Online Bank Security - BROKEN !?!?!

[Deleted User]

ceredigion wrote: »

Would somebody be kind enough to translate the above in to English please

Sure. Imagine this. Your online banking (and all your money) is in the middle of a field. You've got a big spiky electric fence around it to keep it safe, and you also have one security guard.

There's a big gate at the front, for you to get in and out. Over the other side of the field, there's also a small rabbit hole that someone could squeeze through if they knew it was there, had the right tools, and could be bothered.

But you've only got ONE security guard.

This conversation is all about where to put the security guard, and how while it's impossible to cover ALL bases, online security is all about covering the ones that are most likely to be compromised if not protected.

ceredigion

billbennett wrote: »

Sure. Imagine this. Your online banking (and all your money) is in the middle of a field. You've got a big spiky electric fence around it to keep it safe, and you also have one security guard.

There's a big gate at the front, for you to get in and out. Over the other side of the field, there's also a small rabbit hole that someone could squeeze through if they knew it was there, had the right tools, and could be bothered.

But you've only got ONE security guard.

This conversation is all about where to put the security guard, and how while it's impossible to cover ALL bases, online security is all about covering the ones that are most likely to be compromised if not protected.

Thanks for that, you put the security guard on the gate. then an insurance policy in place. Ahhh hang on

6_6_6

The devil is in the detail, in a nutshell, the side effect of crap bank security, is you have your money stolen, perhaps transferred around or plastered on Facebook etc.

So the bank you chose determines how vulnerable you are to having your accounts screwed with.

Archi_Bald

Why do you keep telling us? Go tell the banks.

6_6_6

I have, and only one out of 7 listened. I named the one that listened, Santander. Even though the response does not indicate what they did, I can confirm that the website was subsequently changed and is no longer negotiating with TLS 1.0. It is now TLS 1.2 with ECDHE enabled ciphers inclusive of perfect forward secrecy. Result!



Guess what First direct said, (via multiple contact avenues)



"Err sorry sir, do you have an account with us?"
"I'm trying to explain you have a security weakness in your website implementation, could you put me though to the right department? thank you."
"Sorry sir, if you don't bank with us, we will have to end the phone call"

Funny thing is, I do bank with them and one of those avenues was private online messaging, even then It has taken months to get though to someone. The response to my reasonably detailed breakdown of the issue is poor. So much for the #1 bank. The letter entirely misses the target of the attack and fails to acknowledge the tokenizing element is worthless once MitM has been established due to the one time implementation being at the start of the session, there after your fully authenticated for all activities.

Within the letter I received it says "We're confident that whilst it may be possible for someone to hack into our top tier" . See, all it takes is few changes within the server config files to distance you form this issue, the greater concern was that they seem to be under a false impression about there own implementation.

However, its not just my problem, its our problem and the more who realise this and 'join in' making a noise, customers might just get a result.

Archi_Bald

You obviously don't have a convincing case, otherwise they would all bite your arm off.

BTW, notice my teflon shoulders. I won't be joining anything.

pete-20-11

Tesco Bank score an F ... That needs some improvement!!!

https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com&hideResults=on

This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F.
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
This site is intolerant to newer protocol versions, which might cause connection failures.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
There is no support for secure renegotiation.
The server does not support Forward Secrecy with the reference browsers.


Halifax and TSB needs some work (both scoring a C on the same site). Nationwide score a B, not too bad.

6_6_6

Archi_Bald wrote: »

You obviously don't have a convincing case, otherwise they would all bite your arm off.

BTW, notice my teflon shoulders. I won't be joining anything.

How is poor website security not a convincing case ? Are you conceding that all companies operate within the best interests of their customers, always listening, always understanding ?

Armorica

Isn't First Direct basically the same as the HSBC onling banking? Which means that for any transactions, you need third-factor authentication as well, not just logging in.

fiesta04

Completely lost on all this, hope my £72/11/6d will be safe!!


F4