SSL implementation is poor across South African financial institutions
With the recent security issues across many South African mobile iOS applications, I thought it would be an important exercise to establish how well South African financial institutions have implemented transport layer security across their online financial services. Anyone can run the test via Qualys' free SSL Server Test:
While transport layer security and the SSL implementation are only a small part of the complete security ecosystem of an organisation, it is very concerning to see big financial institutions still open to the POODLE attack, a serious vulnerability that was published in October 2014:
Only African Bank and Sasfin did exceptionally well with an A- grade. None of the sites tested support Forward Secrecy, which is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations (several large internet companies such as Google, Twitter, Wikimedia and Facebook use PFS as a security feature).
| Financial institution | Grade | Still supports SSL 3 | Still supports SHA1 | No TLS 1.2 support | Still supports RC4 | Forward secrecy support | POODLE vulnerability |
|---|---|---|---|---|---|---|---|
| African Bank | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Sasfin | A- | Pass | Pass | Pass | Pass | Fail | Pass |
| Bankserv | B | Pass | Fail | Fail | Pass | Fail | Pass |
| Bidvest Internet Banking | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Capitec Internet Banking | B | Pass | Pass | Fail | Fail | Fail | Pass |
| FNB Internet Banking | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Grindrod Bank | B | Fail | Pass | Fail | Fail | Fail | Pass |
| Investec Internet Banking | B | Fail | Fail | Pass | Fail | Fail | Pass |
| Nedbank Internet Banking | B | Pass | Pass | Pass | Fail | Fail | Pass |
| Standard Bank Internet Banking | B | Pass | Fail | Fail | Fail | Fail | Pass |
| ABSA Internet Banking | F | Fail | Fail | Fail | Fail | Fail | Fail |
| ABSA Online Share Trading | F | Fail | Fail | Fail | Fail | Fail | Fail |
| Bidvest Business Internet Banking | F | Fail | Fail | Fail | Fail | Fail | Pass |
| Mercantile | F | Fail | Fail | Fail | Fail | Fail | Fail |
The eight B grades fail for various reasons – many still support RC4 or the weak and insecure SSL 3, and some lack support for TLS 1.2 (which has been supported by all current browsers since late 2013).
Both ABSA and Mercantile are exposed to the POODLE vulnerability and I did not expect to see this on many websites, especially the ones managing your finances.
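To make the six columns above reproducible on your own infrastructure, here is an added example (not part of the original post, and not Qualys' code) that maps a scan summary onto the same Pass/Fail criteria and includes a small standard-library probe for the TLS versions a host accepts. The scan summaries are constructed; the `probe` helper is an assumption about what you can learn without SSL Labs (Python's `ssl` module cannot speak SSL 3, so that column and the certificate signature algorithm still need an external scanner).

```python
import socket
import ssl
from typing import Dict

# Constructed scan summaries in the shape a scanner such as SSL Labs reports:
# protocols offered, cipher suite names (OpenSSL naming), certificate signature algorithm.
SCAN_NO_TLS12_SHA1 = {                      # constructed; resembles the Bankserv "B" row
    "protocols": ["TLSv1.0", "TLSv1.1"],
    "ciphers": ["AES128-SHA", "AES256-SHA"],
    "cert_signature": "sha1WithRSAEncryption",
}
SCAN_SSL3_RC4 = {                           # constructed; resembles the ABSA "F" rows
    "protocols": ["SSLv3", "TLSv1.0"],
    "ciphers": ["RC4-SHA", "DES-CBC3-SHA"],
    "cert_signature": "sha1WithRSAEncryption",
}

def assess(scan: Dict) -> Dict[str, str]:
    """Map a scan summary onto the six Pass/Fail columns of the table above."""
    protocols = set(scan["protocols"])
    ciphers = [c.upper() for c in scan["ciphers"]]
    ssl3 = "SSLv3" in protocols
    # POODLE needs SSL 3 *and* a CBC suite (the padding oracle lives in SSL 3's CBC padding).
    # OpenSSL names omit "CBC" for AES-CBC suites, so CBC = anything that is not a stream/AEAD suite.
    cbc = [c for c in ciphers if not any(t in c for t in ("RC4", "GCM", "CCM", "CHACHA"))]
    forward_secrecy = any(c.startswith(("ECDHE", "DHE")) for c in ciphers)  # ephemeral key exchange
    return {
        "Still supports SSL 3": "Fail" if ssl3 else "Pass",
        "Still supports SHA1": "Fail" if "sha1" in scan["cert_signature"].lower() else "Pass",
        "No TLS 1.2 support": "Pass" if "TLSv1.2" in protocols else "Fail",
        "Still supports RC4": "Fail" if any("RC4" in c for c in ciphers) else "Pass",
        "Forward secrecy support": "Pass" if forward_secrecy else "Fail",
        "POODLE vulnerability": "Fail" if ssl3 and cbc else "Pass",
    }

def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Hypothetical helper: build a partial scan summary for a host you operate, one handshake
    per TLS version (records only the suite negotiated at that version, not the full list)."""
    versions = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
    protocols, ciphers = [], []
    for name, ver in versions.items():
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probing, not trusting
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout) as sock, \
                 ctx.wrap_socket(sock, server_hostname=host) as tls:
                protocols.append(name)
                ciphers.append(tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError):
            pass  # version refused by the server or by the local OpenSSL build
    return {"protocols": protocols, "ciphers": ciphers, "cert_signature": "unknown"}
```

Run `assess(probe("your.host"))` against a host you own to get the first four protocol/cipher columns; the SSL 3 and SHA1 columns come from the scanner report.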
Although the above results are concerning, they are certainly not uncommon when looking at the latest SSL Pulse report:
Notes:
- I have used the SSL domain name of each financial institution's SSL login page and used Qualys to run a scan against the domain and SSL certificate – all information scanned is publicly available
- I have forwarded a link of the above results via the financial institution’s contact forms so that their IT teams can address the issues.
- In most cases RC4 and Perfect Forward Secrecy can only be resolved by upgrading server infrastructure (latest version of Linux and the HTTP server) and this is more involved than fixing a TLS, POODLE or BEAST vulnerability.
- Thanks to Troy Hunt for the HTML table and original idea