Half of UK financial institutions vulnerable to well-known crypto flaws

Fifty per cent of UK high street financial institutions utilise weak SSL certificates on their secure authentication portals, according to a new study by Xiphos Research. An assessment of 84 UK- and foreign-owned banking institutions in November by the international information security firm, and published on Monday, found …

  1. Your alien overlord - fear me

    It always amazes me that unknown (to me anyway) 'security firms' go around 'checking' on companies' security, in all probability without asking for permission first, and yet they're portrayed as the hero when there are laws to prevent 3rd parties just poking around. Why are they exempt from the law when people like me would be banged up?

    1. Chris Harden

      Two reasons:

      1) Intent

      and

      2) Qualifications

      1. Joe Harrison

        Intent doesn't always mean very much. I was shocked several years ago when a bloke got found guilty purely for editing a URL in his browser address bar because he suspected there was a security problem and then reporting it to the site owner.

        And surely by definition anyone capable of taking part in an SSL or security-related thread on El Reg is almost certainly qualified by experience? Not having a CISSP badge doesn't mean not qualified.

        1. Anonymous Coward

          Dan Cuthbert

          "I was shocked several years ago when a bloke got found guilty purely for editing a URL in his browser address bar because he suspected there was a security problem and then reporting it to the site owner."

          I Googled his name. It was the Tsunami website that was a bit piss poor, run by British Telecom. He tried a directory traversal on it (e.g. http://theregister.co.uk/../. or some such), which BT logged as an attack. He'd just donated money, so it was trivial to track him down: they just pulled his address and credit card number.

          UK law defines hacking as 'unauthorized use of a computer' but the definition of how that URL is turned into a web page is a defined web standard. He followed the web standard (directory traversals are allowed) and that forms the definition of 'authorized'. But the judge was technically incompetent sadly. Easily confused by the term 'directory traversal'.

          Can you imagine trying to write a search engine in the UK? You'd be in jail for the web crawl, City of London police would seize your domain for indexing copyrighted content. Linking to infringing content would be defined as "conspiracy to defraud" by Judge Evans after secretly hearing evidence without the defence present (Anton Vickerman).

        2. charlie-charlie-tango-alpha

          "Not having a CISSP badge doesn't mean not qualified."

          On the contrary, it can mean the actor actually takes security seriously rather than being impressed by post nominal "qualifications"

          Cough "MBCS" Cough "CITP"

    2. Dan 55 Silver badge

      It's just connecting to each bank website in Firefox, seeing what the Calomel or similar plug-in says (or even Page Info if you like), and compiling a list.

      Should that be against the law now?


    4. Doctor_Wibble
      Alien

      ... and do they tell everyone afterwards?

      > in all probability without asking for permission first

      My question is whether they actually tell everyone they have 'probed' after they have done it, or just the ones with known vulnerabilities, or just the subset of those with vulnerabilities that they think will engage their consultancy services for apparently-urgent expensive work in the time between discovery and publication for all the script-kiddies to download.

      Hi, I'm a security researcher and I have discovered a lucrative vulnerability in your corporate structure which I am prepared to help you close for a modest fee...

      [ icon choice obvious given it's all about probing... ]

    5. Captain DaFt

      "It always amazes me that unknown (to me anyway) 'security firms' go around 'checking' on companies security, in all probability without asking for permission first"

      And this is why it's hard to have nice things.

      If they looked and found something, there's sure to be many, many more who've looked, said, "PAYDAY!" and got down to serious crime.

      They don't get in trouble until/if they're eventually caught.

      So naturally, people like you want the ones who look, find, and warn about problems arrested because then there'd be no problems, right?

  2. Sproggit

    And The Banks Don't Care

    My bank is one of those UK financial institutions that use vulnerable cryptography. I have now contacted them across three separate occasions, going back almost a year, to warn them about the vulnerabilities. I have written emails and I have telephoned their customer services line and asked to be put through to technical support. All to no avail.

    The best response I had came from a senior support supervisor, who took up my call after it was escalated from a first line specialist. After listening to me repeat my concern, their response was [and I'm paraphrasing since this was a while ago], "Look, Sir, we're very grateful that you've called and of course I'll pass the message along, but we employ top security professionals here. I know you're the customer and the customer is always supposed to be right, but what could you possibly know about cryptography - it's a very complex subject..."

    To which my response was something along the lines of,

    "Well, other than working in the field of IT Security for 20 years, other than being employed to set security policy for my employer and apart from holding a US Patent in cryptography, clearly I don't know enough to be able to call you and alert you to what I believe to be legitimate concerns in such a way that allows me to be taken seriously..."

    They still weren't interested. If there was any practical way that I could function in our society without a bank account, I wouldn't have one...

    1. Norm DePlume

      Re: And The Banks Don't Care

      I'm not sure whether they care or not. Quite possibly not. However, this may be an instance of the wishful type of thinking that goes:-

      Anyone doing that should be fully competent. Our people are doing that. Therefore our people are fully competent.

      1. Anonymous Coward

        Re: And The Banks Don't Care

        I think banks care about liability. If they have an insecure site but they can still blame you, and thus make you liable, when someone steals all the money from your account then they are fine with that.

    2. Doctor Syntax Silver badge

      Re: And The Banks Don't Care

      "My bank"

      Shouldn't that have been "My ex-bank"?

    3. Anonymous Coward

      Re: And The Banks Don't Care

      How many layers of organisation and different divisions do you think the call centre people are away from IT security in a large retail bank? There's no way the message is going to get through like that.

      Unless you have a back-channel to someone who works in IT security @ your bank via personal contacts, your options are

      - assume IT security for your bank know what they are doing, are working on it, but have not been able to get it fixed yet for whatever reason. Probably process, change control or politics.

      - assume they don't know what they are doing, in which case your call...

  3. Stevie

    Bah!

    Kudos for the picture.

    I can't remember my own cell phone number but the number to the Walmington on Sea church hall trips off the old brain any time I see a Dad's Army screenshot.

    Walmington on Sea 333.

    1. John Brown (no body) Silver badge

      Re: Bah!

      "Kudos for the picture.

      Dad's Army screenshot.

      Walmington on Sea 333."

      That sounds almost like it might have been a half way amusing picture to head the article instead of the replacement, which appears to be a single key standing proud from a sea of keys. It's almost as bad as the BBC always showing an image of an RJ45 plug for every story about computers, networking or hacking.

  4. Bawsnia2

    Guys, I think we should all calm down a minute here. If you look at the report they have cut and pasted a Qualys SSL Labs score. You don't need to poke around anyone's web infrastructure. Just put the URL into SSL Labs and they do it for you. By the way, you should do it with any https sites you host.

    Anyway, cryptography relies on being open to be tested to death, so vulnerabilities are outed quickly. The fact that some banks are running with 3 year old vulnerabilities should be criminal.

    It is not even difficult to protect against POODLE and CRIME. 3 seconds on Google will tell you all you need to know.
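Bawsnia2 says closing POODLE and CRIME is not hard, and on the server side it really is a matter of refusing the old protocol versions and never enabling TLS-level compression. The block below is an added example (mine, not anything from the thread, from Xiphos Research or from any bank) that puts a deliberately weakened `ssl.SSLContext` beside a hardened one and includes a small audit that reports which of the thread's findings each context would still produce. The cipher string is my choice; the certificate and key paths are placeholders the operator supplies.

```python
"""Server-side TLS settings beside the holes this thread names.
Added example: the weak context is constructed to show the bad
settings, it is not copied from any real bank's configuration."""
import ssl
from typing import List, Optional


def weak_server_context() -> ssl.SSLContext:
    """An SSLv3-era default: every version the library still speaks,
    TLS compression allowed, and the library's own cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    # Python sets OP_NO_COMPRESSION by default; clear it so that an OpenSSL
    # built with zlib would negotiate compression (the CRIME precondition).
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Refuse SSLv3/TLS 1.0/1.1, forbid compression, offer only
    forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are separate)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv3 (POODLE), no TLS 1.0/1.1
    ctx.options |= ssl.OP_NO_COMPRESSION            # no TLS-level compression (CRIME)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server picks the suite, not the client
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if certfile:  # placeholder paths, supplied by whoever runs the server
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Which of the thread's findings would this context still produce?
    An empty list means none of them."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts protocols below TLS 1.2 (SSLv3 means POODLE)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (CRIME)")
    ciphers = ctx.get_ciphers()
    for c in ciphers:
        if c["protocol"] != "TLSv1.3" and not c["name"].startswith(("ECDHE", "DHE")):
            findings.append("suite without forward secrecy offered: " + c["name"])
            break
    for c in ciphers:
        if any(w in c["name"] for w in ("RC4", "DES", "NULL", "MD5")):
            findings.append("obsolete primitive in cipher list: " + c["name"])
            break
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()), ("hardened", hardened_server_context())):
        print(label, audit(ctx) or "no findings")
```

Note that Python's own defaults already forbid SSLv3 and compression, so the weak context has to be built on purpose; the point of the pair is to make the audit's checks concrete, the same checks a scanner such as SSL Labs applies from the outside.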

  5. Zog_but_not_the_first
    Devil

    Bank Executive's Quandary

    Hmmmm... Spend a small portion of this big pile of cash to investigate and fix security flaws.

    Or... put it all in my pocket.

  6. Mr Flibble
    FAIL

    It's not just the financial institutions.

    3: badly broken. Vulnerable to POODLE, problems with the certificate chain, doesn't do anything newer than TLS 1.0, reported as failing to talk to some common browser/OS combinations…

    O2: much better; only minor problems here.

    (Links are to one well-known SSL testing service.)

  7. DannyJr

    It goes to show that banks have piss-poor security and hide behind draconian laws to hide their flaws. White hatters would be reluctant to report flaws knowing that British laws are crap. It reminds me of this one bloke who found a gun lying around. He picked it up and brought it to the police as a good citizen. He was charged for gun possession, was prosecuted, and convicted by a braindead jury of his peers. All because of badly written laws.

    You can bet I won't be reporting online security flaws from UK firms. They got the laws they lobbied for, and they shall get the requisite response.

  8. Sirius Lee

    It's fashionable to be a bank basher...

    Imagine you are an executive in a major bank, responsible for many billions of pounds. Sure you have one eye on your pocket but also an eye on your reputation. This is not a black and white issue. If a bank used stronger/better certificates, does that mean there will be no more hacking? Of course not.

    So it's a numbers game and banks are good with numbers. A bank will now have a good idea of the type and volume of hacks to which they are exposed given their current set of technology. When a new exploit becomes available, they will be able to see the impact on claims against their systems. This information will be handed to their actuaries who will provide statistics about and forecasts of likely losses. These can then be factored into the business plan.

    Change the technology too soon and the statistics on which to base actuarial forecasts are not available. That's risky for the bank and for us. We don't want to have our accounts hacked but nor do we want the bank to fail because the technology was too new to provide reliable hacking statistics.

    1. Anonymous Coward

      Re: It's fashionable to be a bank basher...

      Perhaps you should ask Dido Harding about the unwisdom of trusting to "we haven't been hacked badly enough yet to bother about it".

      And this isn't New Technology - for instance the report says that more than 10% of institutions were using SSL 3, which has been obsolete for over 15 years.

  9. Anonymous Coward

    You might be interested to read http://www.bank-grade-security.uk/

    > This page compares the SSL security of online banking websites of British banks. SSL (or more correctly TLS) is the encryption between your web browser and the bank’s web server. It protects against others reading or changing the page (a man-in-the-middle attack).
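Several posts above describe the same check from different angles: Dan 55 reads the protocol and certificate details off each bank site in Firefox and compiles a list, Bawsnia2 points at SSL Labs, Mr Flibble reports one site that accepts SSLv3 (POODLE), has chain problems and does nothing newer than TLS 1.0, the reply to Sirius Lee notes that over 10% of institutions still accept SSL 3, and the link above compares banks by the same criteria. The script below is an added example, not code from the thread, from Xiphos Research or from bank-grade-security.uk: using only Python's standard `ssl` module it makes one handshake per protocol version, records what the server accepted, checks whether TLS compression (CRIME) was negotiated and whether the chain validates, and grades the result in the thread's own terms. Hosts come from the command line, and the grading wording is mine.

```python
"""Probe one TLS endpoint for the issues this thread names and grade it.
Added example; ScanResult values built by hand are used for the
offline check, the network probe runs only from the command line."""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# (label, ssl.TLSVersion member, can this Python/OpenSSL build offer it at all?)
VERSIONS = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]


@dataclass
class ScanResult:
    host: str
    # label -> True (server accepted), False (server refused),
    #          None (this machine could not offer it, so nothing was learned)
    versions: Dict[str, Optional[bool]] = field(default_factory=dict)
    compression: Optional[str] = None  # negotiated TLS compression method, if any
    chain_ok: Optional[bool] = None    # None = not tested (connection failed)
    error: Optional[str] = None


def _context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version, chain checks off:
    this handshake measures protocol support, the chain is checked separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:  # modern OpenSSL refuses to offer old versions at its default security level
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older library without security levels: nothing to relax
    return ctx


def _handshake(host: str, port: int, ctx: ssl.SSLContext, timeout: float):
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.compression()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ScanResult:
    r = ScanResult(host=host)
    for label, version, available in VERSIONS:
        if not available:
            r.versions[label] = None
            continue
        try:
            negotiated, comp = _handshake(host, port, _context_for(version), timeout)
            r.versions[label] = (negotiated == label)
            if comp:
                r.compression = comp
        except ssl.SSLError as e:
            # NO_PROTOCOLS_AVAILABLE means *we* could not offer the version;
            # any other TLS error means the server turned it down.
            r.versions[label] = None if e.reason == "NO_PROTOCOLS_AVAILABLE" else False
        except OSError as e:
            r.versions[label] = None
            r.error = f"{label}: {e}"
    try:  # a second handshake with full chain and hostname validation
        _handshake(host, port, ssl.create_default_context(), timeout)
        r.chain_ok = True
    except ssl.SSLCertVerificationError:
        r.chain_ok = False
    except OSError as e:
        r.error = r.error or str(e)
    return r


def highest_accepted(r: ScanResult) -> Optional[str]:
    accepted = [label for label, _, _ in VERSIONS if r.versions.get(label)]
    return accepted[-1] if accepted else None


def grade(r: ScanResult) -> List[str]:
    """Findings in the thread's terms; an empty list means none of them apply."""
    findings = []
    if r.versions.get("SSLv3"):
        findings.append("SSLv3 accepted: POODLE (CVE-2014-3566)")
    if r.compression:
        findings.append(f"TLS compression ({r.compression}) negotiated: CRIME (CVE-2012-4929)")
    top = highest_accepted(r)
    if top is not None and top not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"nothing newer than {top} offered")
    if r.chain_ok is False:
        findings.append("certificate chain does not validate against the local trust store")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: tlsprobe.py host [host ...]")
    for h in sys.argv[1:]:  # one line per site, the list Dan 55 describes compiling
        res = probe(h)
        untested = [k for k, v in res.versions.items() if v is None]
        print(h, highest_accepted(res), grade(res) or "no findings",
              "untested:", untested, res.error or "")
```

A version this machine's OpenSSL cannot offer is reported as untested rather than refused; most current builds have no SSLv3 at all, so an SSLv3 verdict needs an old library or an external scanner such as the SSL Labs test Bawsnia2 mentions. The same checks by hand are `openssl s_client -connect host:443 -ssl3` and `-tls1`, with the same limitation.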
