
UK banks accused of weak login page security

07 January 2016  |  10731 views  |  3 comments

More than half of banks and building societies in the UK are leaving their online customer login pages vulnerable because of insecure SSL instances, according to security experts at Xiphos Research.

Xiphos examined the SSL certificate instances associated with the secure login function at a host of British retail banks and building societies, as well as foreign-owned outfits operating in the UK, by anonymously submitting URLs to the SSLLabs service from Qualys.

Of 22 UK-owned banks, half were found to have insecure SSL instances, while 51% of 37 building societies also had issues, and more than three quarters of foreign-owned outfits were found to have problems. Of the 84 SSL instances, 12 of them (or 14%) received the lowest SSLLabs grade, an F.

In a blog, Xiphos co-founder Mike Kemp says that the firm is not naming and shaming the offenders because since carrying out the research in November it has struggled to contact and warn them.

With security contact details difficult to procure, the firm approached the Financial Conduct Authority for help, only to be rebuffed because of “security reasons”. The UK National Crime Agency has also been informed.

Says Kemp: "As things stand, over 50% of banks and building societies in the UK have weak SSL implementations associated with their secure login functions. And the impacted parties don’t seem to care."

Comments: (3)

Hitesh Thakkar
Hitesh Thakkar - FIS Payments Software and Services India - India | 07 January, 2016, 11:13

This is no surprise, as most security analysts and researchers have been advocating end-to-end encryption implementation, which is more than depending on browser features.

A Finextra member
A Finextra member | 07 January, 2016, 13:28

This is peculiarly pointless "research" - grandstanding on a particular technical point, while ignoring (or perhaps being ignorant of) other technical controls deployed by the banks to prevent fraud and detect malware.

The author was roundly denounced on Twitter by people who actually know what they are doing. 

Joe Martens
Joe Martens - various - Texas | 08 January, 2016, 11:55

@"A Finextra member"... that's a ridiculous comment - it's like saying "let our army fight without armor, because we've got good medical facilities".

Xiphos did not go far enough... I ran my own survey recently and only 1% of banks in the world are using HSTS, which makes the remaining 99% vulnerable to MitM over Wi-Fi... and yes... there are 50-million+ public hotspots in the world... that's 50-million different places where anyone with a bank account can get scammed, because the banks don't enforce SSL... and that's not even starting on the fact that the SSL they *do* enforce is radically useless anyhow!

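Added example, not code from the article, Xiphos or any commenter: a defender-side audit of the HSTS point raised above. It parses a login page's Strict-Transport-Security header, flags the weak settings (missing header, short or zero max-age, no includeSubDomains) and checks that a plain-HTTP login URL redirects to HTTPS, running over constructed sample responses rather than live bank sites.

```python
from typing import Dict, List, Optional, Tuple
ONE_YEAR = 365 * 24 * 3600  # conventional minimum max-age for a strong policy

def parse_hsts(header: str) -> Dict[str, object]:
    """Parse an HSTS header value (RFC 6797: ';'-separated directives,
    case-insensitive names, max-age mandatory). Unknown directives are ignored."""
    policy: Dict[str, object] = {"max_age": None, "includesubdomains": False, "preload": False}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name in policy:  # includesubdomains / preload are boolean flags
            policy[name] = True
    return policy

def hsts_findings(header: Optional[str]) -> List[str]:
    """Defender-side checks on the HSTS value a login page sends."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    p = parse_hsts(header)
    findings: List[str] = []
    if p["max_age"] is None:
        findings.append("max-age missing or invalid; browsers ignore the header")
    elif p["max_age"] == 0:
        findings.append("max-age=0 clears any stored HSTS policy")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']}s is below one year")
    if not p["includesubdomains"]:
        findings.append("includeSubDomains absent; subdomains stay reachable over HTTP")
    return findings

def audit_login_page(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Findings for one login-page response. A plain-HTTP login URL must
    redirect to HTTPS, and HSTS only takes effect when received over HTTPS."""
    h = {k.lower(): v for k, v in headers.items()}
    if scheme != "http":
        return hsts_findings(h.get("strict-transport-security"))
    findings = [] if h.get("location", "").startswith("https://") else ["HTTP login URL does not redirect to HTTPS"]
    if "strict-transport-security" in h:
        findings.append("HSTS sent over HTTP is ignored by browsers")
    return findings

# Constructed sample responses (not data from the article or any real bank).
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "strong": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "weak": ("https", {"Strict-Transport-Security": "max-age=300"}),
    "missing": ("https", {"Content-Type": "text/html"}),
    "http": ("http", {"Location": "http://login.example.test/"}),
}
```

Feed the scheme and response headers of a real login URL into `audit_login_page` to get the same findings for a site you operate; an empty list means the HSTS policy meets the one-year, includeSubDomains baseline.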