back to article Does UK high street banks' crappy crypto actually matter?

The Register's recent story about the failure of most UK high street banks to follow web security best practices has provoked a lively debate among security experts. Tests of six banks revealed sketchy support for HTTP Strict Transport Security (HSTS), a cryptographic technology introduced in October 2012 and designed to …

  1. iron Silver badge

    "Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken,"

    I could not disagree more vehemently. Crooks being able to steal MY money from the bank because some clueless user is still using IE6 and the bank want to be compatible is completely unacceptable. Online banking is a bonus, having your money secure trumps that since you can always phone, visit a branch or use an ATM.

    1. Alister Silver badge

      @iron

      Crooks being able to steal MY money from the bank because some clueless user is still using IE6 and the bank want to be compatible is completely unacceptable.

      That's a nonsensical strawman.

      If you use the latest and greatest browser, then your connection will use the highest available encryption, so is not at risk.

      If the bank / business also allows connections using weaker encryption for people with older browsers, that doesn't compromise your connection.

      1. Ben Tasker Silver badge

        If you use the latest and greatest browser, then your connection will use the highest available encryption, so is not at risk.

        If the bank / business also allows connections using weaker encryption for people with older browsers, that doesn't compromise your connection.

        To be fair, as noted in the previous article, the highest available encryption available from some of the banks is actually quite low/old (with some not even have PFS).

        But, as the current article notes, crooks don't generally both trying to attack your connection to the bank. Far easier to either deploy malware or use traditional phishing tactics.

        As we continue to secure connections, those routes are only going to become more popular too. You only really need a low(ish) bar on the connection itself to make these the more lucrative and desirable routes, and that bar is already in place.

      2. lglethal Silver badge
        Go

        Hang on. I thought from the original Report they were saying that the Banks hadnt implemented the additional security at all. Not that the Problem was that the better security wasnt being forced to be used. If it was the latter (what you describe with being able to accept both older and newer OSes Connections with and without the encryption), then I dont think they would have gotten bad marks.

        Your solution would be the best result for everyone. But I'm pretty certain that wasnt what was being described.

        1. Alister Silver badge

          @Iglethal.

          No, that's not the case, the article is rather disingenuous about the report.

          If you run a report yourself on HSBC for instance:

          https://www.ssllabs.com/ssltest/analyze.html?d=www.security.hsbc.co.uk&hideResults=on

          You can see that they do support the latest SSL ciphers (ECDHE_RSA) but that they also support various ciphers which are now considered to be weak.

          What Scott Helme is claiming - that they don't implement HSTS headers - is NOT a major issue despite his claims, all that the HSTS header does is to tell the browser to always use HTTPS to connect to the site, but it doesn't specify the ciphers to be used on the connection, and most if not all the bank sites will only accept connections over HTTPS anyway.

          1. Quotes

            Cipher Selection

            @Alister mentioned the SSL report from Qualys SSL Labs for HSBC. It does cause concern to see a "B" rating, and inclusion of the TLS_RSA_WITH_RC4_128_SHA (0x5) cipher which is insecure.

            I would be mortified to get a B rating. I have always looked at the Twitter and Google reports to see what their cipher selections are like and configured my servers to a similar spec. There are a couple of "weak" ciphers to fall back on but this is still acceptable and they are at the bottom of the list.

            But HSBC using an Insecure Cipher - surely that is unforgivable?

            And why aren’t they using Perfect Forward Secrecy?

      3. Dan 55 Silver badge

        If you use the latest and greatest browser, then your connection will use the highest available encryption, so is not at risk.

        Unless someone MITMs it down to something weaker.

        Perhaps IE6 users on XP should have a server just for themselves which they have to specifically ask for access and agree to some scary clauses saying it's all their fault if there's fraud.

      4. nijam

        > If the bank / business also allows connections using weaker encryption for people with older browsers, that doesn't compromise your connection.

        Nothing to do with it. The problem is that banks force your connection to use weaker encryption than your device is capable of.

