back to article Bacs corporate website still runs obsolete crypto

UK banking organisation Bacs is running a cryptographically obsolete website despite telling everyone else to upgrade before a June deadline. Earlier this week Bacs reminded UK businesses to update their systems and adopt SHA-2 before mid-June in order to avoid losing access to vital payment and money transfer services. …

  1. Anonymous Coward
    Anonymous Coward

    Government is good at this too

    The not-so-aptly named gets an "F" too.

  2. Anonymous Coward
    Anonymous Coward and still not great

    Looks like these 2 are on Server 2012 R2 that has not been rebooted since early January so missing out on 2 patch Tuesdays from Microsoft.

    They've also implemented a vulnerable cipher or 5 using a weak implementation of Diffie-Hellman...looking like some out of the box work...hope the banking system isn't based on out of the box configuration of Windows Servers...

    Goodness only knows if/how the front end load balancer/firewall has been configured after it was taken out of the cardboard box and polystyrene.

  3. Captain Badmouth

    Bacs to the wall.

    " Don't do as I do, do as I say."

  4. Lee D Silver badge

    I'll say it again:

    Nothing quite beats the Teacher's Pensions Online website:

    It basically ranks F-, and fails in every possible way. And you're supposed to use that to generate client-side certificates that make / take payments from people's pensions.

    But, hell, last time I caused a fuss, they just emailled me a .pfx with the private key anyway.

    1. Captain Badmouth


      I have relatives who are in the teaching profession, I shall acquaint them with your findings.

      Have an upvote and a pint.

      Just had my bargain fri. pm. wetherspoons 8oz sirloin and red wine.

    2. robidy

      The tponline certificateis a Crapita PLC EV to be fair it could have been significantly worse.

      A quick check says it's a close competitor for the top 5, they've hidden the web server from SSLLabs check but it still appears to leak uptime and is giving the look of IIS so may not have been patched since Jan 2016. You can't really be sure on this though as it looks like someone did more than take the firewall out of it's box and packing.

      It is however missing any forward secrecy and whilst they have managed to install the correct server certificate, they forgot to follow the guide for installing the intermediate cert that came with it so an epic fail.

  5. Anonymous Coward
    Anonymous Coward

    It's not just them making it bad

    The backend systems that companies have been using for yonks still can't be upgraded if you go via the banks. I chased HSBC up every other week from June 2015 to Jan 2016 and they still wouldn't sell me the software or let me go direct to bottom line saying they were OK for us to carry on using XP machines to submit bacs payments via bacstel IP! Bloody sham or pissup in brewery is more organised than this lot! Just glad I don't ever have to deal with the turd piles again..

    Bottom line wanted to sell the company the software, they wanted to buy it, Hsbc said they needed to buy thru them. Try to find someone in Hsbc to sell or give it to you... More chance of winning the euro and national lotto in the same week...

    1. Jason 24

      Re: It's not just them making it bad

      Different experience to me, though we have Barclays, Bottom Line have been pursuing us relentlessly to upgrade ePay to the newest version. As far as I can it's exactly the same software with the old cipher suites removed and new ones added, yet they want £2k+ to do the upgrade.

      1. Danny 14 Silver badge

        Re: It's not just them making it bad

        Our bacstel via fundtech has been running on w7 for years. The sage plugin is 2k12 too. Seems you are getting a rough deal.

        1. Anonymous Coward
          Anonymous Coward

          Re: It's not just them making it bad

          I hear rumours that the fund tech migrations were somewhat of a customer re-input rather than a migration and their previous systems had some quite serious mis-givings, that make me wonder how they managed to get BACS approved in the first place...oh hang on were taking about BACS approval, stupid me!

  6. Captain Badmouth


    get an F too.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nationwide

      I hear Nationwide are offering £50,000 for a full time consultant to look after certificates and keys and possibly some staff too (I assume this is digital security keys and not a consultant that is managing door keys and first aid qualifications...though someone in this role would likely be aware of their own level of incompetence so be less dangerous over all).

  7. MtK


    Unfortunately the website that users log in to for downloading reports also gets an F:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019