International security firm Xiphos Research has revealed that half of the UK’s retail banks have insecure SSL configurations on their secure login pages, weaknesses that could make it easier for cyber criminals to cause damage.
Xiphos Research assessed the SSL instances behind the secure login functions of a number of UK-based banks by submitting the associated login URLs anonymously to the SSL Labs service provided by Qualys.
The research, conducted in November 2015, revealed that 11 out of the 22 UK retail banks tested had insecure SSL instances, as did 18 out of 25 foreign banks in the UK. It also tested 37 UK building societies, with just over half found to have insecure SSL instances.
Out of a total of 84 SSL instances tested in the research, 12 of them were given an F rating – the worst possible score by SSL Labs.
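As an added example (not from the article or from Xiphos Research), the following Python script automates the kind of check described above: it queries the Qualys SSL Labs API for a login hostname and flags any server endpoint graded below an acceptable threshold, treating the F, T and M grades as failing. The grade threshold, the hostname and the sample response are assumptions or constructed values, not data from the research.

```python
import json
import urllib.parse
import urllib.request

# Public Qualys SSL Labs API v3 "analyze" endpoint (the service the research used).
SSLLABS_ANALYZE = "https://api.ssllabs.com/api/v3/analyze"

# SSL Labs letter grades from best to worst; "T" (certificate not trusted) and
# "M" (certificate name mismatch) are ranked below F here.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]


def grade_rank(grade):
    """Position in GRADE_ORDER; higher means worse. Unknown grades rank worst."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def classify_result(result, weakest_acceptable="B"):
    """Summarise one analyze() response: the worst grade among the host's
    endpoints and which endpoints fall below the acceptable grade (assumed B).
    Endpoints not yet graded (assessment still running) are skipped."""
    graded = [(e.get("ipAddress", "?"), e["grade"])
              for e in result.get("endpoints") or [] if e.get("grade")]
    worst = max((g for _, g in graded), key=grade_rank, default=None)
    failing = [ip for ip, g in graded
               if grade_rank(g) > grade_rank(weakest_acceptable)]
    return {
        "host": result.get("host"),
        "complete": result.get("status") == "READY",
        "worst_grade": worst,
        "failing_endpoints": failing,
        "insecure": bool(failing),
    }


def fetch_result(host, from_cache=True):
    """Fetch an assessment for one hostname (network call). Re-poll while
    'complete' is False; fromCache=on avoids triggering a fresh scan."""
    query = urllib.parse.urlencode({"host": host, "fromCache": "on" if from_cache else "off"})
    with urllib.request.urlopen(f"{SSLLABS_ANALYZE}?{query}", timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like a finished API response (not real data):
# one endpoint graded A-, a second one graded F.
SAMPLE_RESULT = {
    "host": "login.example-bank.invalid", "status": "READY",
    "endpoints": [{"ipAddress": "192.0.2.10", "grade": "A-"},
                  {"ipAddress": "192.0.2.11", "grade": "F"}],
}
```

Running `classify_result(fetch_result("login.example-bank.invalid"))` against a live host needs network access and may require repeated polling until `complete` is True.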
Mike Kemp, co-founder of Xiphos Research, wrote in a blog post: “That’s shockingly bad when you consider that what we were concerned with was not the generic customer-facing internet sites associated with financial institutions, but the URL instances associated with their login functions. So what do we mean when we say insecure?”
“As things stand, more than 50% of banks and building societies in the UK have weak SSL implementations associated with their secure login functions – and the affected parties don’t seem to care,” said Kemp in the blog post.
“We have attempted to reach out to the FCA [Financial Conduct Authority] and, as of the date of this article, have yet to be contacted by anyone other than first line customer services staff. We have attempted to contact a number of the affected banks and building societies and have not been able to surmount customer services.”
Kemp said Xiphos has passed details of its findings and the organisations they affect to the National Crime Agency (NCA) in the UK. “As a result, we will not be publishing who is impacted yet. This research was conducted in November 2015, and it is now January 2016. We have attempted to reach out numerous times to numerous organisations.”
One financial services security expert told Computer Weekly that this is a known problem. “I was working in security at a bank when the Heartbleed vulnerability hit – when I heard it was SSL-related, I checked all of my own banks. I found that some had out-of-date SSL technology in place.”
However, the security expert said the fact that banks have not changed this suggests it is not a high-priority problem for them.