Login pages vulnerable to a large number of SSL attacks

Jan 5, 2016 13:15 GMT

More than half of British or foreign-owned banks operating in the UK were found to run insecure SSL instances on the login page of their Web portals.

Most banks these days provide a Web-based banking portal where clients can manage their accounts. Hardened security is crucial in several parts of these portals, such as the transaction pages, the account history, and the user settings page.

While all of these are critical, there is one place where the bank's security must be at its strongest: the page where users authenticate to the service, the login page.

60% of UK banking institutions fail at properly implementing SSL

Security expert Mike Kemp, co-founder of Xiphos Research, has conducted a study of how SSL is used on the login pages of banks and building societies operating in the UK.

His research targeted all banks with a street presence in Britain. This included UK-owned banks, foreign-owned banks, and UK building societies.

For each institution, the researcher searched for the bank's Web portal, took its login page URL, and submitted it for testing via the SSLLabs portal, a service for analyzing the quality of SSL/TLS used on a Web page.

His results were:

►    Of the 22 UK-owned retail banks we examined, 50% were found to have insecure SSL instances.
►    Of the 25 foreign-owned retail banks operating in the UK we examined, 79% were found to have insecure SSL instances.
►    Of the 37 UK building societies we examined, 51% were found to have insecure instances.

This means that around 50 banking institutions out of 84 (60%) failed at properly configuring SSL certificates for their login URLs, arguably the most sensitive and most important point in securing online banking services.

Affected banks were hard to get in contact with

Even worse, Mr. Kemp also reports that 12 out of the 84 (14%) got an F grade from the SSLLabs service, a grade that Mr. Kemp described as "shockingly bad."

Some of the attacks to which these UK banking institutions are vulnerable are older but still effective ones: the POODLE attack, the CRIME attack, and the BEAST and Lucky 13 attacks.
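A defender's view of what those four attacks mean in configuration terms, as an added example that is not part of the article or of the Xiphos Research work: a small checker that maps a server's enabled protocols, cipher suites and compression setting to the attacks it is exposed to. The config dict shape, its field names and both sample configurations are this example's own assumptions, constructed to resemble what a scanner such as SSL Labs reports.

```python
# Added example (not from the article or from Xiphos Research): flag a TLS server
# configuration for the four attacks named above. The config dict shape and field
# names are this example's own, constructed to mimic what a scanner reports.
def classify_tls_config(cfg):
    """Return the attacks a configuration is exposed to, in a fixed order.
    cfg["protocols"]: enabled protocol versions, e.g. ["SSLv3", "TLSv1.0"]
    cfg["ciphers"]: protocol -> list of enabled cipher suite names
    cfg["compression"]: True if TLS-level (DEFLATE) compression is offered
    """
    findings = []
    protocols = set(cfg.get("protocols", []))
    ciphers = cfg.get("ciphers", {})
    cbc_under = sorted(p for p, suites in ciphers.items()
                       if any("CBC" in s for s in suites))
    # POODLE: any SSLv3 support lets a downgrade reach its weak CBC padding check.
    if "SSLv3" in protocols:
        findings.append("POODLE (SSLv3 enabled)")
    # CRIME: compressing records before encryption leaks secrets via record length.
    if cfg.get("compression"):
        findings.append("CRIME (TLS compression enabled)")
    # BEAST: TLS 1.0 CBC suites chain IVs across records (chosen-plaintext exposure).
    if "TLSv1.0" in cbc_under:
        findings.append("BEAST (CBC cipher suites under TLS 1.0)")
    # Lucky 13: every MAC-then-encrypt CBC suite carries the padding timing side channel.
    if cbc_under:
        findings.append("Lucky 13 (CBC cipher suites under %s)" % ", ".join(cbc_under))
    return findings

# Constructed sample: the kind of configuration that would earn a poor SSL Labs grade.
WEAK_CONFIG = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "compression": True,
    "ciphers": {
        "SSLv3": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
        "TLSv1.0": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
        "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    },
}

# Constructed sample: the hardened counterpart (TLS 1.2 only, AEAD suites, no compression).
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2"],
    "compression": False,
    "ciphers": {"TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, classify_tls_config(cfg) or "no exposure to these four attacks")
```

The hardened configuration clears all four findings because it removes SSLv3, disables compression and leaves only AEAD (GCM) suites, which is the same direction a poor SSL Labs grade points a bank's operators in.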

Mr. Kemp tried to contact all of the banking institutions that had problems, but after dealing with countless ill-prepared call center operators, he decided to inform the UK Financial Conduct Authority of his findings on December 15, and the UK National Crime Agency on December 18.

Similar research was also carried out by Troy Hunt for Australian financial institutions (May 2015), and Bryan MacMillan for Scottish financial institutions (August 2015).