
After reading an interesting post by Troy Hunt about so-called "bank grade" security on Aussie internet banking sites, I was curious to see what the results would be for South African banks and, more specifically, how my bank stacks up against the competition. The results are similar, with some very surprising names scoring quite low using the Qualys SSL Server Test.

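| Bank | Grade | SSL3 | SHA1 | TLS 1.2 | RC4 | FS* | POODLE |
|---|---|---|---|---|---|---|---|
| African Bank | A- | PASS | FAIL | PASS | PASS | FAIL | PASS |
| Sasfin | A- | PASS | FAIL | PASS | PASS | FAIL | PASS |
| Bidvest | B | PASS | PASS | PASS | FAIL | FAIL | PASS |
| First National Bank | B | PASS | PASS | PASS | FAIL | FAIL | PASS |
| Nedbank | B | PASS | PASS | PASS | FAIL | FAIL | PASS |
| Investec | B | FAIL | FAIL | PASS | FAIL | FAIL | PASS |
| Grindrod | B | FAIL | PASS | FAIL | FAIL | FAIL | PASS |
| Capitec | B | PASS | FAIL | FAIL | FAIL | PASS- | PASS |
| Standard Bank | C | FAIL | FAIL | FAIL | FAIL | FAIL | FAIL |
| ABSA | F | FAIL | FAIL | FAIL | FAIL | FAIL | FAIL |
| Imperial Bank | F | FAIL | PASS- | PASS | FAIL | PASS- | FAIL |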

* Forward Secrecy

Most surprising to me was that Standard Bank and ABSA, the two largest banks in the country, are failing dismally on their SSL implementation. Imperial Bank is frightening and vulnerable to both POODLE and FREAK attacks. The smallest banks seem to score the highest, and a number of South African banks, such as uBank and Postbank, don't even have internet banking.

Although the grades look decent overall, the amount of red is quite concerning.