I think they meant
Multiple layers of obsolete security.
Sainsbury's Bank website still relies on insecure cryptography protocols that more security conscious organisations have abandoned as obsolete. The UK supermarket-owned bank’s "secure" site rates an “F” in tests using the industry standard Qualys’ SSL Labs service – chiefly because of the support for protocols security experts …
I mean, technically speaking the University of Queensland has a pile of continuously-flowing pitch, but it doesn't appear to change more than once every dozen or so years. Like Sainsbury's web crypto.
That response is exactly the same one I got when I raised it with them; it's not even possible to use their site with the latest Chrome or on Android/Kindle Fire as it blocks the crypto.
They suggested that I disable the security warning; not the best of ideas. Not the main reason, but I have since closed my account with them!
>> Mine's the one with the "How to Overreact" guide in the pocket
I was expecting as much when I read the update... and was more than a bit dismayed by what struck me as an appallingly mindless and naïve "update" from a technical organ as learned as Reg, and which purports to "Bite the hand that feeds it" :o(
Did you even ask them what *EXACTLY* these "multiple layers of security" are Reg?
In response to queries from El Reg, Sainsbury's Bank splaffed out a typically specifics-free PR response, implying that there's no cause for concern because undisclosed "multiple layers of security" make their site "safe".
"Customers visiting the Sainsbury’s Bank website can rest assured that they are protected at all times by multiple layers of online security. We continually act to strengthen the protection of our online customer services through security improvement initiatives."
T, FTFY
Having worked at HBOS / LBG at the time when they started trying to assert their independence, this doesn't surprise me. They were convinced they could get better deals elsewhere or easily do it all themselves and were frequently pricks.
We weren't perfect by any means but they were convinced this whole IT lark was a piece of piss.
"Customers visiting the Sainsbury’s Bank website can rest assured we don't give a toss about them that they are protected at all times by multiple layers of online security. We continually do as little as possible act to strengthen the protection of our online customer services through security improvement initiatives that we don't understand, achieve bugger all, but sound good.
FTFY.
Someone, hopefully multiple someones including the budget holders, should face internal disciplinary action for the bad state of crypto. However, the person who made this statement "Customers visiting the Sainsbury’s Bank website can rest assured that they are protected at all times by multiple layers of online security" should be prosecuted; the statement is simply false, and they have hoped to have worded it in such a manner as to attempt to escape being caught in an outright lie. But the purpose of the statement, in the context of the established facts, is to deceive. And the purpose of that deception, at this moment in time, is to falsely reassure customers that their financial details are adequately protected.
If Sainsbury's or their PR department fancy suing me for libel, I'm happy to provide my details, and I look forward to hearing from them.
If I were a man of dubious character with an account there, I would be attempting to hack my own account by breaking the ciphers. Transfer money away to another account, sue Sainsbury's for letting it happen, get twice value of the transaction plus inevitably successful damages.
Of course I am not that sort of man, nor am I foolish enough to bank with them.
"Negligence = duty + b[r]each + damage. Someone can sue as soon as they suffer damage" -- ThomH
Sure, that's what's required to prosecute the guys who fsck'd up the crypto ... but making the statement isn't negligent, it's dishonest. IANAL but surely there's another offence which covers making false claims about financial services? Doesn't seem to me that it would be acceptable to imply that your customers were adequately protected when they were not. Any actual lawyers got a view on this?
We hear these stories again and again because in any regulated system a culture develops of doing the absolute minimum needed to comply with the regulations. Now that might be acceptable in the exciting field of, say, stationery (sorry, David Brent), but when it comes to my money I want a proactive regulator that's prepared to continually enforce good, and not just "good enough" (which never is), practices. Of course in the current cultural/political climate I'm dreaming.
Just as a side note, they are still using Windows XP on PCs used to service customer returns. I was shopping on Sunday and noticed the login screen of the desktop PC located at the customer service desk, clearly Windows XP.
It might be connected to a secure internal network but still not what you expect from a modern retailer.
So no surprise regarding the crap SSL.
Sainsbury's Bank does not necessarily mean Sainsbury's Store. Just because the Supermarket uses XP (which is perfectly valid for some use cases) does not necessarily mean their Bank uses XP.
If Sainsbury's have followed FCA and PCI guidelines then the Bank network will be separate from the rest of the group, treating the group as a third party. (I don't know if it is or not, but I know several of the other players in the same situation have entirely separate networks.)
My point was: if they are still using XP in the retail stores it would suggest that compliance and security are not high on the agenda as a whole. I acknowledge that the banking arm is likely to be run on segregated hardware and software platforms (banks did however lie about loads of shit for years and go bust, so not to be trusted). Still, XP on a PC in a retail store which is part of the FTSE 100!
I would very much hope that banks practice security in depth and that there is more than one layer of security between someone's money and a thief.
However that is no excuse for running outdated encryption. The fact they do throws into doubt how secure the rest of their site actually is or if there is anyone working there who has a clue what they're doing. For example if the crypto is that ancient, then what site software are they running and is it kept up to date? What separation exists between the authentication server and app server? Is there a DMZ? Is there 2-way SSL between the app server and the banking services? Are the muppets in charge of security? etc.
Now would be a good time for them to fix things.
Continuous Improvement management guide:
1. The basic philosophy is that we can do everything cheaper if we make techies responsible.
2. The basic trick remains to get techies to do something first and only then describe what you wanted. That way you can tell shareholders you save on quality and security. By the time you have to appoint knowledge-workers who have to accept responsibility for security and quality they find they are mainly just covering up for everybody walking all over them, but they are even more replaceable than production-workers.
3. Since both Pol Pot (in Kampuchea) and Hitler (in Poland) built their successes on initially removing the intelligentsia from society and then "just doing", there is ample evidence of its potential for success. Just make sure you are in control of who describes what happened.
I found a similar problem with one of my bank's services and reported it to them. Surprisingly, they didn't shoot the messenger and the problem was fixed within a few weeks. AC as I don't particularly want to embarrass the bank for their previous failing.
Hardly "embarrassing" them by crediting them with handling security-related feedback appropriately, is it AC? Or do you think all the cool banks will call them a swot or narc and start stealing their lunch money?
Go on AC.. name and "shame"... I'd like to open an account there.
Just had a look at the RBS site.
Their public site (rbs.co.uk) scores a C thanks to poor protocol support - they don't support better than TLS1.0 (they are at least using SHA256 certificates). This is probably because a quick check of their HTTP headers returns IIS6.0, which infers they're on Server 2003...
Happily, their digital banking site (rbsdigital.com) does much better, scoring an A with SHA256 certs and TLS1.2.
However, checking their headers returns BigIP - the OS for F5's load-balancing/traffic-managing/firewall range. This is not a bad thing in itself, but it makes you wonder whether they've simply stuffed a shiny new appliance in front of a creaking, archaeological dig of an environment to publicly offer good crypto whilst hiding all manner of sins within!
Intelligent Finance (my.if.com) get an F too and I doubt they'll do anything to change that. IF are on a constant drive to annoy their customers as much as possible so they'll all leave. I only keep an old dormant account there to see how desperate they get each year for me to leave.
I tested my own test SSL server and got a T rating! But on inspection that was down to the self-signed certificate.
I wish journos looking for a comment would start off along the lines of "We'll take it as read that you'll say customers' security is important to you. Given $cockup can you prove that?" and then follow up the next anodyne waffle with "That's a no, then.". And report that as "$wankers were unable to give us any meaningful reassurances.".
In the meantime it's long overdue that banking licences were dependent on maintaining security to top standards. The regulators should run tests against each new vulnerability disclosure that might affect the web site. Any bank found with its site not up to date with its patches would be given no more than 3 days* to fix it or the web site would have to be taken off line until remedied. This would mean that maintaining security would become an essential part of doing business, as it should be, instead of an expensive option, which it all too often seems to be.
And while the regulators are about it, financial institutions should not be allowed to let 3rd party marketing companies send out emails purporting to be from the institution but actually from some other domain, with out-of-domain links, reply-to etc., again to be policed by the regulator on pain of fines that would wipe out the marketing department's salary budget for a couple of years.
*Possibly over generous, especially if a patch has been made available prior to disclosure.
There are two servers in scope here. One is www.sainsburysbank.co.uk, which is used for sign-up. The other is online.sainsburysbank.co.uk, which is used for online banking.
www.sainsburysbank.co.uk is poorly configured. Only TLS 1.0 and SSL 3.0 are supported. RC4 is supported with SSL 3.0. There is no protocol downgrade attack prevention implemented. Hitting a browser which communicates using RC4 over SSL 3.0 with a bit of injected JavaScript can reveal their logon cookie within 52 hours, on average. With enough targets to attack, you can use the normal distribution to estimate the number of attacks you'd need to make in order to guarantee stealing someone's login details.
This, however, isn't the problem. online.sainsburysbank.co.uk is vulnerable to the POODLE attack, which means that with a little bit of effort, you can steal people's authentication cookies in Starbucks. If you can't get to Starbucks, no problem! There's a flawed but not entirely unreasonable list of cipher suites offered by the server. In reverse order. Least secure first! Pretty much everything will connect using TLS 1.0 with the TLS_RSA_WITH_RC4_128_MD5 cipher suite. Just to make things extra-porous, there's no session resumption, which makes the attack on RC4 a lot easier. It's not the worst configured TLS implementation I've ever seen, but it's not far off.
https://www.ssllabs.com/ssltest/analyze.html?d=key.com&latest - a big fat F - SSLv3, Poodle, RC4, DH 1024, and even a 56-bit cipher!
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) DH 1024 bits FS WEAK 56
Woo hoo! Partying like it's 1990. But, hey, at least they put a SHA256 cert on it! That must be their version of multiple layers of security.
I really like this domain they apparently host:
156.77.68.154
qv.ihatekey.org
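As an added example (not from the thread, SSL Labs or either bank), a small Python audit that checks a server's protocol and cipher-suite profile for the weaknesses the two posts above describe: SSLv3/POODLE, RC4, MD5, the 56-bit DES suite, no downgrade protection, no session resumption and a weakest-first preference order. The WEAK profile is constructed from those descriptions rather than taken from a real scan, and the 112-bit minimum and finding texts are assumptions of this example.

```python
import re

# Rule-based audit of a constructed TLS server profile for the weaknesses named in the
# thread. Suite names use the IANA TLS_<kx>_WITH_<cipher>_<mac> form; bit counts are mine.
BULK_BITS = {"DES": 56, "3DES_EDE": 112, "RC4_128": 128, "AES_128": 128, "AES_256": 256}

def parse_suite(name):
    """Split an IANA suite name into (key exchange, bulk cipher, mac, key bits)."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)_(MD5|SHA|SHA256|SHA384)", name)
    if not m:
        raise ValueError(f"unrecognised suite: {name}")
    kx, bulk, mac = m.groups()
    bulk = bulk.replace("_CBC", "").replace("_GCM", "")   # mode is irrelevant to the strength table
    return kx, bulk, mac, BULK_BITS.get(bulk, 0)

def audit(protocols, suites, fallback_scsv, session_resumption):
    """Return the list of findings for one server profile (an empty list means clean)."""
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 offered: exposed to POODLE, disable it")
    if not {"TLSv1.2", "TLSv1.3"} & set(protocols):
        findings.append("no TLS 1.2 or later offered")
    if len(protocols) > 1 and not fallback_scsv:
        findings.append("no TLS_FALLBACK_SCSV: protocol downgrade is not prevented")
    if not session_resumption:
        findings.append("no session resumption (session IDs or tickets)")
    strengths = []
    for s in suites:
        kx, bulk, mac, bits = parse_suite(s)
        broken = bulk == "RC4_128" or mac == "MD5" or bits < 112   # 112-bit floor is an assumption
        if broken:
            findings.append(f"{s}: {bulk} with {mac}, {bits}-bit key, remove it")
        strengths.append(0 if broken else bits)   # rank used for the preference-order check
    if strengths != sorted(strengths, reverse=True):
        findings.append("preference order lists weaker suites before stronger ones")
    if not any(parse_suite(s)[0].startswith(("DHE", "ECDHE")) for s in suites):
        findings.append("no forward-secret (DHE/ECDHE) suite offered")
    return findings

# Constructed profile modelled on the posts' descriptions (not a real scan result).
WEAK = dict(protocols=["SSLv3", "TLSv1.0"], fallback_scsv=False, session_resumption=False,
            suites=["TLS_RSA_WITH_RC4_128_MD5", "TLS_DHE_RSA_WITH_DES_CBC_SHA",
                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"])
# Constructed hardened profile for comparison: TLS 1.2 only, AEAD suites, strongest first.
HARDENED = dict(protocols=["TLSv1.2"], fallback_scsv=True, session_resumption=True,
                suites=["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])
```

Calling `audit(**WEAK)` lists every weakness the posts describe, while `audit(**HARDENED)` returns an empty list.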
Only a few weeks ago, in December I emailed them because I wasn't happy that I could only use an account password of numbers and letters. Not characters
Their reply? "Our password system is not something that is currently under review, however I'll pass your feedback on to the relevant department."
Not really surprised by El Reg's posting today.
So who or what is getting them stuck? Internal IT/CIO personnel problems? The old farts can be handed a retirement package in short order. Users? Put a message on the home page to the effect that IE6 will no longer be supported. And we mean it this time.
Or are they getting push back from various state security services? Who haven't figured out how to crack the good stuff yet.
Scanning www.nab.com.au gives a couple of F grades for nab.com.au and a B for www.nab.com.au (which is hosted on Akamai).
Attempting to scan the internet banking login portal ib.nab.com.au gives the message "The owner of this site requested that we do not test it".