        1. Alister Silver badge

          The problem is that banks force your connection to use weaker encryption than your device is capable of.

          No, they don't.

    2. Anonymous Coward
      Anonymous Coward

      They are stealing the banks money, unless the bank can prove negligence on your part. The same as “ID theft”, it is the bank defrauded, not the person.

      1. Dan 55 Silver badge

        Banks may try to prove negligence by saying something like "the thief used your PIN therefore you told him or wrote it down in your wallet or it was obvious (your birthday)" and "you didn't use VbV or MSC when buying online". Why should using an ancient browser be any different?

        1. Anonymous Coward
          Anonymous Coward

          Because they allow that browser to work. They accept that browser is a reasonable method to access your account.

    3. Doctor Syntax Silver badge

      "you can always phone, visit a branch or use an ATM."

      That visiting thing - it seems to be getting trickier these days.

    4. Dr. Mouse Silver badge

      "Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken,"

      I also disagree with this.

      Some customers would refuse to set a secure password, if given the choice. Convenience trumps security in many cases for many people, no matter how often or vehemently you warn them.

      If people are using outdated browsers, redirect them to a page explaining why you must insist that they upgrade, and explain how. This probably doesn't apply to an e-commerce site, but banking is supposed to be secure. If they lead the way, modern standards will be adopted and we will all reap the benefits.

      1. Alister Silver badge

        If people are using outdated browsers, redirect them to a page explaining why you must insist that they upgrade, and explain how

        It's not technically possible to do that without providing ciphers that the out of date browsers support, unfortunately. The TLS session must be established before you can carry out any redirection.

        Yes you could do this for a while, before turning the ciphers off, and this is often what is done in practice.

        1. Dan 55 Silver badge

          The main website could use cyphers which cover everything and do any redirection with user agent detection but the online banking website could forego older cyphers.

          (I didn't downvote.)

          1. Alister Silver badge

            @Dan55

            Thank you for the non-downvote. :)

            As far as I know, what you propose would have to mean hosting the main site on one server, and the banking site on a different server, as you cannot assign different cipher suites on a per site basis, only at server level.

            Now this is not a bad idea at all, but it does mean that again, anyone connecting to the banking site would be required to have a browser and operating system that supported the latest ciphers, or the connection would fail. So really no different in outcome to what we have already.

  2. Alister Silver badge

    The TLS 1.1 requirement is currently June 2018, however that has been delayed many times.

    As it should be, because:

    "Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken," Grooten said. "And rightly so."

    I'm not involved with banking, but do manage various eticketing and retail solutions. If we were to turn off TLS1.1, we would lose up to 40% of our customer base.

    That's potentially 40% less revenue.

    No sensible business can afford to do that.

    1. Amos1

      "Up to 40%"? How much really? Please use real numbers not media corporate-speak nonsense. "We lost a limited number of customer records" which can translate to all but one.

      We've been monitoring TLS at the bank I work for since 2014. Non-TLS 1.2 (not TLS 1.1; nobody uses that) has been at 1.5% (notice the dot?) for over a year.

      TLS 1.1 has been below one percent since we started monitoring and is now below one one-hundredth of a percent.

      1. Alister Silver badge

        @Amos

        Possibly this is the difference between e-banking and e-commerce?

        A short summary breakdown of our connections shows:

        Windows 7 with IE 8, 9 or 10 requires TLS1.0 by default, the client can turn on TLS1.2 but rarely does

        Windows Vista with IE 7 or 8 requires TLS1.0

        Windows XP with IE7 or 8 requires TLS1.0 - IE6 protocol mismatch, can't connect.

        Windows Mobile 8.0 requires TLS1.0

        Android versions older than 4.4 require TLS1.0

        OSX 10.8 requires TLS1.0

        Safari 6 or older requires TLS1.0

        Anything using OPenSSL 0.9 or earlier require TLS1.0

        Anything written in Java 7u25 or earlier require TLS1.0

        In addition to direct browser connections, we also provide an API to various external web sites, and by far the majority of those sites use software written in older versions of Java which require TLS1.0 to access our services. (Including, I might add, ATOS Worldline, who have so far refused to update their stack).

