Sainsbury's Bank web pages stuck on crappy 20th century crypto

Sainsbury's Bank website still relies on insecure cryptography protocols that more security conscious organisations have abandoned as obsolete. The UK supermarket-owned bank’s "secure" site rates an “F” in tests using the industry standard Qualys’ SSL Labs service – chiefly because of the support for protocols security experts …

  1. David Roberts
    FAIL

    I think they meant

    Multiple layers of obsolete security.

    1. Fruit and Nutcase Silver badge
      Joke

      Re: I think they meant

      "Every Little Helps"

      ah, wrong Supermarket

      1. Graham Dawson Silver badge

        Re: I think they meant

        More reasons to shop at morrisons, I guess...

    2. Infernoz Bronze badge
      FAIL

      Re: I think they meant

      Indeed and the SSL layer for the web UI is the most critical because lots of critical data could be sniffed via MitM attacks, especially logins!

  2. Necronomnomnomicon

    How slow does continuous improvement have to be before you have to stop using the word "continuous"?

    I mean, technically speaking the University of Queensland has a pile of continuously-flowing pitch, but it doesn't appear to change more than once every dozen or so years. Like Sainsbury's web crypto.

  3. james.aka.damingo
    FAIL

    Seen that before

    That response is exactly the same one I got when I raised it with them; not even possible to use their site with the latest chrome or on android/kindle-fire as it blocks the crypto.

    They suggested that I disable the security warning; not the best of ideas. Not the main reason; but I have since closed my account with them!

    >> Mine's the one with the "How to Overreact guide" in the pocket

    1. Anonymous Coward
      Dead Vulture

      Re: Seen that before

      I was expecting as much when I read the update... and was more than a bit dismayed by what struck me as an appallingly mindless and naïve "update" from a technical organ as learned as Reg, and which purports to "Bite the hand that feeds it" :o(

      Did you even ask them what *EXACTLY* these "multiple layers of security" are Reg?

      In response to queries from El Reg, Sainsbury's Bank splaffed out a typically specifics-free PR response, implying that there's no cause for concern because undisclosed "multiple layers of security" make their site "safe".

      "Customers visiting the Sainsbury’s Bank website can rest assured that they are protected at all times by multiple layers of online security. We continually act to strengthen the protection of our online customer services through security improvement initiatives."

      T, FTFY

      1. teebie

        Re: Seen that before

        "more than a bit dismayed by what struck me as an appallingly mindless and naïve "update" from a technical organ as learned as Reg"

        I assumed the update was supposed to be read in a veeeery sarcastic tone of voice

    2. Dave K

      Re: Seen that before

      Yep, same with Pale Moon as well. That also blocks sites by default that use obsolete crypto algorithms.

  4. Anonymous Coward
    Anonymous Coward

    And people wonder why I don't bank online...

  5. Stoneshop
    Pirate

    “Someone there should be beaten to a pulp with a keyboard.”

    Given the mechanical properties of nearly all of today's keyboards, that will take about a 20' (43.542857 linguini) container full of them. Better change over to an industrial model, or straight to the real thing, the Model M.

    1. This post has been deleted by its author

      1. PassiveSmoking

        Re: “Someone there should be beaten to a pulp with a keyboard.”

        Unless you got blood on it. Liquid was the Model M's kryptonite.

    2. Pookietoo
      Coffee/keyboard

      Re: Model M

      I have one somewhere, if someone needs a beating - that would be the best use for the nasty clunky thing.

      1. John H Woods

        Re: Model M

        I'll pay the postage if you send it to me!

    3. el_oscuro

      Re: “Someone there should be beaten to a pulp with a keyboard.”

      I have one of those at my office. Should a scenario like Doom happen, and I have to battle former humans and Imps, I'll have a decent weapon.

  6. Dan 55 Silver badge
    Mushroom

    Continuous improvement

    Yes as a matter of fact under our continuous improvement initiative we had the TLS that we haven't touched for years scheduled for improvement this very week your article came out.

  7. Lee D Silver badge

    Try TPOnline, the Teacher's Pension's website.

    It scores F-.

    1. Alan J. Wylie

      Another "F" - the UK gov's Individual Insolvency Register

      https://www.ssllabs.com/ssltest/analyze.html?d=insolvencydirect.bis.gov.uk

  8. BobChip

    Sainsbury's Bank (a small bank) used to be 50% owned jointly with Lloyds (a big bank) until Sainsbury bought out Lloyds' interest in January 2014. Bet Sainsbury have not upgraded any of the systems since then.

    1. Anonymous Coward
      Anonymous Coward

      Sainsbury's bank were always arrogant arsewipes

      Having worked at HBOS / LBG at the time when they started trying to assert their independence, this doesn't surprise me. They were convinced they could get better deals elsewhere or easily do it all themselves and were frequently pricks.

      We weren't perfect by any means but they were convinced this whole IT lark was a piece of piss.

    2. Ken Hagan Gold badge

      Even if that is the case, it is quite a drop because Lloyds currently score an A.

      https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk%2F

  9. santoy

    Tesco are not any better ....

    https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com

    1. DaLo

      EH? That report shows www.tescobank.com gets an 'A' rating. That is their banking domain.

      Without the www they get an F but that just redirects you to the more secure www.tescobank.com.

  10. Anonymous Coward
    Anonymous Coward

    At least their Entertainment site gets an A...

  11. This post has been deleted by its author

  12. Tony S
    Facepalm

    That statement made my eyes bleed

    "Customers visiting the Sainsbury’s Bank website can rest assured we don't give a toss about them that they are protected at all times by multiple layers of online security. We continually do as little as possible act to strengthen the protection of our online customer services through security improvement initiatives that we don't understand, achieve bugger all, but sound good."

    FTFY.

  13. John H Woods

    Prosecution required.

    Someone, hopefully multiple someones including the budget holders, should face internal disciplinary action for the bad state of crypto. However, the person who made this statement "Customers visiting the Sainsbury’s Bank website can rest assured that they are protected at all times by multiple layers of online security" should be prosecuted; the statement is simply false, and they have hoped to have worded it in such a manner as to attempt to escape being caught in an outright lie. But the purpose of the statement, in the context of the established facts, is to deceive. And the purpose of that deception, at this moment in time, is to falsely reassure customers that their financial details are adequately protected.

    If Sainsbury's or their PR department fancy suing me for libel, I'm happy to provide my details, and I look forward to hearing from them.

    1. TheOtherHobbes

      Re: Prosecution required.

      >Someone, hopefully multiple someones including the budget holders, should face internal disciplinary action for the bad state of crypto.

      That'll be senior management saying "What? No, that'll cost money we can't afford. It's fine as it is."

      1. ThomH

        Re: Prosecution required.

        Negligence = duty + beach + damage. Someone can sue as soon as they suffer damage. Which, even with the probable quality-of-lawyer differential, is still better protection than '90s-era HTTPS.

        1. Androgynous Cupboard Silver badge

          Re: Prosecution required.

          If I were a man of dubious character with an account there, I would be attempting to hack my own account by breaking the ciphers. Transfer money away to another account, sue Sainsbury's for letting it happen, get twice value of the transaction plus inevitably successful damages.

          Of course I am not that sort of man, nor am I foolish enough to bank with them.

        2. John H Woods

          Re: Prosecution required.

          "Negligence = duty + b[r]each + damage. Someone can sue as soon as they suffer damage" -- ThomH

          Sure, that's what's required to prosecute the guys who fsck'd up the crypto ... but making the statement isn't negligent, it's dishonest. IANAL but surely there's another offence which covers making false claims about financial services? Doesn't seem to me that it would be acceptable to imply that your customers were adequately protected when they were not. Any actual lawyers got a view on this?

    2. Francis Boyle

      No better regulation

      We hear these stories again and again because in any regulated system a culture develops of doing the absolute minimum needed to comply with the regulations. No, that might be acceptable in the exciting field of, say, stationery (sorry, David Brent) but when it comes to my money I want a proactive regulator that's prepared to continually enforce good, and not just "good enough" (which never is), practices. Of course in the current cultural/political climate I'm dreaming.

  14. Solxdi

    They still use XP

    Just as a side note, they are still using Windows XP on PCs used to service customer returns. I was shopping on Sunday and noticed the login screen of the desktop PC located at the customer service desk, clearly Windows XP.

    It might be connected to a secure internal network but still not what you expect from a modern retailer.

    So no surprise regards the crap SSL.

    1. teacakes

      Re: They still use XP

      However...if it's an embedded version of XP -such as POSReady- then security updates are still actively produced, AFAIK.

      1. robidy

        Re: They still use XP

        Err, no, even embedded has gone EOL (as of Jan 2016).

    2. Anonymous Coward
      Anonymous Coward

      Re: They still use XP

      Sainsbury's Bank does not necessarily mean Sainsbury's Store. Just because the Supermarket uses XP (which is perfectly valid for some use cases) does not necessarily mean their Bank uses XP.

      If Sainsburys have followed FCA and PCI guidelines then the Bank network will be separate from the rest of the group, treating the group as a third party. (I don't know if it is or not, but I know several of the other players in the same situation have entirely separate networks).

      1. <shakes head>

        Re: They still use XP

        the same PCI requirement that most of the credit card companies can't meet?

      2. Solxdi

        Re: They still use XP

        My point was: if they are still using XP in the retail stores it would suggest that compliance and security are not high on the agenda as a whole. I acknowledge that the banking arm is likely to be run on segregated hardware and software platforms (banks did however lie about loads of shit for years and go bust, so not to be trusted). Still, XP on a PC in a retail store which is part of the FTSE 100!

  15. DrXym

    Rest assured nothing

    I would very much hope that banks practice security in depth and that there is more than one layer of security between someone's money and a thief.

    However that is no excuse for running outdated encryption. The fact they do throws into doubt how secure the rest of their site actually is or if there is anyone working there who has a clue what they're doing. For example if the crypto is that ancient, then what site software are they running and is it kept up to date? What separation exists between the authentication server and app server? Is there a DMZ? Is there 2-way SSL between the app server and the banking services? Are the muppets in charge of security? etc.

    Now would be a good time for them to fix things.

    1. Pookietoo
      Facepalm

      Re: Now would be a good time for them to fix things

      No, that was last week.

  16. goldcd

    No shortage of other similar examples

    My phone's with Three, and Chrome bluntly refuses to allow me to log in.

    They also score an F on the SSL Server Test.

    I've been bitten by changes, missed patches etc before - but their site's been like it for months.

  17. Anonymous Coward
    Anonymous Coward

    Continuous Improvement management guide:

    1. The basic philosophy is that we can do everything cheaper if we make techies responsible.

    2. The basic trick remains to get techies to do something first and only then describe what you wanted. That way you can tell shareholders you save on quality and security. By the time you have to appoint knowledge-workers who have to accept responsibility for security and quality they find they are mainly just covering up for everybody walking all over them, but they are even more replaceable than production-workers.

    3. Since both Pol Pot (in Kampuchea) and Hitler (in Poland) built their successes on initially removing the intelligentsia from society and then "just doing", there is ample evidence of its potential for success. Just make sure you are in control of who describes what happened.

  18. Anonymous Coward
    Anonymous Coward

    My bank was surprisingly proactive

    I found a similar problem with one of my bank's services and reported it to them. Surprisingly, they didn't shoot the messenger and the problem was fixed within a few weeks. AC as I don't particularly want to embarrass the bank for their previous failing.

    1. Anonymous Coward
      Anonymous Coward

      Re: My bank was surprisingly proactive

      Hardly "embarrassing" them by crediting them with handling security related feedback appropriately, is it AC? Or do you think all the cool banks will call them a swot or narc and start stealing their lunch money?

      Go on AC.. name and "shame"... I'd like to open an account there.

  19. rh587 Silver badge

    Just had a look at the RBS site.

    Their public site (rbs.co.uk) scores a C thanks to poor protocol support - they don't support better than TLS1.0 (they are at least using SHA256 certificates). This is probably because a quick check of their HTTP headers returns IIS6.0, which infers they're on Server 2003...

    Happily, their digital banking site (rbsdigital.com) does much better, scoring an A with SHA256 certs and TLS1.2.

    However, checking their headers returns BigIP - the OS for F5's load-balancing/traffic-managing/firewall range. This is not a bad thing in itself, but it makes you wonder whether they've simply stuffed a shiny new appliance in front of a creaking, archaeological dig of an environment to publicly offer good crypto whilst hiding all manner of sins within!

  20. BasicChimpTheory

    re:update

    "Our firewalls and proxies will DEFINITELY protect you from MTM attacks."

  21. Anonymous Coward
    Anonymous Coward

    Intelligent Finance (my.if.com) get an F too and I doubt they'll do anything to change that. IF are on a constant drive to annoy their customers as much as possible so they'll all leave. I only keep an old dormant account there to see how desperate they get each year for me to leave.

    I tested my own test SSL server and got a T rating! But on inspection that was down to the self-signed certificate.

  22. pewpie

    'We continually act to strengthen the protection of our online customer services through security improvement initiatives.'

    Translates to their standard reply to all customer issues. "Shut up, peon, and take a look around at what we've done to your country. We do what we like."

  23. Anonymous Coward
    Boffin

    Thinking outside the box

    Tesco and Sainsbury both have online banks and online shopping, but neither will deliver folding cash to your home along with the groceries. It's a missed opportunity!

    1. Dan 55 Silver badge

      Re: Thinking outside the box

      It's a missed opportunity for G4S? For thieves?

  24. Anonymous Coward
    Anonymous Coward

    RC4 has been removed

    The last time I checked, they had removed RC4, but the site is still rated 'F' by Qualys.

  25. PeteA
    Facepalm

    Multiple layers of security

    We don't just use ROT-13, we use double ROT-13!

  26. Matthew Brasier

    My wife raised this with their customer support desk last year, who eventually got back to her with "Our site uses industry standard encryption". She replied that it was industry standard in 1999, but got no reply.

  27. Doctor Syntax Silver badge

    I wish journos looking for a comment would start off along the lines of "We'll take it as read that you'll say customers' security is important to you. Given $cockup can you prove that?" and then follow up the next anodyne waffle with "That's a no, then.". And report that as "$wankers were unable to give us any meaningful reassurances.".

    In the meantime it's long overdue that banking licences were dependent on maintaining security to top standards. The regulators should run tests against each new vulnerability disclosure that might affect the web site. Any bank found with its site not up to date with its patches would be given no more than 3 days* to fix it or the web site would have to be taken off line until remedied. This would mean that maintaining security would become an essential part of doing business, as it should be, instead of an expensive option, which it all too often seems to be.

    And while the regulators are about it, financial institutions should not be allowed to let 3rd party marketing companies to send out emails purporting to be from the institution but actually from some other domain, with out of domain links, reply-to etc, again to be policed by the regulator on pain of fines that would wipe out the marketing department's salary budget for a couple of years.

    *Possibly over generous, especially if a patch has been made available prior to disclosure.

  28. Rob Moss
    FAIL

    Awful configuration

    There are two servers in scope here. One is www.sainsburysbank.co.uk, which is used for sign-up. The other is online.sainsburysbank.co.uk, which is used for online banking.

    www.sainsburysbank.co.uk is poorly configured. Only TLS 1.0 and SSL 3.0 are supported. RC4 is supported with SSL 3.0. There is no protocol downgrade attack prevention implemented. Hitting a browser which communicates using RC4 over SSL 3.0 with a bit of injected JavaScript can reveal their logon cookie within 52 hours, on average. With enough targets to attack, you can use the normal distribution to estimate the number of attacks you'd need to make in order to guarantee stealing someone's login details.

    This, however, isn't the problem. online.sainsburysbank.co.uk is vulnerable to the POODLE attack, which means that with a little bit of effort, you can steal people's authentication cookies in Starbucks. If you can't get to Starbucks, no problem! There's a flawed but not entirely unreasonable list of cipher suites offered by the server. In reverse order. Least secure first! Pretty much everything will connect using TLS 1.0 with the TLS_RSA_WITH_RC4_128_MD5 cipher suite. Just to make things extra-porous, there's no session resumption, which makes the attack on RC4 a lot easier. It's not the worst configured TLS implementation I've ever seen, but it's not far off.

  29. Anonymous Coward
    Anonymous Coward

    So I was waiting

    for some examples of these 'security layers'...

    ...seems a bit, um, obscure.

  30. Alistair
    Windows

    *layers* -- they have *layers*

    "can rest assured that they are protected at all times by multiple layers of online security"

    So -- the website is ... an onion or an ogre, ... or perhaps a cabbage?

  31. Anonymous Coward
    Anonymous Coward

    Check out one of the largest banks in the US: KeyBank

    https://www.ssllabs.com/ssltest/analyze.html?d=key.com&latest - a big fat F - SSLv3, Poodle, RC4, DH 1024, and even a 56-bit cipher!

    TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits FS WEAK 56

    Woo hoo! Partying like it's 1990. But, hey, at least they put a SHA256 cert on it! That must be their version of multiple layers of security.

    I really like this domain they apparently host:

    156.77.68.154

    qv.ihatekey.org
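Both Rob Moss's write-up of the Sainsbury's hosts and the KeyBank post above are describing the same checks a scanner performs: which protocols are offered, whether each advertised suite uses a broken cipher, a weak MAC or export-grade key exchange, whether the server prefers its weakest suites, and whether downgrade protection is present. The script below is an added example (not part of the thread, and not SSL Labs' own grading logic) that runs those checks over a constructed scan record modelled on the two configurations, and builds a hardened Python `ssl` context that refuses all of them; the `SAMPLE_SCAN` values and the `fail`/`weak`/`ok` verdict scale are my own.

```python
import re
import ssl

# Constructed scan record modelled on the configurations described in the thread
# (SSL 3.0 + TLS 1.0 only, RC4/MD5 preferred, a 56-bit DES suite, no downgrade
# protection, no session resumption). Hand-written, not output of a live scan.
SAMPLE_SCAN = {
    "protocols": ["SSL 3.0", "TLS 1.0"],
    "fallback_scsv": False,          # TLS_FALLBACK_SCSV not supported
    "session_resumption": False,
    "ciphers": [                     # listed in the server's preference order
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_DHE_RSA_WITH_DES_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

# IANA suite names have the shape TLS_<key exchange>_WITH_<cipher>_<MAC/PRF>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*|MD5)$")
BROKEN_ENC = {"RC4_128", "RC4_40", "DES_CBC", "DES40_CBC", "3DES_EDE_CBC", "NULL"}


def suite_issues(name):
    """Return the weaknesses found in one cipher-suite name (empty list = clean)."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unparseable suite name"]
    issues = []
    if m["enc"] in BROKEN_ENC:
        issues.append("broken cipher " + m["enc"])
    if "EXPORT" in m["kx"]:
        issues.append("export-grade key exchange")
    if m["mac"] == "MD5":
        issues.append("MD5 MAC")
    if not m["kx"].startswith(("DHE", "ECDHE")):
        issues.append("no forward secrecy")
    return issues


def assess(scan):
    """Collect fatal findings and warnings for a scan record and give a verdict."""
    fatal, warnings = [], []
    for proto in scan["protocols"]:
        if proto.startswith("SSL"):
            fatal.append(proto + " offered (POODLE-class attacks on CBC suites)")
    if max(scan["protocols"]) < "TLS 1.1":
        warnings.append("TLS 1.0 is the newest protocol offered")
    if not scan["fallback_scsv"]:
        warnings.append("no downgrade protection (TLS_FALLBACK_SCSV)")
    if not scan.get("session_resumption", True):
        warnings.append("no session resumption: full handshake on every connection")
    per_suite = [suite_issues(c) for c in scan["ciphers"]]
    for name, issues in zip(scan["ciphers"], per_suite):
        for issue in issues:
            (fatal if "broken" in issue or "export" in issue else warnings).append(name + ": " + issue)
    clean = [i for i, issues in enumerate(per_suite) if not issues]
    if clean and any(per_suite[:clean[0]]):
        warnings.append("server preference puts weak suites ahead of strong ones")
    verdict = "fail" if fatal else ("weak" if warnings else "ok")
    return {"verdict": verdict, "fatal": fatal, "warnings": warnings}


def hardened_context():
    """Server context that refuses SSLv3/TLS1.0/1.1, RC4, DES, MD5 and non-PFS suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES")
    return ctx
```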

  32. Sheriff
    Facepalm

    Told them so

    Only a few weeks ago, in December, I emailed them because I wasn't happy that I could only use an account password of numbers and letters. Not characters.

    Their reply? "Our password system is not something that is currently under review, however I'll pass your feedback on to the relevant department."

    Not really surprised by El Reg's posting today.

  33. Paul Hovnanian Silver badge

    Stuck?

    So who or what is getting them stuck? Internal IT/CIO personnel problems? The old farts can be handed a retirement package in short order. Users? Put a message on the home page to the effect that IE6 will no longer be supported. And we mean it this time.

    Or are they getting push back from various state security services? Who haven't figured out how to crack the good stuff yet.

  34. Anonymous Coward
    Anonymous Coward

    NAB gets an F and a F**k Knows

    Scanning www.nab.com.au gives a couple of F grades for nab.com.au and a B for www.nab.com.au (which is hosted on Akamai).

    Attempting to scan the internet banking login portal ib.nab.com.au gives the message "The owner of this site requested that we do not test it".
