Perhaps it’s because I’d just seen CitizenFour and was feeling edgy about internet privacy that I noticed the little padlock symbol beside the URL of my online bank was not the jolly green, indicating safety, like normal – instead it was drab grey with a little yellow warning triangle over it, indicating … well, not safety presumably!
Clicking on the symbol, Google Chrome informed me that “Your connection to www7.marksandspencer.com is encrypted with obsolete cryptography” and “The site is using outdated security settings”. I am not a security expert, but this is not what you want to be hearing from the holder of all your worldly possessions (or debts in this case as it was the credit card system I was using).
Some further delving into these messages pointed me to the Qualys SSL Labs website, which allows you to check the online security settings of any website, and so I thought I'd check the UK's online bank security. Upon entering various UK banks' online login URLs, I was surprised to see that all but one were using out-of-date security settings. Capital One got an A grade, but Lloyds, Barclays and Halifax scored Cs.
Some investigation showed that this security problem is related to the POODLE vulnerability (CVE-2014-3566), which was disclosed in October 2014 and affects SSL 3.0 when used with CBC-mode cipher suites: "This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack". The root cause is that an SSL 3.0 receiver checks only the last byte of a record's padding, so an attacker sitting between the browser and the bank who can make the browser repeat a request many times can tamper with the encrypted record, watch whether the server accepts or rejects it, and recover roughly one byte of plaintext (a session cookie, say) per 256 attempts.
Now this potential session-cookie stealer is quite complex to set up (the attacker needs both a man-in-the-middle position and a way to make the victim's browser keep resending the same request), and it's possible that the banks have been thinking it 'unlikely' to affect them, but there have been online commentaries since October 2014 clearly stating that the 'Poodle hack' poses a threat to banks, so one would hope they might act quickly, certainly within 6 months!
I mean, we’re not talking about your local takeaway that got an online ordering service set up back in 2006 and hasn’t updated the site since – we’re talking about the UK banking system, where just 4 of the banks [Barclays, HSBC, Lloyds group, RBS] have a combined market value of £256 billion. If anyone ought to be able to keep up with security updates, it’s them.
Checking the websites for SSL security showed that three scored a C grade because they still allowed SSL 3.0, the protocol version that is directly vulnerable to the POODLE attack. Another 10 scored a B grade for relying on TLS 1.0 or 1.1. TLS 1.0 and 1.1 are not vulnerable to POODLE by design, because TLS requires the receiver to check every padding byte rather than just the last one, but in December 2014 a number of TLS implementations, mostly in load balancers and similar network appliances, were found to skip that check, which makes them exploitable in exactly the same way (under those circumstances). A bank is therefore only in the clear once the products in front of its web servers have been checked as well.
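To make the padding-oracle mechanism behind POODLE concrete, here is an added simulation in Python; it is not code from this post, from any of the banks, or from Qualys. It models an SSL 3.0 receiver, which checks only the padding length byte, next to a TLS 1.0 receiver that checks every padding byte, and then plays the man-in-the-middle: it makes the "browser" resend a request, copies the ciphertext block holding the target byte over the padding block, and learns one plaintext byte each time the receiver happens to accept the forged record. The block cipher is a toy Feistel construction over SHA-256, the MAC is a truncated HMAC, and the keys, the cookie value SECRET and the fresh IV per record are all assumptions chosen so the whole thing runs offline with the standard library only.

```python
# Toy POODLE simulation: a padding oracle against SSL 3.0-style CBC records.
# Added example, not the post's own code; cipher, MAC, keys and cookie are
# stand-ins so it runs offline with the standard library only.
import hashlib
import hmac
import random

BLOCK = 16                       # block size of the toy cipher
MAC_LEN = 20                     # truncated HMAC stands in for the SSL 3.0 MAC
ENC_KEY = b"toy-encryption-key"  # assumed keys shared by browser and server
MAC_KEY = b"toy-mac-key"
SECRET = b"session=4f3c2a1b"     # constructed cookie the attacker wants to read
rng = random.Random(2015)        # seeded so the simulation is reproducible

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    """Four-round Feistel permutation of one block (toy cipher, not AES)."""
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def mac(msg):
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def client_send(prefix, suffix):
    """Browser side: encrypt prefix||SECRET||suffix||MAC||padding with a fresh IV
    (a simplification of SSL 3.0's chained CBC state)."""
    body = prefix + SECRET + suffix
    body += mac(body)
    pad_len = BLOCK - 1 - len(body) % BLOCK   # a whole block of padding when aligned
    body += bytes([pad_len]) * (pad_len + 1)  # SSL 3.0 leaves the filler bytes unspecified
    iv = bytes(rng.randrange(256) for _ in range(BLOCK))
    return iv, cbc_encrypt(ENC_KEY, iv, body)

def _mac_ok(pt, pad_len):
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(mac(body[:-MAC_LEN]), body[-MAC_LEN:])

def ssl3_accepts(iv, ct):
    """SSL 3.0 receiver: only the padding length byte is checked (the oracle)."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    return pt[-1] < BLOCK and _mac_ok(pt, pt[-1])

def tls10_accepts(iv, ct):
    """TLS 1.0 receiver: every padding byte must equal the length byte."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    n = pt[-1]
    return n < BLOCK and pt[-n - 1:] == bytes([n]) * (n + 1) and _mac_ok(pt, n)

def recover_byte(j, accepts, max_attempts=20000):
    """Man-in-the-middle recovers SECRET[j]; None if the oracle never fires."""
    prefix = b"A" * ((BLOCK - 1 - j) % BLOCK)  # puts SECRET[j] last in plaintext block b
    b = (len(prefix) + j) // BLOCK
    suffix = b"B" * (-(len(prefix) + len(SECRET) + MAC_LEN) % BLOCK)  # forces a full padding block
    for _ in range(max_attempts):
        iv, ct = client_send(prefix, suffix)   # attacker makes the browser resend the request
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        forged = ct[:-BLOCK] + blocks[b + 1]   # target block overwrites the padding block
        if accepts(iv, forged):
            # accepted => D(C_b)[15] ^ C_last-1[15] == 15, and the browser's own
            # plaintext byte was D(C_b)[15] ^ C_b-1[15]: XOR the two predecessors
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[b][-1]
    return None

def recover_secret(accepts, max_attempts=20000):
    out = bytearray()
    for j in range(len(SECRET)):
        byte = recover_byte(j, accepts, max_attempts)
        if byte is None:
            return None
        out.append(byte)
    return bytes(out)

if __name__ == "__main__":
    print("SSL 3.0 receiver leaks:", recover_secret(ssl3_accepts))
    print("TLS 1.0 receiver leaks:", recover_secret(tls10_accepts, max_attempts=3000))
```

Running the file prints the whole cookie recovered through the SSL 3.0 check, after a few hundred resent requests per byte, and None for the TLS 1.0 check, whose padding test rejects every forged record. Swap `tls10_accepts` for a receiver that forgets the all-bytes comparison and it leaks exactly like SSL 3.0, which is what the "certain circumstances" for TLS 1.0 and 1.1 amount to: the protocol is sound, the implementation in front of the server may not be.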
All results are shown in the table below, and screenshots of the Qualys SSL Labs results are in the gallery below. The worst offenders are Barclays, Lloyds and Halifax, with their complete disregard for POODLE and a resulting C grade. The best is Capital One, which gets an A and no warnings.
UK banks SSL status, 24/04/2015. Online banking security results obtained from Qualys SSL Labs.
| Bank Name | Security Grade | Qualys SSL Labs URL |
| --- | --- | --- |
| Marks and Spencer | B | https://www.ssllabs.com/ssltest/analyze.html?d=www7.marksandspencer.com |