Even though a quarter of the encrypted web is about to be broken, over half of login pages for UK online banking sites are insecure. That's according to a survey of banks, building societies, and foreign banks operating in the UK carried out by Mike Kemp, co-founder of security company Xiphos Research.
“In this day and age, financial organizations shouldn't actually be operating, utilizing, certificate instances with known cryptographic flaws,” Kemp told Motherboard in a phone interview.
In all, Kemp examined the state of the login pages for 84 sites. Out of 22 UK-owned banks, 50 percent had insecure pages. When it came to foreign banks operating in the UK, 79 percent had pages suffering from vulnerabilities. And of 37 UK building societies, 51 percent had insecure logins.
Kemp conducted the research in a fairly basic way: by pasting each login URL into SSL Labs, a widely used online tool that returns an overview of a site's supported protocols, its certificate, its encryption strength, and many other variables. Anything that didn't achieve an "A" grade was deemed insecure, Kemp said.
And it turns out many of the sites were subject to a wide range of problems. Eight suffered from POODLE, a vulnerability allowing an attacker to access data in an encrypted web session. Four were susceptible to the CRIME attack, which a hacker can deploy to hijack user sessions and steal data.
Kemp also found 26 sites where Transport Layer Security (TLS) 1.2, a more up-to-date method for securing traffic, was unsupported, and 35 that supported Rivest Cipher 4 (RC4), a stream cipher which, when combined with older protocols, can be used to downgrade the encryption of traffic.
But perhaps most worryingly of all, 36 of the sites used SHA-1, a hashing function used for securing data that researchers have repeatedly warned is susceptible to attack. Google, following the lead of Microsoft and Mozilla, will soon block SHA-1 connections from its browser, ultimately deprecating the standard by July 2016.
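The five findings above, and the survey's "anything below an A is insecure" rule, can be reproduced offline against SSL Labs-style scan results. This is an added illustration, not code from the article or from Xiphos Research; the field names mirror the SSL Labs API's endpoint `details` object as an assumption, and the three hosts are constructed samples, not sites from the survey.

```python
"""Apply the article's audit criteria to SSL Labs-style scan results (offline)."""
from collections import Counter

# Constructed sample shaped like SSL Labs API v2 endpoint 'details' (assumed field
# names). These are invented hosts, not results from the survey in the article.
SAMPLE_RESULTS = {
    "bank-a.example": {"grade": "A", "protocols": ["TLS 1.2", "TLS 1.1", "TLS 1.0"],
                       "rc4": False, "poodle": False, "compressionMethods": 0,
                       "cert": {"sigAlg": "SHA256withRSA"}},
    "bank-b.example": {"grade": "C", "protocols": ["TLS 1.0", "SSL 3.0"],
                       "rc4": True, "poodle": True, "compressionMethods": 1,
                       "cert": {"sigAlg": "SHA1withRSA"}},
    "society-c.example": {"grade": "B", "protocols": ["TLS 1.2", "TLS 1.0"],
                          "rc4": True, "poodle": False, "compressionMethods": 0,
                          "cert": {"sigAlg": "SHA1withRSA"}},
}


def findings(details: dict) -> set:
    """Map one endpoint's scan details to the issue labels the article counts."""
    issues = set()
    if details.get("poodle"):
        issues.add("POODLE")          # SSLv3 CBC padding oracle
    if details.get("compressionMethods", 0) & 1:
        issues.add("CRIME")           # TLS DEFLATE compression still enabled
    if "TLS 1.2" not in details.get("protocols", []):
        issues.add("NO_TLS12")        # no modern protocol offered
    if details.get("rc4"):
        issues.add("RC4")             # weak stream cipher still negotiable
    if details["cert"]["sigAlg"].upper().startswith("SHA1"):
        issues.add("SHA1_CERT")       # certificate signed with SHA-1
    return issues


def is_insecure(details: dict) -> bool:
    """The survey's rule: any grade short of an 'A' (A-, A, A+) counts as insecure."""
    return not details["grade"].startswith("A")


def summarise(results: dict) -> dict:
    """Share of insecure sites plus a per-issue count, as the article reports."""
    insecure = sum(is_insecure(d) for d in results.values())
    counts = Counter(i for d in results.values() for i in findings(d))
    return {"sites": len(results),
            "insecure_pct": round(100 * insecure / len(results)),
            "issues": dict(counts)}


if __name__ == "__main__":
    print(summarise(SAMPLE_RESULTS))
```

Pointing the same logic at real SSL Labs API output for your own hosts gives a repeatable check that each finding has actually been remediated, rather than relying on the overall grade alone.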
As browser vendors quicken their SHA-1 exit, “banks should be responding in kind,” Kemp said.
For an attacker to make use of some of these attacks, they generally have to be on the same network as the target, in, say, an internet cafe.
“If you're on the same network segment as somebody who is using one of these resources, then you can potentially intercept and manipulate data in some instances,” said Kemp, who added, “We're not talking trivial tasks that can be accomplished by a 14-year-old.”
Kemp reported his findings to the Financial Conduct Authority (FCA), an independent body that reports to the Treasury, and which, amongst other things, ensures that “the financial industry is run with integrity.” The FCA wouldn't provide Kemp with any contacts at affected banks to pass the information onto.
So Kemp sent the data to the National Crime Agency (NCA), in the hope of getting the information to those who should see it.
An FCA spokesperson told Motherboard in an email “I'm afraid this isn’t something we can comment on.” An NCA spokesperson, meanwhile, wrote "We do not routinely confirm or deny specific communication with other organisations. We work closely with a range of partners, including those in the banking sector, sharing relevant information, guidance and assistance to help mitigate the threat posed by cyber crime."
Regardless, banks really should be bringing the security of their login pages up to scratch. In other studies, researchers have found that mobile apps used for accessing online banking can also be insecure.
“This is an industry sector that allegedly prides itself on its security posture,” Kemp added. Maybe that posture is pretty disingenuous, all things considered.