        The running total as of today is 38.7% of all connections to us use TLS1.0

        1. Baldrickk Silver badge

          So things that are really out of date, or are old but the user can either turn on the support for later (better) protocols, or use alternative software (e.g. any browser other than IE)?

          OpenSSL 0.9.1 was released in '98, the latest version of OpenSSL 0.9.X was released in 2005, and anything older then 1.0.2 is explicitly EOL.

          The Java7 update you specify was June 18, 2013 Java7 itself (update 76) expired April 14, 2015.

          Android kitkat was also 2013, and while technically supported with security patches to the source, it's unlikely that users are actually getting them. but that's not the problem, you stated older versions which are unsupported.

          Not that you have control over what third parties use to connect to your systems of course, but there does come a time when it's probably not worth supporting outdated systems any more - or at least a point when you should be taking steps to discourage their use.

    2. phuzz Silver badge

      When one of our clients turned off TLS 1.1 last year it was because they had less than 1% of customers still using it (there was about 6 users, and they didn't buy much).

      Given that most of their customer base are, how shall I put this, less likely than most people to have upgraded beyond XP and IE6 (ie most of them are pensioners), I'm surprised that you're getting 40% of users still using it.

      Do you run a website specifically for fans of old browsers? ;)

  3. Ben Tasker Silver badge

    Security researcher Scott Helme and encryption expert Professor Alan Woodward were both adamant that this was a serious failing, not least because updating to support the technology would be straightforward,

    I've often found that you'll see people saying "it should be done, and is straightforward to do" only to later find they have no understanding of either the systems they're referring to, nor the operational requirements of the organisation operating those systems.

    It's straightforward to update a low-traffic VPS to do almost anything, it's almost never straightforward to "just" update anything at scale, particularly where there are strong security considerations to be made infra-structure wise.

    As others have noted, any plans to do so are probably stuck deep in beauracracy at the moment.

    Lack of HSTS isn't all that big a deal in the scheme of things. Especially when as late as last year, certain banks were still using plain old HTTP to load assets for their banking apps: https://www.bentasker.co.uk/blog/security/315-the-state-of-mobile-banking

    Funnily enough, that bank was the only I'd tested that had bothered to configure HSTS on their "main" domain, and then they went and did something like that. They're also the only one who scored an A in the Reg's tests... go figure

    I think calling the lack of HSTS a "serious" failing is one hell of a stretch. It's a failing, but there are far bigger issues than need to be addressed first. Just my 2 cents

    1. Adam 1 Silver badge

      I'm actually with Scott on this. I thought (and still do think) he is wrong on uBlock/reporturi but HSTS is amongst the simplest steps you could implement because legacy browsers will just ignore it. Imagine you're a technical news website with a cloudflare cache frontend; your "changes" are to tick the box on the cloudflare control panel.

      Banking websites are often necessary to check while travelling. If you connect to a free cafe/hotel WiFi and visit the http landing page they could easily deliver a fake version and use social engineering tricks to get you to submit over clear text. They might even be generous enough to include a padlock png with some fake browser chrome to make it look half legitimate. If the site used HSTS then they can't redirect it in the first place.

  4. Aladdin Sane Silver badge

    Hey banks, I'll do you a deal. I'll do what I can to prevent data leaking at my end and you do the same, m'kay?

    1. Amos1

      Sure, as long as you agree to not complain or demand your money back when it was caused by you using your debit card at a standalone kiosk in a mom-and-pop store. Or because you allowed Microsoft Tech Support to remote in to fix a virus. Or because you just KNOW you won that car in a lottery you did not enter and just need to pay the taxes. Or because your grandson was arrestedy and doesn't want his parents to know so he asks you for bail money.

      1. Aladdin Sane Silver badge

        Works for me.

