Online Bank Security - BROKEN !?!?!

6_6_6
Posts: 65 Forumite
Banks are not taking your security seriously!

How do you fancy a hacker copying all your banking details and statements and publishing them online, your friends and enemies alike sifting through your details, from how much you earn to corporate secrets. Perhaps you're up to no good, perhaps the husband or the wife will make that decision for you! Maybe they don't publish them, just hold you to ransom instead - Ashley Madison style!

Vulnerabilities in HTTPS are arriving all the time.
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

Below you will find a list of banks that offer poor internet security and leave you and your money vulnerable to attack. Banks are not supporting the latest secure methods of communication between your browser and the website due to negligence.

Write to your bank and complain about the poor state of the online security they are offering you.
Draw their attention to this thread, and ask what they are going to do to ensure no red or yellow warnings appear.
If you're an insurance company that insures these banks, you should make it part of your policy that they remain up to date with respect to HTTPS security and stipulate perfect forward secrecy as one of your mandates, along with removal of any compromising backward compatibility for operating systems which are no longer supported, such as Microsoft Windows XP.

The state of HTTPS Security
Updated Jan 2016

██ Atrocious - suffers critical vulnerabilities, move bank accounts now.
██ Terrible - suffers serious vulnerabilities, write to the bank and complain.
██ Bad - suffers some vulnerabilities, needs to improve.
██ Good - suffers no major vulnerabilities.
(A+) Excellent - scored highest rating on SSL Labs.
improved ⇑ / deteriorated ⇓ / no change ⇒

⇑ First Direct - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.firstdirect.com
https://www.ssllabs.com/ssltest/analyze.html?d=firstdirect.com

⇑ HSBC - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.hsbc.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=hsbc.co.uk

⇒ Clydesdale Bank - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=bbank1.cbonline.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=bbank1.cbonline.co.uk
https://sslanalyzer.comodoca.com/?url=reporting.cbonline.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=reporting.cbonline.co.uk

⇒ American Express - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=global.americanexpress.com
https://www.ssllabs.com/ssltest/analyze.html?d=global.americanexpress.com

⇑ PayPal - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.paypal.com
https://www.ssllabs.com/ssltest/analyze.html?d=paypal.com

⇒ Nationwide - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=onlinebanking.nationwide.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk

⇓ Santander - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=retail.santander.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=retail.santander.co.uk

⇑ TSB - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=online.tsb.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=online.tsb.co.uk

⇑ NatWest - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.nwolb.com
https://www.ssllabs.com/ssltest/analyze.html?d=nwolb.com

⇑ RBS - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.rbsdigital.com
https://www.ssllabs.com/ssltest/analyze.html?d=rbsdigital.com

⇑ Co-operative Bank - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=personal.co-operativebank.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=personal.co-operativebank.co.uk

⇑ Halifax - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.halifax-online.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=halifax-online.co.uk

⇒ Yorkshire Bank - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=home1.ybonline.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=home1.ybonline.co.uk

⇒ Barclays - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=bank.barclays.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=bank.barclays.co.uk

⇒ Tesco - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=www.tescobank.com
https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com

⇑ Lloyds - ██ Aug 2015
https://sslanalyzer.comodoca.com/?url=online.lloydsbank.co.uk
https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk
There are various issues that have been found with all older versions of electronic communication between your internet browser and a website, which will make the communication insecure in different ways.
The criminal exploitation industry is a global multi-billion dollar business. It only takes one small hacker group to break a weak system, such as the recent Sony hacks, Heartbleed bug, POODLE vulnerability etc., all recent news headlines you may have heard about.
It's the equivalent of having an old style key lock on your front door - it's vulnerable to bumping and various other techniques to get through it. Sure, it's secure against someone just trying the handle, but a determined person can get past it.
I could not get hold of anyone at the banks who would listen, so I am warning you all. This post aims to put the issue on the radar.
However, there is very little that we, at our end, can do to protect ourselves from these issues, as they have to be fixed by the banks; this is an issue which needs to be fixed in the banks' computers.
We can, however, request the change to be made and take some small steps to better protect our browsing experience.

Useful tools to protect you
( Firefox web browser only )
This Firefox add-on tells you whether a website's security is good or bad.
https://addons.mozilla.org/en-US/firefox/addon/ssleuth/

The finer Details
( For Nerds )

Basically many banking websites are vulnerable to MitM (man in the middle) attacks and general eavesdropping, more so than others, because they are limiting you to connecting via arguably unnecessarily weak encryption protocols. It's good to know who's secure and who presents the greater risk.
If you want clearer proof, look no further than this report: https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/ssl_attacks_survey.pdf . Moves were afoot, years ago, to deprecate the kinds of encryption banks still insist on using!

HOW to hack the Bank
Part 1 -
Part 2 -

(Even though this video has been superseded by even more ingenious attacks on HTTPS connections, it's a good watch to get a grasp on what's at stake.)

Hacker starts hedge fund targeting vulnerable companies
http://www.cnbc.com/id/101620847
How the Government and criminals alike can watch everything you do.

So much evidence of broken security, what are you waiting for?
http://yro.slashdot.org/story/14/12/28/2054228/snowden-documents-show-how-well-nsa-codebreakers-can-pry
https://www.schneier.com/blog/archives/2014/12/new_documents_o.html

Comments
It's a tough balancing act. With my company website, we decided to remove SSL3 support and RC4 support and spent weeks teaching people how to upgrade browsers and that they really need to upgrade from XP or use another browser instead of IE.
Luckily, we've got away with it more or less, but I can understand why banks, with less advanced users, may be reluctant, so I suppose for them it's a risks/benefits analysis.

Any reasonably modern browser post IE v6 should support non-RC4, non-SSLv3 ciphers. That argument is a myth. In the main it's down to people not knowing what they are doing when it comes to setting up HTTPS on web servers. It's the fault of the banks' IT administrators if they have left the banks vulnerable to attack.
Should, in the rarest of circumstances, a user's browser be so old as to not support newer encryption suites, a suitable page directing the user to update their browser is possibly the easiest thing to implement. It's unforgivable.

I'm with you here, but as someone who has been through this, your assertion that my argument is a myth doesn't stack up with my experience over the last few weeks. Possibly because our user base is quite ignorant of software updates, and/or computers in general. We had people using IE6 and Netscape Navigator!
I ran my home server against the Qualys SSL checker, and it says that it wouldn't be compatible with IE6 or IE8 on XP with the following ciphers:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 128
Not that I'm bothered, as the oldest I'm using is Win7.

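As an added example (not code from any poster in this thread), here is a small Python check that reads cipher-suite lines in the SSL Labs layout quoted above and flags the points the thread keeps returning to: RC4, suites with no forward secrecy, 1024-bit DH parameters, and CBC rather than AEAD. The sample input is constructed: three lines are copied from the listing above, and two static-RSA lines are made up to exercise the negative cases.

```python
from dataclasses import dataclass, field

# Constructed sample in the layout SSL Labs used when this thread was written.
# The first three lines are copied from the listing above; the last two are
# made up here to exercise the RC4 and no-forward-secrecy cases.
SAMPLE = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys: 128) FS 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
"""


@dataclass
class Suite:
    name: str
    code: str
    kx: str              # "ECDH", "DH", or "RSA" (static RSA key transport)
    kx_bits: int         # 0 when the exchange is static RSA
    forward_secrecy: bool
    strength: int        # symmetric key length in bits
    issues: list = field(default_factory=list)


def parse_suite(line: str) -> Suite:
    """Parse one SSL Labs-style cipher line; raise ValueError on anything else."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[0].startswith("TLS_"):
        raise ValueError(f"not a cipher-suite line: {line!r}")
    name, code = tokens[0], tokens[1].strip("()")
    kx, kx_bits = "RSA", 0
    for marker in ("ECDH", "DH"):          # ephemeral key exchange, if any
        if marker in tokens:
            kx, kx_bits = marker, int(tokens[tokens.index(marker) + 1])
            break
    return Suite(name, code, kx, kx_bits, "FS" in tokens, int(tokens[-1]))


def assess(suite: Suite, min_dh_bits: int = 2048) -> Suite:
    """Attach the findings this thread argues about to a parsed suite."""
    if "RC4" in suite.name:
        suite.issues.append("RC4 stream cipher (deprecated, biased keystream)")
    if not suite.forward_secrecy:
        suite.issues.append("no forward secrecy: a leaked server key decrypts past sessions")
    if suite.kx == "DH" and suite.kx_bits < min_dh_bits:
        suite.issues.append(f"{suite.kx_bits}-bit DH parameters (below {min_dh_bits})")
    if "_CBC_" in suite.name:
        suite.issues.append("CBC mode: prefer an AEAD suite (GCM)")
    return suite


def audit(text: str) -> dict:
    """Return {suite name: [issues]} for every cipher line in `text`."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            suite = assess(parse_suite(line))
            report[suite.name] = suite.issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "->", "; ".join(issues) or "ok")
```

Paste the cipher block from an SSL Labs report into SAMPLE (or read it from a file) to get the same per-suite findings for your own server.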
It's a messy game, but one that is now perhaps beside the point because Windows XP reached its end of life on 8 April 2014; no more support should be given. Banks would be better off enforcing updated browsers. Since those users are now even more of a walking botnet and malware infestation, we needn't continue to support them to the detriment of the rest of the Internet!
Such scenarios should be treated as edge cases in need of strict control measures, i.e. keep them OUT!
In no way should this minority be allowed to lower the security bar for the many.
On the whole, it would be more impressive for a bank to openly and actively discourage use of outdated and insecure browsers than quietly and surreptitiously leave us open to attack. If someone left their door open on their house, it's like saying, narrr, it's too much hassle to tell the old lady to lock it.
It is the banks' responsibility to protect their customers, yet they tout the running joke that is the computer-crippling Trusteer Rapport software. I have read that banks in the past have had small print that even goes as far as saying if you don't use it you're no longer covered in the event of a security breach. Trusteer Rapport has been torn to shreds by a number of industry experts who demonstrate time and again glaring weaknesses where you would be far better served by a good HTTPS implementation and an add-on such as NoScript.
It's funny because the banks could implement good HTTPS but chose to push Trusteer Rapport on their customers instead.
It comes to something when a Google search enjoys an order of magnitude better HTTPS security than my own banking connection.
I should add, when I informed Santander, they subsequently upgraded all of their HTTPS connections from what was once TLS 1.0 RC4 or worse to TLS 1.2 PFS ECDHE. Good call guys!

It is the banks' responsibility to protect their customers, yet they tout the running joke that is the computer-crippling Trusteer Rapport software. Some banks' small print even goes as far as saying if you don't use it you're no longer covered in the event of a security breach.

It's very legalese, a side effect of legislature: your denial to use the protection measures offered to you being deemed to have breached your end of the bargain, so to speak. I'll try to source the banks in question, but my initial alarm over this was tripped here:
http://www.youtube.com/watch?v=EimZQgt7WPg
So in essence, it is important to find out if your bank, by virtue of offering Trusteer Rapport and/or other security software, is waiving responsibility for any losses incurred while using the online banking service without using it.
Also be aware that installing Trusteer means you're signing up to some stranger having open access to your hard drive. YES you read that correctly, their EULA states...
2. In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction. IBM does not use the Program to target collection of Your personal information. Nevertheless, the information collected could contain personally identifiable information that has been obtained by the malware without Your permission or is relevant to identifying malicious activity or addressing general Program malfunction. IBM will delete any collected information, including personal information of which we become aware, that is not relevant for the purposes described above and will retain other information only for the duration of the relevant analysis. To avoid accidentally retaining data longer than necessary, IBM reviews all retained files for relevance once every three months.
Note the use of the words "any files or other information from your computer". That means that by accepting this EULA you're giving IBM, and their subcontractors worldwide, permission to access anything on your computer that they think they might like to see.
The question of whether your HTTPS connection is compromised pales into insignificance if you're going to leave the back door open. You install anti-virus to keep this kind of crap off your machines lol. The irony is strong here.

We are not afraid.

We dropped SSL 3 support at the end of last year (public sector org), following the POODLE vulnerability (although we were mitigated against it according to the SSL tests).
TLS has been out for ages.
http://en.m.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

Indeed TLS has been out for ages, even less excuse for vendors not to enable TLS v1.2 or at the very least v1.1. Not v1.0.

Would somebody be kind enough to translate the above into English please?