El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

High street banks should be exemplars of good security but many are letting the side down when it comes to following cryptographic best practice. Tests by security researcher Scott Helme and The Register showed a marked divergence in performance. We assessed the security of online login sites run by six UK high street banks …

  1. Steve 53

    Not the best of articles.

    Firstly, HSTS is not "a cryptographic technology", it's HTTP Header signalling used to tell the browser to only connect via HTTPS next time.

    Barclays domain doesn't support Forward Secrecy, which they "absolutely should". "There is no reason not to"

    Well, given CPU decrypt I would agree, but most banks will offload these to crypto cards (Generally on an ADC, perhaps with a FIPS card / NetHSM which makes PFS much less of a requirement in that the key is very well protected), and a good number of those don't support PFS ciphers. Not to mention depending on architecture lack of PFS may be very helpful for IDS type devices.

    "The most crucial thing the bank has missing is a HSTS policy which, for a secure website using HTTPS, is an absolute requirement."

    Well, it's clearly not an absolute requirement, as the site works without it. Good practice, sure.

    Not saying that the banks shouldn't up their game, but there may be perfectly good reasons not to support PFS

    1. scrubber

      Re: Not the best of articles.

      If you block port 80 does this matter?

      1. Alex Brett

        Re: Not the best of articles.

        Yes - while /you/ as the site admin might not be running a site on port 80, the person who attacks the end user can, and their browser will happily connect to it, whereas with HSTS the browser will always go to the HTTPS site and thus as well as MITMing the connection, you have to somehow get the browser to trust the certificate you present as well...

      2. Amos1

        Re: Not the best of articles.

        Blocking port 80 does not matter to auditors. Try as you might, those "educated fellows" will still follow their checklists and ding you for it. Same as not having the "secure" flag set on cookies on HTTPS-only sites.

  2. Aladdin Sane Silver badge

    Banks websites aren't as secure as they could be

    Water is wet, bears shit in woods.

    1. Solarflare

      Re: Banks websites aren't as secure as they could be

      Alongside the pope?

      1. Anonymous Coward
        Anonymous Coward

        Re: Banks websites aren't as secure as they could be

        Alongside the pope?

        Why would the Pope need to empty his bowels in the woods, when he's got a balcony? Admittedly that might be unfortunate for those in St Peter's Square, but at least the bears would be left in peace to do what they do best.

        1. Anonymous Coward
          Anonymous Coward

          Re: Banks websites aren't as secure as they could be

          at least the bears would be left in peace to do what they do best

          On further reflection, there's better opportunities for jokes if the Pope will continue to void his fundament in an arboreal environment. Take the old "Bear & Rabbit" joke, that could be updated: A bear and the Pope are releasing their night soil in the woods one day, side by side. There is much companionable grunting, straining and farting, before relief is forthcoming. Then the bear turns to the Pope and says "Hey, Pontiff, does s*** stick to your cassock?".......

    2. Pen-y-gors Silver badge
      Headmaster

      Re: Banks websites aren't as secure as they could be

      I dunno, is water actually wet? While in liquid state, possibly, but what does 'wet' actually mean? Is water itself wet, or is the thing that comes into contact with liquid water, and retains some of it, the thing that is wet? Can liquid water technically even be wet? And is solid or gaseous water technically wet? Stick a finger in superheated steam and will it come out wet?

      Best stick to the old Pope/Catholic question in future

  3. Pen-y-gors Silver badge

    It's not a problem, it's an opportunity

    Perhaps El Reg should start running security audits professionally and charge megabucks for a job that actually only takes half an hour (like all true international consultancies) - then no need to rely on advertising income!

    1. John H Woods Silver badge

      Re: It's not a problem, it's an opportunity

      You could even outsource some tasks to the commentards

      1. chivo243 Silver badge
        Joke

        Re: It's not a problem, it's an opportunity

        @John H Woods

        you mean like experts exchange? Where you pay the professional by the minute? Sign me up!

        1. Swarthy Silver badge
          Pint

          Re: It's not a problem, it's an opportunity

          Do you mean ExpertSexchange?

          1. Doctor Syntax Silver badge

            Re: It's not a problem, it's an opportunity

            "Do you mean ExpertSexchange?"

            Don't sign me up.

            1. Anonymous Coward
              Anonymous Coward

              Re: It's not a problem, it's an opportunity

              Don't sign me up.

              Why, are you afraid of new experiences?

            2. scrubber

              Re: It's not a problem, it's an opportunity

              Is that like my failed IT swap site computersexchange.com which got a surprising amount of traffic from Asia?

  4. Forget It
    WTF?

    Dunce Cap tip

    Isn't it security-101 to not store passwords on the server - but their hashes instead?

    How come then does the NatWest server know individual letters of my password

    when it prompts me for a random selection of them at each login?

    1. Doctor Syntax Silver badge

      Re: Dunce Cap tip

      "How come then does the NatWest server know individual letters of my password when it prompts me for a random selection of them at each login?"

      Possibly it created hashes for each of the combinations it might ask you and stored those.

      1. katrinab Silver badge

        Re: Dunce Cap tip

        "Possibly it created hashes for each of the combinations it might ask you and stored those."

        Well yes, but a brute force attack on a three letter password won't take very long, as in, it would probably take longer to display the results on the screen than it did to work it out.

    2. Anonymous Coward
      Anonymous Coward

      Re: Dunce Cap tip

      Yes and no. It's security 101 to not store passwords in plain text on a server. Using salted hashes is just one technique to do so. You can be pretty confident they're not storing them in plain text. PCI DSS is clear (hah) on the issue: "Render all passwords unreadable during transmission and storage on all system components using strong cryptography"

      However you can also be pretty confident they're not hashing them - these systems are old and would have balked at the space constraints implied by hashing + salting all the partial password combinations. They could but probably don't use a secret sharing scheme to test if the subcomponents of the password provided match the password.

      What they're probably doing is just encrypting the password. Which protects against most but not all of the same things as hashing. They're hopefully doing it in an HSM, which provides pretty robust physical protections against the password ever being retrieved.

      So, you know, don't re-use your banking passwords.

      1. heyrick Silver badge

        Re: Dunce Cap tip

        "You can be pretty confident they're not storing them in plain text."

        Oh, I can can I? Remember this is the NatWest we're talking about. Their "old" setup is possibly because nobody is brave enough to touch it, and the outsourced staff don't understand it...

        1. CustardGannet
          Facepalm

          Re: Dunce Cap tip

          I recently applied for a credit card (obviously I don't need any loan, given the whopping pay packet my employers give me (Joke Alert), but how else do you build a good credit rating for a mortgage?) from Barclaycard, who have now sent me the 'credit agreement' doc (the legal bit you sign and post back to them by snail-mail).

          Upon inspection I find this has, printed on the back, all my 'personal details' from the online application form : name, address, phone no (ok so far)... d.o.b. (er...), employer and gross salary (cough !), account number and sort code for my current account (choke !), and - I shit you not - the supposedly-only-known-to-me 'Security Word' that I specified.

          What a bunch of retards.

          1. Pen-y-gors Silver badge

            Re: Dunce Cap tip

            @CustardGannet

            account number and sort code for my current account (choke !)

            So, better rip the bottom half inch off your cheques every time you write one then... and NEVER ask people to pay you by bank transfer.

            The rest, you may have a point!

            1. Solarflare
            2. Doctor Syntax Silver badge

              Re: Dunce Cap tip

              "So, better rip the bottom half inch off your cheques every time you write one then... and NEVER ask people to pay you by bank transfer."

              No, I think he has a point.

              It's one thing to have that information on a cheque, it's another to combine it with a lot of other personal information such as DoB & employers. Someone intercepting the letter without that might be able to fill in the blanks from other sources but why present the whole lot on a plate?

        2. sitta_europea

          Re: Dunce Cap tip

          "... Remember this is the NatWest we're talking about. ..."

          That would be the people who told my wife "You can be sure you're on the right site because there's a little green padlock in the address bar."

          Does Natwest use DNSSEC yet? Nope... not even '-all' in the SPF record.

          laptop3:~$ >>> dig -t any natwest.co.uk
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15118
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 1
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;natwest.co.uk. IN ANY
          ;; ANSWER SECTION:
          natwest.co.uk. 86400 IN TXT "v=spf1 ip4:155.136.80.0/24 ~all"
          natwest.co.uk. 86400 IN A 155.136.80.213
          natwest.co.uk. 86400 IN SOA dns1.cscdns.net. hostmaster.cscdns.net. 2017090604 3600 600 604800 86400
          natwest.co.uk. 86400 IN NS dns2.cscdns.net.
          natwest.co.uk. 86400 IN NS dns1.cscdns.net.
          ;; AUTHORITY SECTION:
          natwest.co.uk. 86400 IN NS dns2.cscdns.net.
          natwest.co.uk. 86400 IN NS dns1.cscdns.net.
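          The SPF point sitta_europea makes, worked through as an added example that is not part of the post: a minimal evaluator for the ip4, ip6 and all mechanisms, run over the TXT record shown in the dig output above. The sender addresses are constructed; a, mx, include, ptr and the redirect= modifier need DNS lookups and are deliberately not implemented here.

```python
import ipaddress

# SPF result for each qualifier prefix (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record copied from the dig output above; sender addresses used below are constructed.
NATWEST_SPF = "v=spf1 ip4:155.136.80.0/24 ~all"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Modifiers such as redirect= and exp= are skipped: they need DNS to resolve.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an absent qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, not a mechanism
            continue
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def all_qualifier(record):
    """Qualifier on the trailing 'all' term, or None if the record has none."""
    for qualifier, mech, _ in parse_spf(record):
        if mech == "all":
            return qualifier
    return None


def evaluate(record, sender_ip):
    """Result a receiving MTA would reach for sender_ip against this record.

    Only ip4, ip6 and all are evaluated; a, mx, include and ptr require DNS
    lookups and raise instead of being guessed.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # ip_network() treats a bare address as /32 or /128, and an
            # address of the other family never matches the network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS resolution")
    return "neutral"                          # nothing matched and no 'all' term


if __name__ == "__main__":
    for sender in ("155.136.80.213", "198.51.100.7"):
        print(sender, evaluate(NATWEST_SPF, sender))
    print("all qualifier:", all_qualifier(NATWEST_SPF))
```

          With ~all, mail from an address outside 155.136.80.0/24 only gets "softfail", which most receivers treat as a hint rather than a rejection; the same record ending in -all returns "fail" for that sender.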

      2. labourer

        Re: Dunce Cap tip

        > However you can also be pretty confident they're not hashing them -

        > these systems are old and would have balked at the space constraints

        > implied by hashing + salting all the partial password combinations.

        Hopefully we can be sure they're not protecting the password by hashing the partial combinations because it's a poor idea. Trivial to recover the partial password given the hash, 24 bit exhaust at most for a three character partial.
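        Labourer's and katrinab's point, worked through as an added example that is not from the thread and not any bank's code: if a server really did keep a salted hash for every three-position combination of the memorable word, a leaked table can be exhausted one partial at a time. The 62-symbol alphabet, the salt, the secret and the SHA-256 construction are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import itertools
import math
import string

# Assumption: the partial characters are drawn from this 62-symbol alphabet.
ALPHABET = string.ascii_letters + string.digits
PARTIAL_LEN = 3


def keyspace_bits(k, alphabet=ALPHABET):
    """Work an attacker faces to exhaust k characters, in bits."""
    return math.log2(len(alphabet) ** k)


def digest_partial(positions, chars, salt):
    """Salted SHA-256 over the chosen positions and the characters at them."""
    return hashlib.sha256(salt + bytes(positions) + chars.encode()).hexdigest()


def enrol(secret, salt, k=PARTIAL_LEN):
    """Everything a 'hash every k-position combination' scheme must store."""
    return {
        pos: digest_partial(pos, "".join(secret[p] for p in pos), salt)
        for pos in itertools.combinations(range(len(secret)), k)
    }


def crack_partial(digest, positions, salt, known, alphabet=ALPHABET):
    """Exhaust one stored partial, fixing characters already recovered."""
    choices = [[known[p]] if known[p] is not None else alphabet for p in positions]
    for guess in itertools.product(*choices):
        if hmac.compare_digest(digest_partial(positions, "".join(guess), salt), digest):
            return guess
    return None


def recover_secret(table, salt, length, alphabet=ALPHABET):
    """Rebuild the whole secret from a leaked table, one partial at a time."""
    known = [None] * length
    while None in known:
        # Take the stored combination that still reveals the most unknown positions.
        positions = max(table, key=lambda pos: sum(known[p] is None for p in pos))
        guess = crack_partial(table[positions], positions, salt, known, alphabet)
        if guess is None:
            raise RuntimeError("alphabet assumption does not cover the secret")
        for p, c in zip(positions, guess):
            known[p] = c
    return "".join(known)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    secret = "Batt3ryHorse"            # constructed; not a real credential
    table = enrol(secret, salt)
    print(f"{len(table)} stored hashes, {keyspace_bits(PARTIAL_LEN):.1f} bits each")
    print("recovered:", recover_secret(table, salt, len(secret)))
```

        Each stored hash costs at most 62^3 (about 2^18) trial hashes to reverse, well under the 24-bit figure labourer gives for the worst case, and a 12-character word needs only four such runs to fall completely; salting and a slower hash function change the constant, not the conclusion.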

    3. Anonymous Coward
      Anonymous Coward

      Re: Dunce Cap tip

      I have the same concerns. Banks are the only entity that asks me for the xth digit of my password/passcode, and every time I'm asked, I think, "So, you're clearly not hashing these."

      1. Alan Sharkey

        Re: Dunce Cap tip

        Both Lloyds and nationwide ask me for a password and then selected letters/numbers from my "passcode". So, assuming the password is hashed and salted, then the other one is just additional security

        Alan

        1. Ken Hagan Gold badge

          Re: Dunce Cap tip

          To enlarge on Alan's comment, where a system asks for both a complete password (which can be hashed and salted) and a few characters from a second set (which probably can't) the point of the second line of defence is that you will be asked for a different selection the next time you log in. This hardens the system against keyloggers on the customer's device because for any reasonable length of the second set, it will be quite a while before the same three are asked for.

          1. TRT Silver badge

            Re: Dunce Cap tip

            It annoys me that they ask for characters from my secret thingy, but it's the first, last and second last. The field is limited to 10 characters, so my usual three-word phrase trick often exceeds that.

            Battery Horse Staple.

            What's the final character?

            E

            Not what I have here.

            Oh, hang on, 10 characters, right? R

            Correct.

            Now if they had asked for character 10 in the first place...

            Mind you, making a deliberate mistake and being told it's wrong has some reassurance value... I always enter my PIN wrong the first time at an unfamiliar cashpoint. Just in case you know.

    4. SuccessCase

      Re: Dunce Cap tip

      First Direct phone me and start asking me my security questions to confirm who I am. My reply is always the same. "I know I can call you back, but my concern is you are showing yourself to be so incompetent as to have considered this an acceptable process in the first place. Do you think it's a good idea to encourage your customers to respond with security information when a random stranger phones them up?"

      1. Anonymous Coward
        Anonymous Coward

        Re: Dunce Cap tip

        And I'm sure minimum wage phone drone #87676 gives you a thoroughly reasoned and well thought out reply, making the entire venture entirely worth your time.

        1. David Nash Silver badge

          Re: Dunce Cap tip

          "And I'm sure minimum wage phone drone #87676 gives you a thoroughly reasoned and well thought out reply, making the entire venture entirely worth your time."

          Actually First Direct customer service staff are excellent and always give a good service. Dates back from when they were telephone only I guess.

          No connection except as a longstanding satisfied customer. Which is annoying because we are always being exhorted by consumer groups to change our bank accounts, and other banks are pushing inducements to do so...but FD always win the awards and top the charts for good service.

      2. 0laf Silver badge
        FAIL

        Re: Dunce Cap tip

        One of the banks I've been dealing with even phones you up from a mobile phone number. I've no idea if there is some business system that does this or if it's staff doing BYOD to call customers.

        Either way I'd suggest that it doesn't fill a cynical customer with joy to get a call from a random 07... number stating it's my bank and asking for security information. Then making it a PITA to call you back by hiding your contact numbers and making your contact system a Sisyphean nightmare.

        1. Doctor Syntax Silver badge

          Re: Dunce Cap tip

          " I'd suggest that it doesn't fill a cynical customer with joy to get a call from a random 07... number stating it's my bank and asking for security information."

          The really worrying thing is that they'd only persist with this if the majority of customers responded positively.

        2. Anonymous Coward
          Anonymous Coward

          Re: Dunce Cap tip

          Possibly BYOD or business provided mob.

      3. Doctor Syntax Silver badge

        Re: Dunce Cap tip

        HSBC used to do something similar when I had a business account with them. They wanted the amount of a recent transaction for me to prove who I was!

        I always told them I didn't believe they were who they said they were because I'd made it clear to my bank that I wouldn't accept such calls without a secure means of identifying themselves. If they were calling without such identification then they couldn't be my bank and I wouldn't even confirm if they'd guessed right. It was always followed up by a letter from them essentially saying how miffed they were that they hadn't been able to talk to me to sell me something.

        I suppose I could have replied by giving them some random incorrect amount. Their recognition that it was incorrect would serve to identify them but I didn't particular want to take sales calls from them so why bother?

      4. david bates

        Re: Dunce Cap tip

        HSBC played a blinder this week. Sending me a text message with a link telling me they were going to close my business account.

        Obviously I ignored it and then noticed it was legitimate next time I logged into my account - they MAY keep my account open if I update everything by next year, but tbh if they're going to pull idiot shit like that they won't get the chance to be so magnanimous.

  5. Halfmad

    Really odd article

    Spends longer talking about the better banks than RBS which shows up as pretty poor.

    1. rh587

      Re: Really odd article

      As context to RBS (not excuse - just context). They've doubtless been uninclined to spend money since they've spent the last 6 years arsing around thinking about spinning off 600 branches.

      After the government bailed them out, the EU deemed it "State Aid" and told RBS they needed to sell 600 branches.

      At this point, customers at the affected branches were moved onto a parallel system (they access online banking through "rbs.co.uk/englandandwales"). Initially those branches were going to be sold to Santander UK. Then that fell through, they had a think and decided to relaunch an old brand that RBS bought up years ago (Williams and Glyn), and proceeded to fuck around with that for a couple of years until last autumn when they announced that was being kicked to the kerb because "The new bank wouldn't be viable on its own", which is a clever way of saying "We've just voted ourselves out of the EU, which means the State Aid ruling will cease to apply if we just procrastinate a bit longer until we're out".

      During this time they have repeatedly issued and cancelled new credit and debit cards as the IT department have started moving customers in and out of new systems in preparation for the split.

      It's no surprise then that RBS (And Natwest, owned by RBS Group) have some dire IT infrastructure and haven't improved - they've been bouncing between various different aborted projects for the last 6 years and probably haven't had budget for core improvements because all their resource has gone on trying to farm out a new bank.

      Though granted, none of that would prevent them from enabling HSTS on the F5/BigIP boxes that front their systems.

  6. Kevin Johnston

    Santander

    They may get good marks from this mob but from a user login viewpoint I would give them an F or lower.

    I have the misfortune to use Santander for one account and they have 7 different validation fields/flags plus unless you use a Linux PC they try to push Trusteer at you every time (unless you are willing to allow them to fill your browser with cookies, great choice there).

    I get they want to look like they care about security but it doesn't work.

    Why does logging in need more than an ID and password plus a validation code of some sort which could be an OTP sent to the registered mobile, an RSA fob or similar?

    1. IanRS

      Re: Santander

      There are worse systems. Not many, but they do exist. Does anybody know of anything worse than the HMRC website? Last time I tried to get into that it would not accept my credentials and I had to go through their weird process of identity verification based on whatever various other government departments and outside agencies (such as credit assessment companies!) knew about you. e.g. Which mobile operator did you open an account with in 2001?

    2. peterm3

      Re: Santander

      Yes Santander do seem to rely on stuff which could be keylogged to log in. To make transactions they send an SMS, which opens up another potential security loophole. A friend of mine had his mobile number ported without his permission.

    3. Anonymous Coward
      Anonymous Coward

      Re: Santander

      Not as bad as Tesco bank which for at least a year had a website that you couldn't use Chrome on, but the warning wasn't obvious at login and the page loaded. So you'd enter your password and it'd reject it even if correct, then lock your account after 3 attempts - requiring a password reset be posted out to you.

      1. Anonymous Coward
        Anonymous Coward

        Tesco online banking

        Tesco's security question is a joke. Instead of asking you for the answer to your security question, it tells you the answer then asks you if that is the correct answer. If someone that incompetent designed their login procedure, it's a miracle they're still operating.

        1. Tom -1

          Re: Tesco online banking

          Despite their current incompetence, they are marginally better than they were a decade or so ago. In those days, their credit card provided no mechanism for automatic payment of the full balance on the statement, and the only way they would provide statements was by mail to a UK address. Since I was spending about a quarter of my time abroad that meant that several times a year I ended up paying only the minimum amount and getting stuck with interest on the rest. So I informed them that I was going to cease using their card unless they provided a means of having an automatic full amount payment (pretty well every other credit card supplier provided that means). They told me that they were going to provide that feature in about three months. Twelve months later they still hadn't provided it, and they wrote to me informing me that my account was cancelled because I hadn't used it for a year. So instead of having a customer not using his card for a couple of years (until they did what they had promised they would do within a tenth of the time they actually took to do it) they had an ex-customer who would never use any financial service from them again.

          Given that they were so incompetent that providing the full-payment option was beyond their capability to do in a reasonable time, I don't find it at all surprising that they are incompetent at security too.

  7. TrevorH

    What happened to Nationwide?

    1. Anonymous Coward
      Anonymous Coward

      The certificate is good, the rest, not so good.

      SSL Labs

      SSL Report: onlinebanking.nationwide.co.uk (155.131.32.27)

      Assessed on: Fri, 03 Nov 2017 11:29:17 UTC

      Summary

      Overall Rating: C

      Certificate: 100

      Protocol Support: 95

      Key Exchange: 70

      Cipher Strength: 50

      This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

      This server uses 64-bit block cipher (3DES / DES / RC2 / IDEA) with modern protocols. Grade capped to C.

      The server does not support Forward Secrecy with the reference browsers.

      Certificate #1: RSA 2048 bits (SHA256withRSA)

      DNS CAA No

      Security Headers

      Security Report Summary

      F

      Site: https://onlinebanking.nationwide.co.uk/

      IP Address: 155.131.32.27

      Report Time: 03 Nov 2017 13:57:19 UTC


      Missing Headers (6/6 missing):

      Strict-Transport-Security

      Content-Security-Policy

      X-Frame-Options

      X-XSS-Protection

      X-Content-Type-Options

      Referrer-Policy

      1. Duncan Macdonald Silver badge

        Nationwide

        Looking at the detailed report - AES 256 encryption is used with everything that supports it (the significant exceptions were Android 2.3.7 and IE8 on XP which no sensible person should be using for online banking). TLS 1.3 is not supported but as the draft was only published in April 2017 this is not surprising. Diffie-Hellman key exchange was not used with any of the simulated browsers (RSA was used instead) so the fact that the server supports the DH key exchange does not have much impact on security.

    2. CustardGannet

      "What happened to Nationwide?"

      I believe Frank Bough blew the budget on Colombian marching powder.

      Oh that Nationwide...

    3. Anonymous Coward
      Anonymous Coward

      > What happened to Nationwide?

      They may have a weak score but they do at least use 2FA [*] rather than "please enter the 2nd, 7th and 19th characters of your password".

      [*] Although I'm now awaiting the revelation that the calculator-like gadget that reads your debit card and generates a one-time code, simply XORs your PIN with the card number so any MITM now knows your card PIN. :-(

      1. Anonymous Coward
        Anonymous Coward

        Not strictly true, you can choose a card reader or entering a password and three random digits from a secret number.

    4. HarryBl

      Indeed. They were actually the first bank to offer online services to their customers in the UK

      1. David 140

        A pedant writes... https://en.wikipedia.org/wiki/Homelink

  8. peterm3
    Thumb Down

    It pays to decide Nationwide

    What about Nationwide? They have / used to have 10 million current account customers, many of whom must be using internet banking.

  9. Anonymous Coward
    Anonymous Coward

    "we do have a number of layers protecting the website"

    Ehm, those layers should be between their front-end web server and the users' browsers. Could they explain how they deploy such layers?

    1. Steve 53

      Re: "we do have a number of layers protecting the website"

      They're probably talking about the ability to flag fraudulent transfers after the request has been made via the compromised user.

      Realistically poor SSL/TLS is a much less exploitable fraud vector than banking malware.

    2. Alistair Silver badge
      Windows

      Re: "we do have a number of layers protecting the website"

      "Could they explain how they deploy such layers?"

      Why, yes, -- those layers would be the PR department, it's 11 layers deep.

      1. PNGuinn
        Facepalm

        Re: "we do have a number of layers protecting the website"

        "Why, yes, -- those layers would be the PR department, its 11 layers deep."

        Or 11 lawyers deep, Min.

    3. Loud Speaker

      Re: "we do have a number of layers protecting the website"

      I think it is a spelling correction error and should read "We do have a number of liars protecting the website". That would be more consistent with how banks protect everything else belonging to their customers.

      1. Dan 55 Silver badge

        Re: "we do have a number of layers protecting the website"

        I think really they forgot the 'w' from lawyers.

  10. omg

    Is HSTS really necessary if the site is not even listening for HTTP traffic?

    If you do your HTTP -> HTTPS redirect on a separate site then there's no way the main site can ever respond to anything on HTTP.

    1. This post has been deleted by its author

    2. Steve 53

      Yes, if you can MITM you can put a HTTP server between the customer and the bank web server, then serve a dodgy version of the site without needing certs. Not that many users look for the padlock before they provide their credentials...
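    The mechanics behind omg's question and Steve 53's answer, and the missing-header list in the Nationwide scan further up, as an added example that is not part of either comment: a browser only upgrades a typed or linked http:// URL when it already holds an HSTS policy for that host, so a closed port 80 at the bank does nothing against an attacker who answers port 80 on the path. The code parses a Strict-Transport-Security value, discards it if it was received over plain HTTP as RFC 6797 requires, grades it against the usual preload-list bar, and reports which of the six scanned headers a constructed response lacks. The host names, the response dictionaries and the cache layout are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000   # seconds; the smallest max-age the preload list accepts

# The headers the scanner report above listed, in the order it listed them.
SCANNED_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-XSS-Protection", "X-Content-Type-Options", "Referrer-Policy",
)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError(f"bad max-age {arg!r}")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def effective_hsts(scheme, headers):
    """Policy a browser would record, or None.

    RFC 6797 tells browsers to ignore the header on non-secure transport, so a
    policy served only over plain HTTP protects nobody.
    """
    if scheme != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def assess_hsts(policy):
    """Findings against the usual deployment bar; an empty list is preload-ready."""
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("subdomains unprotected")
    if not policy["preload"]:
        findings.append("not preloaded: the very first visit can still be stripped")
    return findings


def missing_security_headers(headers):
    """Names from SCANNED_HEADERS absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in SCANNED_HEADERS if h.lower() not in present]


def upgrade_url(url, hsts_cache):
    """What a browser does before sending a byte: rewrite http:// to https://
    when the host, or a parent domain with includeSubDomains, has a cached policy.

    hsts_cache maps host -> policy dict from parse_hsts(); ports are ignored.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    labels = parts.hostname.split(".")
    for i in range(len(labels)):
        policy = hsts_cache.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url   # no policy known: the request leaves in the clear


if __name__ == "__main__":
    # Constructed response resembling the scan above: no security headers at all.
    bare = {"Content-Type": "text/html", "Server": "example"}
    print("missing:", missing_security_headers(bare))
    good = "max-age=31536000; includeSubDomains; preload"
    cache = {"bank.example": effective_hsts("https", {"Strict-Transport-Security": good})}
    print(upgrade_url("http://www.bank.example/login", cache))
    print(upgrade_url("http://www.bank.example/login", {}))
```

    The last two prints show the whole argument: with a policy cached the request is rewritten to https:// before it leaves the machine, and without one it goes out as http://, which is the request the MITM in Steve 53's scenario answers.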

  11. omg

    Shame they didn't look at third party scripts loaded by the sites. That's where most malware comes from after all. I recently noticed that Halifax's account pages try to load scripts from advertisers, even within the login page. No ads are displayed on those pages, but the tracking scripts seem to have been added to all pages by default. I logged a complaint with them but the support guy didn't really understand the issue, so I'm now looking for a new bank.

    1. Intractable Potsherd Silver badge

      Which raises a really good point - since none of the banks covered in the article have stellar internet security, which one should we use? I'm in the market for a new bank myself, and was considering Nationwide because of its customer service and not planning to shut local branches (which is one reason I'm leaving RBS), but the security report posted by an earlier commentard suggests Nationwide might be really lacking internet security.

  12. RonWheeler

    Finance departments

    Most big offices use some sort of man in the middle to ensure staff can be fired for misuse of internet, oh and to protect the users too. Suddenly doing the right thing can cause headaches.

  13. Anonymous Coward
    Anonymous Coward

    If only having a HSTS had anything to do with site security...

    You can have a grade A on both those scanners and have a website like swiss cheese full of XXE, IDOR and SQLi...

  14. Walter Bishop Silver badge
    Terminator

    Lack of support for HTTP Strict Transport Security

    "The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks .. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure"

    "HTTPS Everywhere .. will protect you against many forms of surveillance and account hijacking, and some forms of censorship."

  15. Anonymous Coward
    Anonymous Coward

    More interestingly is to scan the major security companies!

    Symantec = D https://schd.io/43O

    Avast = B https://schd.io/Ha

    Sophos = B https://schd.io/1Zk

    McAfee = F https://schd.io/Erk

    1. Anonymous Coward
      Anonymous Coward

      Re: More interestingly is to scan the major security companies!

      I'm surprised that McAfee only got an 'F'.

      If they had been measured on the effectiveness of their antivirus products, then I would have been looking lower than 'Z'...

      1. anthonyhegedus Silver badge

        Re: More interestingly is to scan the major security companies!

        McAfee do an antivirus?

    2. This post has been deleted by a moderator

  16. simon@simonrosephotography.co.uk

    Good article. Maybe this will help them?

    I too have had concerns over the security of banking websites. I'd tested Santander with SSLLabs a while back and it scored badly. It was near impossible to get anyone at the bank to listen to me, although it does look like they are listening now as the score has improved. Conversely, I reported similar SSL vulnerabilities to my investment platform (AJ Bell) and had a phone call back almost immediately from their Security Officer thanking me for my concerns and assuring me they'd address them. They fixed the issues within a week. Kudos to them.

    So, it can be done, and HSTS is really simple to implement too.

    El Reg, maybe forward them all this article from the renowned Troy Hunt?

    https://www.troyhunt.com/the-6-step-happy-path-to-https/

    1. Doctor Syntax Silver badge

      Re: Good article. Maybe this will help them?

      "El Reg, maybe forward them all this article from the renowned Troy Hunt?"

      How many of them will even have heard of Troy Hunt?

  17. Ian Emery Silver badge

    Where are the First Direct results??

    I know they are part of HSBC, but they use a totally different system, so should be tested as a separate bank.

    As an aside, how can FD's user interface be so wonderful, and HSBC's be so crap???

    I have to use both, and REALLY wish FD accepted business accounts.

    1. omg

      Re: Where are the First Direct results??

      I don't have a First Direct account, but I can see that they load scripts from googleadservices.com and maxymiser.net on the login page. Not ideal.

      1. Anonymous Coward

        Re: Where are the First Direct results??

        Both of those sites are blocked by my firewall.

        I have noticed that there are a few bastard sites that won't load without them returning something.

        These are US based but I expect it to get worse.

        I don't want Adverts on my banking pages especially ones slung by Google. Google knows far too much about us already.

        1. Amos1

          Re: Where are the First Direct results??

          A fairly interesting side effect of GDPR is that many of those tracking tags that companies place on their websites do pull tracking information and that runs afoul of GDPR.

      2. Norman Nescio Silver badge

        Re: Where are the First Direct results??

        > I don't have a First Direct account, but I can see they load scripts from googleadservices.com and maxymiser.net on the login page. Not ideal.

        Shouldn't banking sites (and indeed, any page that allows financial transactions) have zero minimal* links to third parties? I would expect all the page to be delivered over https; and the certificate for the page and all linked pages to be owned by the bank/financial institution. Anything less than that looks rather dodgy to me. How does the bank/financial institution know that the third party is not serving up malware, and who is liable if it does?

        uMatrix helps a lot in that regard.

        *I say minimal, as the frame that takes you off to Visa or Mastercard to authenticate your credit card transactions links to their infrastructure, not the retailers.

        1. Ian Emery Silver badge

          Re: Where are the First Direct results??

          The only "ads" I see on FD are those relating to FD services; Google try to force their way in everywhere. What browser are you using, because I don't have Google or maxymiser (also Google) showing when I log in.

          I block 90% of scripts using NoScript anyway.

          Cross site scripting is why I have stopped using TheBookPeople; I get XSS warnings from the credit card details page; this is inexcusable.

  18. Anonymous Coward

    real question - why can't they do email with PGP ?

    Is there a really good reason that none of them do business by email with PGP, but they all prefer varying degrees of home-brew, with all the failings described by the article and the respected commentariat, as above?

    1. Anonymous Coward

      Re: real question - why can't they do email with PGP ?

      Because outside the geek community nobody knows what PGP is? For that matter, S/MIME would be better, as banks have no issue buying certificates, and it is supported by most mail clients, unlike PGP, which often needs specific plug-ins.

      In my country we have "certified email" (it is a governmental standard, and mandatory for some tasks), and it's S/MIME based, not PGP, sorry.

      Tracking PGP keys and their revocation is even worse than with X.509 certificates.

  19. Gene Cash Silver badge

    Cookies & scripts from .ru

    After I log into my chase.com account, I get cookies and scripts from .ru sites for ads and marketing tracking.

    Nice.

  20. This post has been deleted by a moderator

    1. TRT Silver badge

      Re: much better capitalised

      Yeah, bloody nEwYork FirsT NATional HoldINg bANk pisses me off.

  21. anthonyhegedus Silver badge

    The Lloyds bank website tries to load some Flash before you log in.

    1. TRT Silver badge

      I wouldn't touch them. They're a dark horse.

  22. Tez B

    Smile please...

    Anyone have any info on Smile's performance?

    1. TRT Silver badge

      Re: Smile please...

      Yep. Just takes the one and the whole world smiles with you.

    2. Captain Badmouth

      Re: Smile please...

      Qualys ssl gives them an A-, securityheaders.io gives them an F!

  23. gerdesj Silver badge

    Barclays

    I'm a Barclays customer FWIW and I login to this: https://barclays.lifestylegroup.co.uk/auth

    That gets an A+ at SSL Labs and supports HSTS and PFS.

    1. BenM 29

      Re: Barclays

      Correct me if I am wrong, but lifestyle group is just an authorised MITM for many banks.

      It matters not one bit that your interface with the MITM is secure if the backhaul isn't.

    2. Amos1

      Re: Barclays

      They're looking pretty good here as well: https://observatory.mozilla.org/analyze.html?host=barclays.lifestylegroup.co.uk

  24. TRT Silver badge

    Can we have a review of Apps now? Or does reverse engineering those breach some law or other?

    1. Duncan Macdonald Silver badge

      Apps - Security ???

      As most mobile phones are running old versions of software for which no upgrades are possible (e.g. my Android phone runs on 4.2.1), the platform is insecure. It does not matter how good the app is if something in the background can intercept every keystroke/finger tap. In my opinion mobile phones are unsuitable for banking. (To pay for apps on the Play Store, I use prepaid Play Store gift cards - there is no bank or credit card usage on my phone at all.)

      An app running on a PC or Mac with the latest security updates and a good antivirus package MAY be secure; however, I trust Firefox with NoScript and AdBlockPlus more than an app written by a bank that probably got its code written by the lowest bidder in India.

      1. Barry Rueger Silver badge

        Re: Apps - Security ???

        Came here to make the same point. If, as I do, you do a lot of banking on your phone, you have to accept the fact that manufacturer + carrier make it likely that your device is one great, gaping security hole.

        1. Anonymous Coward

          Re: Apps - Security ???

          Too true.

          If anyone is running mobile banking apps on an Android device that hasn't been patched (i.e. 100s of millions of people), then getting compromised is just a question of "when" not "if".

  25. Amos1

    I love articles like this because I work for a bank!

    The local media loves to do these types of articles and I love them for it. Why? Because they have no clue what they're doing so we always look great.

    - They never chase links so they never test our online banking systems or our online account opening sites, which are on separate servers from the brochureware home page.

    - They never check DNS configurations to see if we have CAA, SPF, DKIM, or DMARC records deployed.

    - They never check to see if we allow DNS zone transfers from arbitrary IP addresses, not only publicly revealing systems that we don't want the world to know about but also allowing us to be used in DDoS attacks.

    - They never check the robots.txt files to see if we're using them as a form of security through obscurity.

    - They never check email DNS records to see if we have over one million IP addresses listed in our SPF record because of Office 365 usage. Or are using +all in it.

    - They never use a real website testing service like observatory.mozilla.org so The Big D does not show on sites that SSL Labs rates as an A: https://observatory.mozilla.org/analyze.html?host=santander.com

    Keep up the good work, folks!
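The SPF checks Amos1 lists (a +all record, a record authorising over a million addresses, and the DNS-lookup limit) can be scripted offline against the TXT record text; this is an added example, not the commenter's or any bank's code, and the two records it analyses are constructed for hypothetical domains.

```python
import ipaddress
import re

# Mechanisms that cost a DNS lookup; RFC 7208 s4.6.4 caps them at 10 per check.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:/](.+))?$", re.I)

# Constructed sample records (hypothetical domains, not any real bank's DNS).
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"
OPEN_RECORD = "v=spf1 a mx ip4:10.0.0.0/8 +all"

def analyse_spf(record):
    """Parse one SPF TXT record and list the weaknesses a reviewer would flag.
    Only literal ip4: mechanisms are counted; include:/redirect= targets are not
    resolved, so this runs offline and under-counts records that delegate."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record"]}
    res = {"valid": True, "all": None, "ip4_addresses": 0, "lookups": 0, "findings": []}
    for term in terms[1:]:
        if "=" in term:                        # modifier such as redirect= or exp=
            if term.split("=", 1)[0].lower() == "redirect":
                res["lookups"] += 1
            continue
        m = TERM_RE.match(term)
        if not m:
            res["findings"].append(f"unparseable term {term!r}")
            continue
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_MECHANISMS:
            res["lookups"] += 1
        elif name == "ip4" and qual == "+":    # only positive grants widen the policy
            try:
                res["ip4_addresses"] += ipaddress.ip_network(arg, strict=False).num_addresses
            except ValueError:
                res["findings"].append(f"bad ip4 argument {arg!r}")
        elif name == "all":
            res["all"] = QUALIFIER[qual]
    if res["all"] == "pass":
        res["findings"].append("+all authorises every host on the Internet to send as this domain")
    elif res["all"] in (None, "neutral"):
        res["findings"].append("no -all/~all: receivers get no usable policy")
    if res["ip4_addresses"] > 1_000_000:
        res["findings"].append(f"over one million IPv4 addresses ({res['ip4_addresses']}) authorised")
    if res["lookups"] > 10:
        res["findings"].append(f"{res['lookups']} DNS lookups exceeds the limit of 10 (permerror)")
    return res
```

Running `analyse_spf` over the real record (fetched with `dig TXT`) gives a per-domain finding list that observatory.mozilla.org's grade alone does not show.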

  26. Lee D Silver badge

    If you wanna do some journalism, have a look at TPOnline (Teacher's Pensions Online, also the guardian of the "List 99" barred checks for staff).

    Everything from emailing out the private keys of client certificates in an unencrypted email (you just have to ask nicely and say it didn't work when you tried to download it), to charging £80+ for a new certificate even on renewal / replacement, to having some of the most atrocious TLS security known to man for years (they improved this year, they almost get a C on SSL Labs now!), etc. despite handling all kinds of sensitive data.

    Oh, and pretty much only works in IE, and you have to put everything into trusted zones etc. to make it work even then.

  27. Captain Badmouth

    The co-op

    The co-op login page gets a C on Qualys - due to its (lack of) protocol support, and an F on securityheaders.io.

    Worse than smile which is internet only.

  28. Anonymous Coward

    Had to update my credit card details on a subscription I have which uses WorldPay ... the retailer's site seemed to insist on setting up a new payment to handle a new card (in reality an expiry date update) and just discovered that as a result WorldPay have emailed me with "new account" info ... including a password in plaintext!

Biting the hand that feeds IT © 1998–2019