    2. Anonymous Coward
      Anonymous Coward

      And incidentally, dear banks, 'doing what I can to prevent data leaking at my end' does not mean 'installing Rapport'.

      1. Aladdin Sane Silver badge

        Ah, Rapport. How to wreck system performance in 1 easy step.

  5. Flywheel Silver badge

    I found it disconcerting, and pleasing at the same time that my own website hosted on a Raspberry Pi gained a higher security rating than several of the banks. Maybe I need to think carefully where I should put my overdraft...

  6. Anonymous Coward
    Anonymous Coward

    IT security enforcement

    It's about time there was an IT security equivalent to environmental health that had the authority to shut down financial institutions external facing IT systems that were putting their customer's financial health at risk until the detected defects are properly rectified. For that matter they should also be able to apply the same logic to public sector organisations that store large quantities of citizen data. They'd take it seriously then!!!!

    1. Alister Silver badge

      Re: IT security enforcement

      It's about time there was an IT security equivalent to environmental health...

      There is, it's called PCI-DSS

      1. Dan 55 Silver badge

        Re: IT security enforcement

        Well Lloyds still seems to be going.

        What it comes down to is they're all too big to fail. They will get there in the end, but years late, by which time there'll be newer standards which they've not caught up with.

      2. Anonymous Coward
        Anonymous Coward

        Re: IT security enforcement

        Doesn't apply TO the banks, it's applied BY the banks onto merchants as a way to shift blame and costs away from them.

        But in fairness there is some good stuff in there it's just applied very badly.

  7. Gary Gapinski

    TLS compatibilities

    SSL Labs has a nice comparison of user agent (TLS client) capabilities at https://www.ssllabs.com/ssltest/clients.html.

    Note that all recently revised user agents can handle TLS 1.2 (obviating the need for older TLS protocols when observation of a web site's clientele demonstrates the UAs are indeed all compatible).

    If one looks at individual UAs in that same comparison, it shows that recent ones can negotiate the stronger (i.e., AEAD+EDH) cipher suites. Those which cannot are likely quite old and equally likely lack the ability to negotiate TLS 1.2, and can be accommodated (if actually present in the clientele) by a configuration that offers the older, weaker, TLS protocols and cipher suites. The newer UAs will negotiate the stronger combinations.¹

    As for HSTS, its use should be promoted, as it forces the web site operator to ensure that information is always delivered over TLS, and modern browser support is broad (https://caniuse.com/#search=hsts).

    ¹ See, e.g., https://www.ssllabs.com/ssltest/viewClient.html?name=Apple%20ATS&version=9&platform=iOS%209&key=112 for a particularly aggressive stance.

  8. Aodhhan Bronze badge

    The lesson here is...

    Don't just take every report, article or presentation as the 'end all be all' for security. There are a lot of INFOSEC professionals who forget the basics and develop bad habits and bad logic.

    INFOSEC isn't about stopping each hacker and closing down every vulnerability. THIS IS IMPOSSIBLE. Something taught in EVERY security certification.

    INFOSEC comes down to identifying and managing risk. Just because someone says you must shut down something doesn't necessarily mean you should or even can. One minor security change in an information system can affect a lot of people, not to mention a businesses bottom line.

    Kudos to Alister who has said all the right things for this article.

  9. patrickstar

    As far as I know, not a single cent has ever been stolen because of sub-optimal TLS settings...

    The real push should be to enable 2FA - I've actually seen claims that not all UK banks have it...? Totally absurd if that's actually the case.

    1. Baldrickk Silver badge

      I'd just prefer to have all my banks take reasonably long passwords, and to not require just a couple of characters in seperate input boxes, so that I can actually use my password manager properly.

      1. Anonymous Coward
        Anonymous Coward

        How do they store your password if they're able to verify single characters? Can't be a hash of the entire password.

    2. Brewster's Angle Grinder Silver badge

      My bank will let me log in and transfer money to an existing payee without 2FA. But I can't set up a new transfer without it.

