecure).

        I tried contacting some of the banks on Twitter #SecurityShaming, but they didn’t reply. Twitter, to its credit, grades A+ for its SSL config.