Online banking log-in pages for the UK finance industry are deeply vulnerable to low-skilled attacks, research has revealed; including having lingering issues with old vulnerabilities, like POODLE.
Xiphos Research found that more than half of the high street banks and building societies that it tested within the United Kingdom were found to have insecure implementations of SSL certificates, which are key components to security authentication mechanisms. Of the 22 UK-owned retail banks examined, 50% were found to have insecure SSL instances. Of the 25 foreign-owned retail banks operating in the UK that were examined, 79% were insecure, and out of 37 UK building societies, 51% were.
“It was our expectation that the majority would be secure (after all finance is a risk averse sector from a security perspective),” said Mike Kemp, co-founder of Xiphos, in an analysis. “Sadly this was not the case.”
Xiphos examined the SSL certificate instances associated with the secure login functions for a variety of UK-based financial institutions, by anonymously submitting associated URLs to the SSLLabs service from Qualys. Of the 84 SSL instances included as part of the research, 12 of them (or 14%) were rated by SSLLabs as having the worst possible score they could have had.
The issues were myriad, and somewhat surprising. For instance, eight of the banking log-in pages were found to be impacted by the POODLE vulnerability found by the Google security team in October 2014. POODLE allows a man in the middle attack whereby the encryption of SSL is downgraded, allowing for potential manipulation and interception of secure encrypted data in transit.
As Kemp noted, given its age and the deep press coverage of the issue, POODLE is “one that in all likelihood would not be expected to be seen on sensitive client-facing systems in the wild.”
Further, a full nine SSL instances (10.7%) were operating using version 3 of the SSL protocol, which was officially deprecated as of December 2014 owing to the POODLE attack. It was recommended that when POODLE emerged that SSL version 3 be disabled on all public-facing sensitive hosts and replaced with the most recent iteration of the more secure TLS protocol. In more than 10% of the certificate instances assessed as part of this research, this has not been the case.
Xiphos also found that four (or 4.7%) log-in pages were vulnerable to the CRIME attack, which was first disclosed in 2012. The CRIME vulnerability allows attackers to recover secure session authentication cookies to hijack legitimate user sessions—thus allowing them to take full control of data sets that are transmitted and received.
There were also other crypto problems: A full 36% of all certificates were found to be using SHA1 hashing functions for cryptography—a notoriously insecure practice.
“The first cracks in SHA1 appeared over 10 years ago, and in 2013 Microsoft announced that it would not be accepting SHA1 certificates after 2016,” said Kemp. “Google stated as of September 2014 that it would be penalizing sites that utilized SHA1 certificates that expire during or after 2016. Because of these changes, it is thus necessary to ensure that certificates utilize SHA256 and thus avoid browser errors.”
In 30.9% of certificate instances, Xiphos found that older versions of TLS were being used. TLS 1.2, released in 2008, has been recommended as the only secure option, yet a third of the banks do not yet support it.
Also, 41.6% of the SSL certificate instances assessed were found to support the Rivest Cipher 4 (more commonly known as RC4). Attacks against the RC4 cipher have theoretically been possible for a number of years, and when combined with older protocols (such as TLS 1) it may be possible to degrade or negatively impact upon the security of data in transit. In fact, both the BEAST and Lucky 13 attacks can impact sites that operate using TLS 1 in combination with RC4.
Kemp said that he reached out to both the banks and the UK National Crime Agency about the issue. As for the former, “the impacted parties don’t seem to care,” he noted.
“We have attempted to reach out to the FCA and as of the date of this article have yet to be contacted by anyone other than first line customer services staff,” he said. “We have attempted to contact a number of the affected banks and building societies and not been able to surmount customer services.”
Photo © Bill Anastasiou