    3. Anonymous Coward
      Anonymous Coward

      2 Factor Authentication

      A good point about 2 Factor Authentication (or lack thereof). There is surely sufficient ownership of mobile phones now that all banks should be able to require an additional one-time passcode sent by phone, in addition to a password, to let you login. Instead, still too many banks require you to define two different passwords/passcodes to use to login, and I'm sure many people have difficulty trying to remember too many different secure passwords for each of their banks!

      1. Anonymous Coward
        Anonymous Coward

        Re: 2 Factor Authentication

        Phones are better than nothing as a second factor but they're not considered to be properly secure now. It's become so easy to social engineer phone providers into swapping number to the crooks.

        So SMS is a dead end for 2FA now.

        Something like Google/MS authenticator would be better.

        1. patrickstar

          Re: 2 Factor Authentication

          In addition to the issues with the phone company, the networks themselves (SS7 and other vectors), there's also the fact that nowadays the phone might very well be the same device they are banking from. Or it might be hooked up to the computer used for banking regularly and thus be susceptible to being compromised that way. So even non-SMS based schemes are off. Plus you can't expect ALL your customers to have smart phones. No, really!

          It's better than nothing, but still... While I am not much into the whole 'false sense of security' thing in this case - it's clearly better than just a password - if you're gonna roll out 2FA you better do it properly from the start. Getting people tokens and instructing them in using them isn't THAT much more work than getting everyone's cellphone numbers and instructing them in how that works.

          You really want an actual separate hardware token. That also means there's a lot less opportunities for things like shoulder-surfing PIN codes, since you enter it a lot less often and probably not in a lot of public places.

        2. Wensleydale Cheese Silver badge

          Re: 2 Factor Authentication

          "Phones are better than nothing as a second factor but they're not considered to be properly secure now. It's become so easy to social engineer phone providers into swapping number to the crooks."

          A more important factor for many is crap telephone reception at home.

          There's nothing more infuriating than being sent an SMS that you cannot access without going outside, or even have to drive somewhere else to receive.

          By which time, of course, the authentication period might have expired.

          1. Ben Tasker Silver badge

            Re: 2 Factor Authentication

            There's nothing more infuriating than being sent an SMS that you cannot access without going outside, or even have to drive somewhere else to receive.

            Yes, ^ That.

            I'm looking in particular at HMRC - do you want me to do my Tax Return or not? If I need to go out just to receive the text, I'd much rather go out to the pub for a quiet afternoon than walk back in and fill out paperwork.

  10. Roger Greenwood

    Attitude of banks

    True story:-

    Lady asked to go into bank to draw out some money for her father.

    No problem says the cashier - let me update your passbook while you're here.

    Passbook updated. Hang on - unknown transaction - withdrawal from an ATM.

    Cue big argument - cashier insists the system cannot be wrong. Lady insists her father cannot have withdrawn the money as the ATM was 100 miles away and he is too ill to travel. Cashier insists the system cannot be wrong. Argument escalates to senior supervisor who insists system cannot be wrong, no one can keep track of another person 100%, ill or not.

    Lady says she can prove it was not withdrawn by her father - he hasn't got an ATM card.

    Money duly restored to account.

    Moral of the story - the system cannot be wrong. Except it can and you have to prove it.

    1. theOtherJT

      Re: Attitude of banks

      The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.

      -Douglas Adams

    2. SImon Hobson Silver badge

      Re: Attitude of banks

      Moral of the story - the system cannot be wrong. Except it can and you have to prove it.

      A good example is Chip and PIN which the banks will happily tell you is 100% secure, except that it's been proven to be "rather less than 100%" secure !

      https://www.lightbluetouchpaper.org/?s=chip%2Band%2Bpin

      NB - it's well worth subscribing to their RSS feed, They do some very interesting stuff !

  11. lifetime security

    The bank is looking at us as an aggregate and doesn't want to be bothered with problems I have. I am a security aware professional and I want MY connection safe. The bank is least bothered about me and will go on using the older system.

