back to article UK banks ill-prepared for return of the rabid POODLE

The latest evolution of a high-profile security flaw potentially exposes UK banks' web site traffic to eavesdropping. The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw first surfaced in October and was thought to affect only the obsolete - but still widely used - Secure Sockets Layer (SSL) 3.0 crypto …

  1. TheWeddingPhotographer

    Excellent work

    This is truly excellent work. I expect a lot more from the banks. I expect the banks to be at the bleeding edge of security, not in the wake, behind everyone else.

    1. Ben Tasker

      Re: Excellent work

      Yup, I said the same to Natwest when I sent them the results of a quick analysis of their Internet Banking a month or two back (vested interest, as I'm a customer).

      They were somewhat disinterested, especially given that it's not unreasonable to expect them to uphold high standards.

      1. Syntax Error

        Re: Excellent work

        You cant tell the banks anything. They know best!!

        1. Anonymous Coward
          Anonymous Coward

          Re: Excellent work

          I'd not trust the banks.

          My latest bank offers to show me my pin. I need to enter it in the online banking first, but then it shows me this.

          I'm still undecided if this is a security risk. I'll leave them if it is. Previously, the pin was not viewable by anyone, and only receivable in a tamper proof (at least gives visible results of tampering) envelope.

          I'm not being obsessed or anything, it's just I'd rather not bank with a company that allows someone to request my pin if they get hold of my card and just enter the details online for a "reminder". Or a bank that does not see the uselessness of a pin reminder that first requires me to enter my... PIN!

          1. jbuk1

            Re: Excellent work

            The pin should be salted and hashed so that it can't be reversed even by the bank.

            1. Anonymous Coward
              IT Angle

              Re: Excellent work

              It's shown on the screen. I don't care if it's salted and hashed. It's sent to a recipient a the other end of the PC/Mobile. It boggles my mind how they decided that a phone request/fax or visit to the Bank in the past was a breach of security if they suggested giving out a pin, but are happy to on the internet?

  2. cantankerous swineherd

    1. the internet is a snake pit.

    2. it can never be secured.

    3. anyone doing internet banking needs their head testing.

    1. ZSn

      Benelux banks

      Actually most places other than the UK have reasonable (or at least a lot better) online banking for example the online security is secured by a card reader for challenge/response and signing in the benelux banks for more than a decade. But then again they pay their bankers less (and perhaps more is spent on security - one can hope).

  3. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    A solution for Richard G

    RBS turning out to be technically inept? Surely not.

    But instead of trying to do their job for them (when they clearly don't care), why not use the fast account switching service to somebody who is less bad on security? If you know enough to make that a reason for moving, you'll have a view on who you might trust?

    1. RamblingRant

      Re: A solution for Richard G

      That's easier said than done.

      Purely based on a Qualys check, you'd pick Santander. Quite honestly, they would be the last bank I'd choose if security was a serious concern.

      You'll find several of my articles dotted about, on net-sec, ThreatPost, Softpedia etc.

      1. RamblingRant

        Re: A solution for Richard G

        Worth mentioning, Santander are now vulnerable to POODLE/TLS... so please ignore above comment.

  5. Ashton Black

    So, which UK bank is the most secure? The only comparison I could find was from before Poodle raised it's furry head.

    1. RamblingRant

      That's a tough one.

      You'll struggle to find any recent (or accurate) assessments, as the only people that truly know are bound by *very* tight non-disclosure agreements.

      About 12 months ago, I contacted every UK bank to ask for detailed information on how they handle passwords. Some were in plain text, others were "encrypted" but wouldn't discuss how. Of them all, First Direct (an HSBC company) came out on top. They wouldn't disclose exactly how they were stored either, but their responses to quite lengthy questions were broadly spot on... which helps instill confidence at least. Ironically, HSBC directly were one of the worst... so who knows ;)

  6. Anonymous Coward
    Anonymous Coward

    I reported issues to my bank, Barclays, last month. I never received a reply or acknowledgement.

    When I discovered just how bad their security was I started shopping round for some place better, but as this article points out, they are all just as bad. It's not the vulnerability to Poodle but a long list of stuff like a lack of support for DHE/ECDHE key exchange meaning no forward security and support for insecure ciphers like RC4.

    1. Anonymous Coward
      Anonymous Coward

      Are you surprised

      I found Amex storing key customer session data in cookies on customer machines in 2005 and tried to report it. The result was NIL. ZILCH. NADA. I got continued "be a good customer, do not be disturbed" responce until I cancelled my account. THEN and only THEN, someone from Amex security looked into it. Prior to that - "S.E.P".

      In any case - quick test on Nationwide shows TLS 1.1. My banking abroad in the wild east is at 1.1 too - it used to use client side certificates until 2005 and has been using challenge/responce since 2005.

      Amex is still ... drum roll... - 1.0 (cannot check easily if it is poodle susceptible - SSL 3.0 is disabled "in depth" in this house). This pretty much says everything there is to be said here.

    2. Primus Secundus Tertius

      Barclays in 2013 were still using Windows XP, on the machine I saw in a manager's office.

  7. teebie

    As I understand it the problem with the original POODLE is that the SSL 3.0 specification was broken - so if you are using SSL3 you are vulnerable.

    With POODLE against TLS the problem is that some companies'(*) _implementations_ of TLS were vulnerable. So, if you are using TLS it depends on who wrote the implementation whether or not you are vulnerable.

    (*)e.g. A10 and F5, both of whom released fixes very soon after - if your bank is using either company they should have applied the patches by now

  8. Primus Secundus Tertius

    Happy headlines

    "Virgin laid bare".

    As opposed to being fully clad.. Nice but naughty, Reg!

  9. Anonymous Coward


    What do the "Regulators" / BoE say? Or are they as cluless as those the purport to regulate?

  10. Intractable Potsherd

    Great Article, El Reg!

    Will you follow up on this when more information becomes available so that I can make an informed decision which bank cares enough about my money to put in proper security? It would be most appreciated!

  11. Anonymous Coward
    Anonymous Coward

    Am I right in thinking that if the man-in-the-middle refuses to provide my browser with TLS, that the connection will be made anyway?

  12. StephenD

    Updating not their thing

    This is the same RBS who helpfully tell us:

    "We've thoroughly tested the One account website to make sure you can view it with the following browsers:

    Microsoft Internet Explorer Version 5.0, 5.5 and 6.0 for PCs and 5.0 for Macs

    Netscape Navigator Version 7 for PCs and Macs."

    They then go on to provide a (broken) link to download the latest version of Netscape Navigator for those who haven't yet reached v7.

    Very helpful. You also need a 28.8k modem to access online banking, apparently.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon