Bank Grade Security - South African bank edition
After reading an interesting post by Troy Hunt about so-called "bank grade" security on Aussie internet banking sites, I was curious to see what the results would be for South African banks, and more specifically how my bank stacks up against the competition. The results are similar, with some very surprising names scoring quite low on the Qualys SSL Server Test.
Bank | Grade | SSL3 | SHA1 | TLS 1.2 | RC4 | FS* | POODLE |
---|---|---|---|---|---|---|---|
African Bank | A- | PASS | FAIL | PASS | PASS | FAIL | PASS |
Sasfin | A- | PASS | FAIL | PASS | PASS | FAIL | PASS |
Bidvest | B | PASS | PASS | PASS | FAIL | FAIL | PASS |
First National Bank | B | PASS | PASS | PASS | FAIL | FAIL | PASS |
Nedbank | B | PASS | PASS | PASS | FAIL | FAIL | PASS |
Investec | B | FAIL | FAIL | PASS | FAIL | FAIL | PASS |
Grindrod | B | FAIL | PASS | FAIL | FAIL | FAIL | PASS |
Capitec | B | PASS | FAIL | FAIL | FAIL | PASS- | PASS |
Standard Bank | C | FAIL | FAIL | FAIL | FAIL | FAIL | FAIL |
ABSA | F | FAIL | FAIL | FAIL | FAIL | FAIL | FAIL |
Imperial Bank | F | FAIL | PASS- | PASS | FAIL | PASS- | FAIL |
* Forward Secrecy
The most surprising to me was that Standard Bank and ABSA, the two largest banks in the country, are failing dismally on their SSL implementation. Imperial Bank is frightening and vulnerable to both the POODLE and FREAK attacks. The smallest banks seem to score the highest, and a number of South African banks, such as uBank and Postbank, don't even have internet banking.
Although the grades look decent overall, the amount of red is quite concerning.