Technology magazine Wired reported last week that many of the world's largest financial services companies still haven't brought their websites up to the encryption standards the banking industry itself requires.
Their report is based on new analysis by Swansea University computer science student Edward Wall, who evaluated 153 banks across North America, Europe and parts of Africa and Australasia, giving each a score out of 100 for the technical measures on its website. Those measures included how HTTPS was implemented, the configuration of security headers, the transport layer security (TLS) versions offered, security policies, DNS and cookie settings.
The scores themselves don't mean user data has been exposed, or that a site has or had software vulnerabilities; they show whether web security best practices are being followed. That said, weaknesses in HTTPS and TLS configuration are exactly what make man-in-the-middle (MitM) attacks possible, as the POODLE and BEAST attacks on SSL 3.0 and TLS 1.0 demonstrated, and the Heartbleed bug in OpenSSL showed how a single flaw in the TLS stack can leak private keys. With online and mobile banking growing, this is a real concern.
After all, according to the Morning Consult for the American Bankers Association, four in 10 Americans manage their bank accounts online, while 26 percent of consumers use their mobile devices most often for this. Separately, Juniper Research predicts that over 2 billion mobile users will have used their devices for banking purposes by the end of 2021.
How Do the US Banks Measure Up?
Dutch financial services firm ASN Bank topped the global list with a score of 64 out of 100, with Wells Fargo the highest ranked US bank at 61 (putting it in a tie for sixth overall). At the other end of the scale, Bank Massad in Israel was at the bottom with just 8 points, with Bank of America the poorest performing North American bank, collecting just 26 points. Some of the faults at BoA included still offering older, less-secure TLS versions, no HSTS preload, and no X-XSS-Protection header (which turns on the browser's built-in filter for reflected cross-site scripting and can tell it to block the page rather than render it).
Chase (58), Ally (50), American Express (50) and Washington Federal (44) rounded out the top five US banks. HSBC (32), US Bank (32) and Bank of America (26) were the bottom three.
TLS Issues Arise
In his analysis, Wall found myriad problems with bank web security, including a lack of proper redirection from HTTP to HTTPS and missing security headers that would limit the damage script injected into a page can do (code that intercepts banking details, for example).
The HTTP issue matters to any industry handling payments, because HTTP sends data between the browser and the server in plain text: anyone able to intercept the traffic reads it directly. HTTPS (HTTP Secure), by comparison, wraps the same traffic in TLS (or its deprecated predecessor, SSL), which encrypts the data and authenticates the server.
However, while all banks have used HTTPS for years, how they implement it varies. Some still negotiate older TLS versions rather than enforcing a modern minimum, while even those that have moved to TLS 1.2 have found that it can lock out users on older computers running browsers that don't support it.
The TLS version on which banks rely also matters because the standards are changing: the Payment Card Industry Data Security Standard (PCI DSS), issued and managed by the PCI Security Standards Council, has said that firms accepting card payments must have disabled SSL and "early TLS" (TLS 1.0) and be using TLS 1.1 or higher from June 30, 2018 onwards, with TLS 1.2 strongly encouraged.
If these issues weren't complex enough for banks, there is also the question of which certificate authority (CA) issued a site's TLS certificate. Google Chrome and Mozilla Firefox recently moved to distrust certificates issued by Symantec's CA business, after a series of failures in how those certificates were validated and issued. Following that, Etsy director of security Rich Smith tweeted last week that the HSBC US website was still serving a Symantec-issued certificate that browsers were in the process of distrusting.
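The faults described above (plain HTTP not redirecting, HSTS without preload, missing X-XSS-Protection, cookies without protective flags, and pre-PCI TLS versions still offered) are all checkable from a site's responses. The following audit script is an added example, not Wall's scoring tool or anything from the Wired report; the scoring thresholds, the two sample sites and the `bank.example` host are constructed for illustration, and the protocol-version input is assumed to come from a separate handshake probe rather than a live connection.

```python
"""Audit a bank site's HTTPS posture from captured responses (added example)."""
import ssl
from http.cookies import SimpleCookie

# Minimum max-age for HSTS preload-list eligibility (one year, in seconds).
HSTS_PRELOAD_MIN_AGE = 31_536_000

# PCI DSS: SSL and "early TLS" (TLS 1.0) are disallowed after 30 June 2018;
# TLS 1.1 is the floor and TLS 1.2 is the recommended version.
PCI_DISALLOWED = {"SSLv3", "TLSv1.0"}
RECOMMENDED = "TLSv1.2"


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_response(http_status, http_location, https_headers, offered_versions):
    """Return a list of findings for one site.

    http_status / http_location: what the plain http:// URL answered with.
    https_headers: response headers of the https:// URL (lower-case keys,
                   Set-Cookie as a list of raw header values).
    offered_versions: protocol versions the server was willing to negotiate
                      (assumed to come from a separate handshake probe).
    """
    findings = []

    # 1. Plain HTTP must redirect to HTTPS rather than serve the page itself.
    if http_status not in (301, 302, 307, 308) or not str(http_location).startswith("https://"):
        findings.append("http: no redirect to https")

    # 2. HSTS must be present, long-lived, cover subdomains and be preload-eligible.
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts: header missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d.get("max-age") or 0)
        if max_age < HSTS_PRELOAD_MIN_AGE:
            findings.append(f"hsts: max-age {max_age} below preload minimum")
        if "includesubdomains" not in d:
            findings.append("hsts: includeSubDomains missing")
        if "preload" not in d:
            findings.append("hsts: preload directive missing")

    # 3. Headers that limit what injected script can do.
    if "content-security-policy" not in https_headers:
        findings.append("csp: header missing")
    xss = https_headers.get("x-xss-protection", "")
    if xss.replace(" ", "").lower() != "1;mode=block":
        findings.append("x-xss-protection: not '1; mode=block'")

    # 4. Session cookies must not leak over HTTP or be readable by script.
    for raw in https_headers.get("set-cookie", []):
        cookie = SimpleCookie()
        cookie.load(raw)
        for name, morsel in cookie.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name}: Secure flag missing")
            if not morsel["httponly"]:
                findings.append(f"cookie {name}: HttpOnly flag missing")

    # 5. Protocol versions the server still offers.
    bad = sorted(PCI_DISALLOWED & set(offered_versions))
    if bad:
        findings.append(f"tls: still offers {', '.join(bad)} (disallowed by PCI DSS)")
    if RECOMMENDED not in offered_versions:
        findings.append("tls: TLS 1.2 not offered")

    return findings


def hardened_client_context():
    """Client-side counterpart: refuse to complete a handshake below TLS 1.2,
    regardless of what the OpenSSL build would otherwise accept."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample modelled on the faults listed in the article: plain HTTP
# served directly, short HSTS without preload, no CSP or X-XSS-Protection,
# an unprotected session cookie, and TLS 1.0 still offered.
WEAK_SITE = dict(
    http_status=200, http_location=None,
    https_headers={
        "strict-transport-security": "max-age=300",
        "set-cookie": ["sid=abc123; Path=/"],
    },
    offered_versions={"TLSv1.0", "TLSv1.1", "TLSv1.2"},
)

# Constructed sample: the same site after remediation.
HARDENED_SITE = dict(
    http_status=301, http_location="https://bank.example/",
    https_headers={
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
        "content-security-policy": "default-src 'self'",
        "x-xss-protection": "1; mode=block",
        "set-cookie": ["sid=abc123; Path=/; Secure; HttpOnly"],
    },
    offered_versions={"TLSv1.2", "TLSv1.3"},
)

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit_response(**site) or ["no findings"])
```

On the weak sample the audit returns nine findings, one per fault listed in its comment; the hardened sample returns none. Feeding it real sites means capturing the HTTP and HTTPS responses with any client, while the offered TLS versions come from a handshake probe (for example, a scanner that attempts each version in turn), which this example deliberately leaves out so that it runs offline.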
The worry here is three-fold: technical complexity, banks' slowness to evolve, and the fact that many online bankers still rely on older PCs and mobile devices that don't support newer TLS versions. This could be putting millions of people at risk, especially the less tech-savvy, such as the elderly.
What Should Banks Do?
Undoubtedly, the message here is that banks are falling short in adopting current encryption standards, and they need to catch up to fulfill their duty to protect their customers. There is an ironic catch, however: modernizing security will inevitably leave some customers on legacy systems behind.
Trusted Knight's Protector Air may provide the answer. Protector Air gives banks full transaction-stack protection that focuses on individual transactions, irrespective of the integrity of either the endpoint device or the end user. This means that even if a customer's device doesn't support TLS 1.1, their payment details will still be protected. As a cloud-based service, it protects against customer-side malware, prevents web application exploitation, blocks DDoS attacks and stops transactional fraud.