El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

High street banks should be exemplars of good security but many are letting the side down when it comes to following cryptographic best practice. Tests by security researcher Scott Helme and The Register showed a marked divergence in performance. We assessed the security of online login sites run by six UK high street banks …

  1. Steve 53

    Not the best of articles.

    Firstly, HSTS is not "a cryptographic technology", it's HTTP Header signalling used to tell the browser to only connect via HTTPS next time.

    Barclays domain doesn't support Forward Secrecy, which they "absolutely should". "There is no reason not to"

    Well, given CPU decrypt I would agree, but most banks will offload these to crypto cards (Generally on an ADC, perhaps with a FIPS card / NetHSM which makes PFS much less of a requirement in that the key is very well protected), and a good number of those don't support PFS ciphers. Not to mention depending on architecture lack of PFS may be very helpful for IDS type devices.

    "The most crucial thing the bank has missing is a HSTS policy which, for a secure website using HTTPS, is an absolute requirement."

    Well, it's clearly not an absolute requirement, as the site works without it. Good practice, sure.

    Not saying that the banks shouldn't up their game, but there may be perfectly good reasons not to support PFS

  2. scrubber Silver badge

    Re: Not the best of articles.

    If you block port 80 does this matter?

  3. Alex Brett

    Re: Not the best of articles.

    Yes - while /you/ as the site admin might not be running a site on port 80, the person who attacks the end user can, and their browser will happily connect to it, whereas with HSTS the browser will always go to the HTTPS site and thus as well as MITMing the connection, you have to somehow get the browser to trust the certificate you present as well...

  4. Amos1

    Re: Not the best of articles.

    Blocking port 80 does not matter to auditors. Try as you might, those "educated fellows" will still follow their checklists and ding you for it. Same as not having the "secure" flag set on cookies on HTTPS-only sites.

  5. Aladdin Sane Silver badge

    Banks websites aren't as secure as they could be

    Water is wet, bears shit in woods.

  6. Solarflare

    Re: Banks websites aren't as secure as they could be

    Alongside the pope?

  7. Pen-y-gors Silver badge
    Headmaster

    Re: Banks websites aren't as secure as they could be

    I dunno, is water actually wet? While in liquid state, possibly, but what does 'wet' actually mean? Is water itself wet, or is the thing that comes into contact with liquid water, and retains some of it, the thing that is wet? Can liquid water technically even be wet? And is solid or gaseous water technically wet? Stick a finger in superheated steam and will it come out wet?

    Best stick to the old Pope/Catholic question in future

  8. Ledswinger Silver badge

    Re: Banks websites aren't as secure as they could be

    Alongside the pope?

    Why would the Pope need to empty his bowels in the woods, when he's got a balcony? Admittedly that might be unfortunate for those in St Peter's Square, but at least the bears would be left in peace to do what they do best.

  9. Ledswinger Silver badge

    Re: Banks websites aren't as secure as they could be

    at least the bears would be left in peace to do what they do best

    On further reflection, there's better opportunities for jokes if the Pope will continue to void his fundament in an arboreal environment. Take the old "Bear & Rabbit" joke, that could be updated: A bear and the Pope are releasing their night soil in the woods one day, side by side. There is much companionable grunting, straining and farting, before relief is forthcoming. Then the bear turns to the Pope and says "Hey, Pontiff, does s*** stick to your cassock?".......

  10. Pen-y-gors Silver badge

    It's not a problem, it's an opportunity

    Perhaps El Reg should start running security audits professionally and charge megabucks for a job that actually only takes half an hour (like all true international consultancies) - then no need to rely on advertising income!

  11. John H Woods Silver badge

    Re: It's not a problem, it's an opportunity

    You could even outsource some tasks to the commentards

  12. chivo243 Silver badge
    Joke

    Re: It's not a problem, it's an opportunity

    @John H Woods

    you mean like experts exchange? Where you pay the professional by the minute? Sign me up!

  13. Swarthy Silver badge
    Pint

    Re: It's not a problem, it's an opportunity

    Do you mean ExpertSexchange?

  14. Doctor Syntax Silver badge

    Re: It's not a problem, it's an opportunity

    "Do you mean ExpertSexchange?"

    Don't sign me up.

  15. Anonymous Coward

    Re: It's not a problem, it's an opportunity

    Don't sign me up.

    Why, are you afraid of new experiences?

  16. scrubber Silver badge

    Re: It's not a problem, it's an opportunity

    Is that like my failed IT swap site computersexchange.com which got a surprising amount of traffic from Asia?

  17. Forget It
    WTF?

    Dunce Cap tip

    Isn't it security-101 to not store passwords on the server - but their hashes instead?

    How come then does the NatWest server know individual letters of my password when it prompts me for a random selection of them at each login?

  18. Doctor Syntax Silver badge

    Re: Dunce Cap tip

    "How come then does the NatWest server know individual letters of my password when it prompts me for a random selection of them at each login?"

    Possibly it created hashes for each of the combinations it might ask you and stored those.

  19. Anonymous Coward

    Re: Dunce Cap tip

    Yes and no. It's security 101 to not store passwords in plain text on a server. Using salted hashes is just one technique to do so. You can be pretty confident they're not storing them in plain text. PCI DSS is clear (hah) on the issue: "Render all passwords unreadable during transmission and storage on all system components using strong cryptography"

    However you can also be pretty confident they're not hashing them - these systems are old and would have balked at the space constraints implied by hashing + salting all the partial password combinations. They could but probably don't use a secret sharing scheme to test if the subcomponents of the password provided match the password.

    What they're probably doing is just encrypting the password. Which protects against most but not all of the same things as hashing. They're hopefully doing it in an HSM, which provides pretty robust physical protections against the password ever being retrieved.

    So, you know, don't re-use your banking passwords.

  20. Anonymous Coward

    Re: Dunce Cap tip

    I have the same concerns. Banks are the only entity that asks me for the xth digit of my password/passcode, and every time I'm asked, I think, "So, you're clearly not hashing these."

  21. Alan Sharkey

    Re: Dunce Cap tip

    Both Lloyds and Nationwide ask me for a password and then selected letters/numbers from my "passcode". So, assuming the password is hashed and salted, then the other one is just additional security

    Alan

  22. SuccessCase

    Re: Dunce Cap tip

    First Direct phone me and start asking me my security questions to confirm who I am. My reply is always the same. "I know I can call you back, but my concern is you are showing yourself to be so incompetent as to have considered this an acceptable process in the first place. Do you think it's a good idea to encourage your customers to respond with security information when a random stranger phones them up?"

  23. Anonymous Coward

    Re: Dunce Cap tip

    And I'm sure minimum wage phone drone #87676 gives you a thoroughly reasoned and well thought out reply, making the entire venture entirely worth your time.

  24. heyrick Silver badge

    Re: Dunce Cap tip

    "You can be pretty confident they're not storing them in plain text."

    Oh, I can can I? Remember this is the NatWest we're talking about. Their "old" setup is possibly because nobody is brave enough to touch it, and the outsourced staff don't understand it...

  25. CustardGannet
    Facepalm

    Re: Dunce Cap tip

    I recently applied for a credit card (obviously I don't need any loan, given the whopping pay packet my employers give me (Joke Alert), but how else do you build a good credit rating for a mortgage?) from Barclaycard, who have now sent me the 'credit agreement' doc (the legal bit you sign and post back to them by snail-mail).

    Upon inspection I find this has, printed on the back, all my 'personal details' from the online application form: name, address, phone no (ok so far)... d.o.b. (er...), employer and gross salary (cough!), account number and sort code for my current account (choke!), and - I shit you not - the supposedly-only-known-to-me 'Security Word' that I specified.

    What a bunch of retards.

  26. Pen-y-gors Silver badge

    Re: Dunce Cap tip

    @CustardGannet

    account number and sort code for my current account (choke !)

    So, better rip the bottom half inch off your cheques every time you write one then... and NEVER ask people to pay you by bank transfer.

    The rest, you may have a point!

  27. Solarflare
  28. 0laf Silver badge
    FAIL

    Re: Dunce Cap tip

    One of the banks I've been dealing with even phones you up from a mobile phone number. I've no idea if there is some business system that does this or if it's staff doing BYOD to call customers.

    Either way I'd suggest that it doesn't fill a cynical customer with joy to get a call from a random 07... number stating it's my bank and asking for security information. Then making it a PITA to call you back by hiding your contact numbers and making your contact system a Sisyphean nightmare.

  29. David Nash Silver badge

    Re: Dunce Cap tip

    "And I'm sure minimum wage phone drone #87676 gives you a thoroughly reasoned and well thought out reply, making the entire venture entirely worth your time."

    Actually First Direct customer service staff are excellent and always give a good service. Dates back from when they were telephone only I guess.

    No connection except as a longstanding satisfied customer. Which is annoying because we are always being exhorted by consumer groups to change our bank accounts, and other banks are pushing inducements to do so...but FD always win the awards and top the charts for good service.

  30. katrinab Silver badge

    Re: Dunce Cap tip

    "Possibly it created hashes for each of the combinations it might ask you and stored those."

    Well yes, but a brute force attack on a three letter password won't take very long, as in, it would probably take longer to display the results on the screen than it did to work it out.

  31. Doctor Syntax Silver badge

    Re: Dunce Cap tip

    HSBC used to do something similar when I had a business account with them. They wanted the amount of a recent transaction for me to prove who I was!

    I always told them I didn't believe they were who they said they were because I'd made it clear to my bank that I wouldn't accept such calls without a secure means of identifying themselves. If they were calling without such identification then they couldn't be my bank and I wouldn't even confirm if they'd guessed right. It was always followed up by a letter from them essentially saying how miffed they were that they hadn't been able to talk to me to sell me something.

    I suppose I could have replied by giving them some random incorrect amount. Their recognition that it was incorrect would serve to identify them but I didn't particularly want to take sales calls from them so why bother?

  32. Doctor Syntax Silver badge

    Re: Dunce Cap tip

    "So, better rip the bottom half inch off your cheques every time you write one then... and NEVER ask people to pay you by bank transfer."

    No, I think he has a point.

    It's one thing to have that information on a cheque, it's another to combine it with a lot of other personal information such as DoB & employers. Someone intercepting the letter without that might be able to fill in the blanks from other sources but why present the whole lot on a plate?

  33. Doctor Syntax Silver badge

    Re: Dunce Cap tip

    " I'd suggest that it doesn't fill a cynical customer with joy to get a call from a random 07... number stating it's my bank and asking for security information."

    The really worrying thing is that they'd only persist with this if the majority of customers responded positively.

  34. Ken Hagan Gold badge

    Re: Dunce Cap tip

    To enlarge on Alan's comment, where a system asks for both a complete password (which can be hashed and salted) and a few characters from a second set (which probably can't) the point of the second line of defence is that you will be asked for a different selection the next time you log in. This hardens the system against keyloggers on the customer's device because for any reasonable length of the second set, it will be quite a while before the same three are asked for.
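    The numbers behind this thread can be checked with a small calculator. What follows is an added example, not code from any commenter and not a description of any bank's real system: it quantifies the points made in #18, #19, #30 and #38 (how many candidates a hash of a three-character partial actually hides, and how much storage hashing every combination would take) and in #34 (how often the same selection of positions recurs, and how quickly a passive observer of the challenges sees every position). The passcode length, alphabet sizes and challenge size are constructed parameters.

```python
"""Hypothetical risk calculator for 'enter characters 3, 7 and 10 of your
passcode' challenges. Constructed example: the parameters below are made up
and nothing here is tied to any particular bank's implementation."""
import random
import string
from math import comb


def candidate_space(alphabet_size: int, k: int) -> int:
    """Values an attacker holding a hash of a k-character partial must try.

    For k = 3 this is at most 256**3 = 2**24 (the '24 bit exhaust' of #38)
    and far less for a digits-only passcode, so salting and hashing the
    partial does not make it hard to recover.
    """
    return alphabet_size ** k


def partial_hash_storage(n: int, k: int, hash_bytes: int = 32) -> int:
    """Bytes per customer to store a hash of every k-subset of n positions
    (#18's suggestion); there are comb(n, k) such subsets."""
    return comb(n, k) * hash_bytes


def expected_logins_until_same_subset(n: int, k: int) -> int:
    """Positions are drawn at random each login, so a given k-subset recurs
    once every comb(n, k) logins on average (#34's point)."""
    return comb(n, k)


def logins_until_full_exposure(n: int, k: int, rng: random.Random) -> int:
    """Simulate random challenges until every one of the n positions has been
    requested at least once; an observer of the keystrokes does not need the
    same subset twice, the leaked positions simply accumulate."""
    seen = set()
    logins = 0
    while len(seen) < n:
        seen.update(rng.sample(range(n), k))
        logins += 1
    return logins


def mean_logins_until_full_exposure(n: int, k: int, trials: int = 2000,
                                    seed: int = 1) -> float:
    """Average of logins_until_full_exposure over seeded trials."""
    rng = random.Random(seed)
    return sum(logins_until_full_exposure(n, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    n, k = 10, 3  # constructed: 10-character passcode, 3 characters per login
    print("candidates per partial (digits):", candidate_space(10, k))
    print("candidates per partial (a-z):",
          candidate_space(len(string.ascii_lowercase), k))
    print("candidates per partial (any byte):", candidate_space(256, k), "= 2^24")
    print("hashes per customer to cover every subset:", comb(n, k),
          "->", partial_hash_storage(n, k), "bytes")
    print("average logins before the same subset recurs:",
          expected_logins_until_same_subset(n, k))
    print("average logins until every position has been requested:",
          round(mean_logins_until_full_exposure(n, k), 1))
```

    Changing `n` and `k` shows the trade-off a designer faces: a longer passcode pushes up both the storage for per-subset hashes and the number of logins before full exposure, while the per-partial candidate space depends only on the alphabet and `k`.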

  35. TRT Silver badge

    Re: Dunce Cap tip

    It annoys me that they ask for characters from my secret thingy, but it's the first, last and second last. The field is limited to 10 characters, so my usual three-word phrase trick often exceeds that.

    Battery Horse Staple.

    What's the final character?

    E

    Not what I have here.

    Oh, hang on, 10 characters, right? R

    Correct.

    Now if they had asked for character 10 in the first place...

    Mind you, making a deliberate mistake and being told it's wrong has some reassurance value... I always enter my PIN wrong the first time at an unfamiliar cashpoint. Just in case you know.

  36. david bates

    Re: Dunce Cap tip

    HSBC played a blinder this week. Sending me a text message with a link telling me they were going to close my business account.

    Obviously I ignored it and then noticed it was legitimate next time I logged into my account - they MAY keep my account open if I update everything by next year, but tbh if they're going to pull idiot shit like that they won't get the chance to be so magnanimous.

  37. Anonymous Coward

    Re: Dunce Cap tip

    Possibly BYOD or business provided mob.

  38. labourer

    Re: Dunce Cap tip

    > However you can also be pretty confident they're not hashing them -
    > these systems are old and would have balked at the space constraints
    > implied by hashing + salting all the partial password combinations.

    Hopefully we can be sure they're not protecting the password by hashing the partial combinations because it's a poor idea. Trivial to recover the partial password given the hash, 24 bit exhaust at most for a three character partial.

  39. sitta_europea

    Re: Dunce Cap tip

    "... Remember this is the NatWest we're talking about. ..."

    That would be the people who told my wife "You can be sure you're on the right site because there's a little green padlock in the address bar."

    Does Natwest use DNSSEC yet? Nope... not even '-all' in the SPF record.

    laptop3:~$ >>> dig -t any natwest.co.uk
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15118
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;natwest.co.uk. IN ANY
    ;; ANSWER SECTION:
    natwest.co.uk. 86400 IN TXT "v=spf1 ip4:155.136.80.0/24 ~all"
    natwest.co.uk. 86400 IN A 155.136.80.213
    natwest.co.uk. 86400 IN SOA dns1.cscdns.net. hostmaster.cscdns.net. 2017090604 3600 600 604800 86400
    natwest.co.uk. 86400 IN NS dns2.cscdns.net.
    natwest.co.uk. 86400 IN NS dns1.cscdns.net.
    ;; AUTHORITY SECTION:
    natwest.co.uk. 86400 IN NS dns2.cscdns.net.
    natwest.co.uk. 86400 IN NS dns1.cscdns.net.
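    The '-all' versus '~all' point is easy to check mechanically. The following is an added example, not code from the commenter or from any bank: an offline evaluator for the literal part of an SPF record that reports what the domain asks receivers to do with unlisted senders and evaluates ip4/ip6 mechanisms against a sender address without doing DNS lookups. The record it runs over is the one quoted in the dig output above; the sender addresses and the '-all' variant are constructed.

```python
"""Added example: offline evaluation of the literal mechanisms of an SPF record.
Lookup-based mechanisms (a, mx, include, exists, ptr) are reported rather than
resolved, so this runs with no network access."""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208, 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, or None if the
    text is not an SPF record. Each mechanism is (qualifier, name, argument);
    modifiers such as redirect= and exp= are skipped."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, not a mechanism
            continue
        name, _, argument = term.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name, argument))
    return mechanisms, all_qualifier


def policy_for_unlisted_senders(txt: str) -> str:
    """What the domain asks receivers to do with mail from a source it did not
    list: 'fail' for -all, 'softfail' for ~all, 'neutral' if 'all' is absent."""
    parsed = parse_spf(txt)
    if parsed is None:
        return "none"                        # no SPF record at all
    _, all_qualifier = parsed
    return QUALIFIER_RESULT.get(all_qualifier, "neutral")


def evaluate_literal(txt: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6 mechanisms in order against sender_ip. Returns the
    matching mechanism's result, 'needs-dns' if a lookup-based mechanism is
    reached first, or the record's policy for unlisted senders."""
    parsed = parse_spf(txt)
    if parsed is None:
        return "none"
    mechanisms, _ = parsed
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, argument in mechanisms:
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        else:
            return "needs-dns"
    return policy_for_unlisted_senders(txt)


NATWEST_RECORD = "v=spf1 ip4:155.136.80.0/24 ~all"    # as quoted in the dig output above
HARD_FAIL_RECORD = "v=spf1 ip4:155.136.80.0/24 -all"  # constructed: same senders, hard fail

if __name__ == "__main__":
    for record in (NATWEST_RECORD, HARD_FAIL_RECORD):
        print(record)
        print("  unlisted senders ->", policy_for_unlisted_senders(record))
        print("  155.136.80.213   ->", evaluate_literal(record, "155.136.80.213"))
        print("  203.0.113.5      ->", evaluate_literal(record, "203.0.113.5"))
```

    With '~all' a spoofed message from an unlisted address only gets a softfail, which most receivers treat as a hint rather than a rejection; '-all' turns the same check into a hard fail, which is the property the comment is pointing at.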

  40. Halfmad

    Really odd article

    Spends longer talking about the better banks than RBS which shows up as pretty poor.

  41. rh587

    Re: Really odd article

    As context to RBS (not excuse - just context). They've doubtless been uninclined to spend money since they've spent the last 6 years arsing around thinking about spinning off 600 branches.

    After the government bailed them out, the EU deemed it "State Aid" and told RBS they needed to sell 600 branches.

    At this point, customers at the affected branches were moved onto a parallel system (they access online banking through "rbs.co.uk/englandandwales"). Initially those branches were going to be sold to Santander UK. Then that fell through, they had a think and decided to relaunch an old brand that RBS bought up years ago (Williams and Glyn), and proceeded to fuck around with that for a couple of years until last autumn when they announced that was being kicked to the kerb because "The new bank wouldn't be viable on its own", which is a clever way of saying "We've just voted ourselves out of the EU, which means the State Aid ruling will cease to apply if we just procrastinate a bit longer until we're out".

    During this time they have repeatedly issued and cancelled new credit and debit cards as the IT department have started moving customers in and out of new systems in preparation for the split.

    It's no surprise then that RBS (And Natwest, owned by RBS Group) have some dire IT infrastructure and haven't improved - they've been bouncing between various different aborted projects for the last 6 years and probably haven't had budget for core improvements because all their resource has gone on trying to farm out a new bank.

    Though granted, none of that would prevent them from enabling HSTS on the F5/BigIP boxes that front their systems.

  42. Kevin Johnston Silver badge

    Santander

    They may get good marks from this mob but from a user login viewpoint I would give them an F or lower.

    I have the misfortune to use Santander for one account and they have 7 different validation fields/flags plus unless you use a Linux PC they try to push Trusteer at you every time (unless you are willing to allow them to fill your browser with cookies, great choice there).

    I get they want to look like they care about security but it doesn't work.

    Why does logging in need more than an ID and password plus a validation code of some sort which could be a OTP sent to the registered mobile, an RSA fob or similar?

  43. IanRS

    Re: Santander

    There are worse systems. Not many, but they do exist. Does anybody know of anything worse than the HMRC website? Last time I tried to get into that it would not accept my credentials and I had to go through their weird process of identity verification based on whatever various other government departments and outside agencies (such as credit assessment companies!) knew about you. e.g. Which mobile operator did you open an account with in 2001?

  44. peterm3

    Re: Santander

    Yes Santander do seem to rely on stuff which could be keylogged to log in. To make transactions they send an SMS, which opens up another potential security loophole. A friend of mine had his mobile number ported without his permission.

  45. Anonymous Coward

    Re: Santander

    Not as bad as Tesco bank which for at least a year had a website that you couldn't use Chrome on, but the warning wasn't obvious at login and the page loaded. So you'd enter your password and it'd reject it even if correct, then lock your account after 3 attempts - requiring a password reset be posted out to you.

  46. Anonymous Coward

    Tesco online banking

    Tesco's security question is a joke. Instead of asking you for the answer to your security question, it tells you the answer then asks you if that is the correct answer. If someone that incompetent designed their login procedure, it's a miracle they're still operating.

  47. Tom -1

    Re: Tesco online banking

    Despite their current incompetence, they are marginally better than they were a decade or so ago. In those days, their credit card provided no mechanism for automatic payment of the full balance on the statement, and the only way they would provide statements was by mail to a UK address. Since I was spending about a quarter of my time abroad that meant that several times a year I ended up paying only the minimum amount and getting stuck with interest on the rest. So I informed them that I was going to cease using their card unless they provided a means of having an automatic full amount payment (pretty well every other credit card supplier provided that means). They told me that they were going to provide that feature in about three months. Twelve months later they still hadn't provided it, and they wrote to me informing me that my account was cancelled because I hadn't used it for a year. So instead of having a customer not using his card for a couple of years (until they did what they had promised they would do within a tenth of the time they actually took to do it) they had an ex-customer who would never use any financial service from them again.

    Given that they were so incompetent that providing the full-payment option was beyond their capability to do in a reasonable time, I don't find it at all surprising that they are incompetent at security too.

  48. TrevorH

    What happened to Nationwide?

  49. Anonymous Coward

    The certificate is good, the rest, not so good.

    SSL Labs

    SSL Report: onlinebanking.nationwide.co.uk (155.131.32.27)

    Assessed on: Fri, 03 Nov 2017 11:29:17 UTC | Clear cache

    Summary

    Overall Rating: C

    Certificate: 100

    Protocol Support: 95

    Key Exchange: 70

    Cipher Strength: 50

    This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

    This server uses 64-bit block cipher (3DES / DES / RC2 / IDEA) with modern protocols. Grade capped to C.

    The server does not support Forward Secrecy with the reference browsers.

    Certificate #1: RSA 2048 bits (SHA256withRSA)

    DNS CAA No

    Security Headers

    Security Report Summary

    F

    Site: https://onlinebanking.nationwide.co.uk/

    IP Address: 155.131.32.27

    Report Time: 03 Nov 2017 13:57:19 UTC

    Report Short URL: Feature disabled.

    Missing Headers (6/6 missing):

    Strict-Transport-Security

    Content-Security-Policy

    X-Frame-Options

    X-XSS-Protection

    X-Content-Type-Options

    Referrer-Policy
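    The header part of that report is something a site owner can reproduce offline against their own responses. The following is an added example, not code from the commenter, from the scanning service or from any bank: it checks a response header set for the six headers the report lists and classifies the Strict-Transport-Security policy (missing, malformed, disabled, too short, ok), which is the distinction #1 raises when it calls HSTS a header rather than a cryptographic control. Both header sets below are constructed; the bare one simply has the shape of a 6/6-missing result.

```python
"""Added example: offline check of response headers against the list in the
report above, plus a parser for the Strict-Transport-Security policy."""

RECOMMENDED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Referrer-Policy",
)


def missing_headers(headers: dict) -> list:
    """Names from RECOMMENDED_HEADERS absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in RECOMMENDED_HEADERS if h.lower() not in present]


def parse_hsts(value: str):
    """Split an HSTS header value into its directives.
    Returns None when there is no numeric max-age, which browsers ignore."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True   # valueless directive, e.g. includeSubDomains
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    return directives


def assess_hsts(headers: dict, min_age: int = 31536000) -> str:
    """Classify the HSTS policy: missing, malformed, disabled, short-max-age or ok.
    min_age defaults to one year, the usual floor for a policy to be considered set."""
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return "missing"
    directives = parse_hsts(value)
    if directives is None:
        return "malformed"
    if directives["max-age"] == 0:
        return "disabled"        # max-age=0 tells the browser to forget the policy
    if directives["max-age"] < min_age:
        return "short-max-age"   # policy lapses quickly after the last visit
    return "ok"


# Constructed responses: one with no security headers at all, one hardened set.
BARE_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "missing:", missing_headers(response),
              "HSTS:", assess_hsts(response))
```

    The `assess_hsts` result matters more than presence alone: a header with `max-age=0` or a malformed value shows up as "present" to a naive check but gives the browser nothing to enforce.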

  50. CustardGannet

    "What happened to Nationwide?"

    I believe Frank Bough blew the budget on Colombian marching powder.

    Oh that Nationwide...

Biting the hand that feeds IT © 1998–2018