  12. Scott Broukell

    Shoulder surfing

    This is something that bothers me, more so since, for some time, my local branch sprouted loads of 'user' screens, where customers are encouraged to login so as to perform regular banking tasks. These screens are so positioned as to make the contents visible to all and sundry across the entire vestibule! I am seriously considering taking along my own pair of clip-on bicycle mirrors next time, in order to keep a wathcful eye on any nosey blighter showing too much of an interest in my on-screen activity.

  13. Doctor Syntax Silver badge

    "Lack of HSTS is laziness, but not really a threat today," he said.

    And he doesn't think such laziness is itself a threat?

  14. Anonymous Coward
    Anonymous Coward

    Understand the risks

    Wow, this gets muddy.

    HSTS ensures HTTPS is used and is a big deal. SSL vs TLS1.0/1.1 vs TLS1.2 is another matter.

    PCI DSS applies to organizations handling credit/debit card data (basically data belonging to others). That's why the focus is mostly on merchants and processing banks, the issuing banks which hold a lot more of the risk get less focus but don't get off the hook either.

    As to the POS machines being exempt fro TLS1.2, NOT TRUE. They can continue to be used but must be shown to be safe. In many cases they are because of the way the use the crypto. The attacks like POODLE that precipitated this requirement have very specific use cases and won't apply to most of these devices. The details of this are well documented.

    Similarly, 3DES is near the end of its useful life. It still has a role in POS and ATM devices, in part because those use cases are safer than a general purpose use case.

    And if a bank wants to let their customers use SSL3.0 to access their non-PCI accounts, that is their risk decision to make.,

  15. 0laf Silver badge
    Holmes

    Interception is exceptional

    There does appear to be a bit of an inappropriate focus on CSI style attacks which in reality would be pretty hard to carry off and you'd be unlucky to be hit.

    Crooks aren't totally daft they want nice easy returns intercepting and decrypting banking traffic is pretty hard in comparison to dropping a banking trojan or sending a phish. I really can't see too much threat to Joe Public from the interception of their data in transport. Basically there isn't enough money in it for the crooks to bother with, most people's bank accounts are pretty empty.

    If you're going to grab small amounts you want to do it easily and on a large scale.

    Now if you're a well known rich person with a few million quid in liquid assets in an account then you are maybe more likely to be someone that a crook will spend a bit more time and effort over. You Mr Rich person should really be looking for a band that will do 2FA for you.

    But even then you're more likely to be done over by a phish, a trojan or an old fashioned grifter.

  16. Alister Silver badge

    Get some perspective.

    A lot of the commentards here seem to be misunderstanding the issues raised in the article, abetted, it has to be said by some editorial misdirection.

    Firstly, to describe the HSTS header as "Cryptographic Technology" is a gross exaggeration.

    It is an HTTP Header, which when read by a client browser, ensures that the browser only uses HTTPS to connect to the domain it is served from. That's all it is, nothing else, and certainly not cryptographic technology.

    Secondly, the article is written in such a way as to suggest that banks have downgraded their cryptographic cyphers to the lowest common denominator, and therefore endanger everybody's security.

    I've just reviewed the SSL Labs results for each of the banks tested, and I can unequivocally state that this is not true.

    In all the tested cases, the banks offer the latest ECDHE_RSA_AES ciphers, and therefore modern browsers will connect using TLS1.2 using those ciphers.

    However, all of the banks tested, even Santander, the highest scoring, also offer, to a greater or lesser extent, older weaker ciphers to allow older browsers and operating systems to connect. Some of them, RBS and Natwest for example, offer really old, weak ciphers, and they should consider removing those.

    It is pointed out that none of the tested banks offer PFS (Forward Secrecy). This is probably something which should be done, but relies on the correct ordering of the cipher suites offered, amongst other things, and is easy to get wrong.

    So to sum up, none of the banks tested are endangering your security by only allowing weak cryptographic ciphers and HSTS is not some magic security feature.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019