Headers check
The security check website https://securityheaders.io/ gives an F for fail on the Tesco Bank login site https://www.tescobank.com/sss/auth#.
I suppose this is because the site is not active atm?
Tesco Bank has restricted the operations of current accounts after funds were looted from a reported 20,000 accounts. The UK bank has confirmed a fraudulent attack, which is under investigation. In the meantime it has suspended online transactions from current accounts, including contactless transactions. Customers can still …
Missing Headers
Strict-Transport-Security HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubdomains".
Content-Security-Policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
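As an added example (not from the thread and not securityheaders.io's own code): a small Python audit that checks a response's headers for the six items listed above, including the recommended values, against constructed sample responses. The letter-grade scheme is an assumption for illustration, not the site's real scoring.

```python
import re

def hsts_ok(value, min_age=31536000):
    """max-age must be present and at least a year, the value recommended above."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= min_age

# Header name -> predicate on its value (None: presence alone is counted)
CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": None,
    "public-key-pins": None,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

def audit(headers):
    """headers: dict of response headers, any case.
    Returns (missing, weak): names absent / present but with a poor value."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing, weak = [], []
    for name, check in CHECKS.items():
        if name not in lower:
            missing.append(name)
        elif check is not None and not check(lower[name]):
            weak.append(name)
    return missing, weak

def grade(headers):
    """Assumed scheme: each missing header costs a letter, each weak one half."""
    missing, weak = audit(headers)
    deficit = len(missing) + 0.5 * len(weak)
    return "ABCDEF"[min(5, int(deficit + 0.5))]

# Constructed sample responses; not captured from any real bank site
BARE = {"Content-Type": "text/html", "Server": "example"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
    "Content-Security-Policy": "default-src 'self'",
    "Public-Key-Pins": 'pin-sha256="PIN1="; pin-sha256="PIN2="; max-age=5184000',
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE), ("hardened", HARDENED)):
        print(label, grade(hdrs), audit(hdrs))
```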
A downvote for some reason. I see HSBC gets an F too.
When I last looked they all did a pretty poor job of using the tools/techniques available. Granted I was looking at their apps, but the situation looked more or less the same for their online banking login pages.
Ironically enough, Tesco Bank's holier-than-thou stance on security in one area was what prompted me to have a quick gander.
Interesting tests, Ben. My immediate response was that the Barclay's app gets a bonus star for not working at all... no? I realise this makes it harder to test the other controls but I would never usually trust an app on a rooted device as I would assume sandbox/walled garden integrity is compromised anyway.
> My immediate response was that the Barclay's app gets a bonus star for not working at all... no?
I did think about that, but decided against. It's more than possible the failure to run was something I did (or didn't) think of, so I probably shouldn't give them an additional point (which might be misleading) just in case the app is actually Swiss cheese in reality. Given the much wider range of permissions their app asks for, I figured it was better to err on the side of caution.
The trouble with all this SSL mumbo-jumbo is that it just makes things more likely to break. Following Globalsign's accidental revocation problems I still can't get to many sites, for example Wikipedia: certificate pinning won't let me click "yes I understand this certificate is technically invalid but I will take the risk".
> Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
You better make damn' sure you get this right, first time, and have good, bullet-proof processes for updating your cert chain if you do this.
Unless you fancy locking out The Internet from accessing your site.
> I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away...
Agreed. It's much more likely that someone gained access to their internal systems (whether that's an internal job or otherwise)
>Or that any missing headers in a web server response ever resulted in something similar.
On this scale? Probably not.
It's certainly feasible on a smaller scale though. Cert authorities have been compromised in the past, and likely will be again. The authentication method LetsEncrypt uses when requesting a cert is known to be vulnerable to DNS poisoning, so there's a potential avenue to obtaining a trusted-but-fraudulent certificate there too.
What's the defence against an incorrectly issued, publicly trusted certificate?
Certificate pinning. Which none of the buggers is using. As mentioned earlier in the thread, configuring it isn't without its risks, but it's just a case of needing careful management.
Incidentally, that LetsEncrypt issue I mentioned, can be mitigated by DNSSEC, which, again, none of the buggers is using.
Given that banks are "trusted" to hold our money, you'd think the bar would be somewhat higher for what they consider the bare minimum.
Personally, I think it'd be better if browsers got their act together and implemented support for DANE, but that's a whole other topic (and would require the banks to set up DNSSEC in any case).
Cert pinning isn't even possible with all setups. Like if you have a (gasp!) proper setup with the certs not existing outside HSMs, possibly acting as SSL accelerators in front of the actual web servers. If you have more than one of those and are actually trying to keep your SSL certs from growing legs and walking away by keeping them in the HSMs which generated them, then you might very well end up with the same web server being presented with different, but equally valid, SSL certs.
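An added example (not code from anyone in the thread) for the lock-out risk raised earlier and the multi-front-end case just described: a Python review of a Public-Key-Pins header against the SPKI hashes actually served. RFC 7469 requires a backup pin that is not in the served chain, which is what makes key rotation possible; the chain set can hold the hashes from every HSM-backed front end. The hash values and the max-age ceiling are constructed placeholders.

```python
import re

def parse_hpkp(header):
    """Return (set of pin-sha256 values, max-age in seconds or None, includeSubDomains flag)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header, re.I))
    m = re.search(r"max-age=(\d+)", header, re.I)
    max_age = int(m.group(1)) if m else None
    return pins, max_age, bool(re.search(r"includeSubDomains", header, re.I))

def review_hpkp(header, chain_spki_hashes, max_sane_age=5184000):
    """chain_spki_hashes: base64 SHA-256 of every SPKI any front end may serve.
    Returns a list of findings; an empty list means the policy is deployable."""
    pins, max_age, _ = parse_hpkp(header)
    chain = set(chain_spki_hashes)
    findings = []
    if len(pins) < 2:
        findings.append("fewer than two pins (RFC 7469 requires a backup pin)")
    if not pins & chain:
        findings.append("no pin matches the served chain: browsers will reject the site")
    if pins and pins <= chain:
        findings.append("no backup pin outside the served chain: cannot rotate keys safely")
    if max_age is None:
        findings.append("max-age missing")
    elif max_age > max_sane_age:
        findings.append("max-age above %d s: a mistake stays cached too long" % max_sane_age)
    return findings

# Constructed base64 SPKI hashes, not derived from any real certificate
LEAF_A = "frontendAkeyHash000000000000000000000000000="
LEAF_B = "frontendBkeyHash000000000000000000000000000="
ROOT = "rootKeyHash00000000000000000000000000000000="
BACKUP = "offlineBackupKeyHash00000000000000000000000="
CHAIN = [LEAF_A, LEAF_B, ROOT]   # both front ends' certs plus the shared root

GOOD = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (ROOT, BACKUP)
LOCKOUT = 'pin-sha256="%s"; pin-sha256="%s"; max-age=31536000' % (LEAF_A, ROOT)

if __name__ == "__main__":
    print("good:", review_hpkp(GOOD, CHAIN))
    print("lockout:", review_hpkp(LOCKOUT, CHAIN))
```

Pinning the shared root instead of each front end's leaf key is what keeps the multi-HSM deployment matching one policy.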
Is this different in nature from what has gone before? This is a mass random ability to extract cash from a huge number of accounts. This is not some jerk clicking on a dodgy email. Is it a zero day on the 2 factor authentication system? Are all the affected accounts accessed by mobile?
The frustrating thing is that we will never be told the detail. Whistleblowers blow, stop sucking.
A lot of the accounts are people who put £3000 in to get the 3% interest and don't use it as their main account. They say that they've never used the debit card, and I would imagine they don't use the mobile app for something they are using as a long-term savings account.
Virgin money has been having trouble this morning and Newcastle Building Society are still offline as far as I can tell, intermittently saying the site is undergoing maintenance but mostly just spinning the cursor. It could, of course, simply be that everyone is logging in to check their money is still there...
If it's an inside job, then the Tesco Bank software was developed (and supported?) here: http://www.tescobengaluru.com/