4 Comments

After reading an interesting post by Troy Hunt about so called "bank grade" security on Aussie internet banking sites I was curious to see what the results would be for South African banks and more specifically how my bank stacks up against the competition. The results are similar with some very surprising names scoring quite low using Qualys SSL Server Test.

BankGradeSSL3SHA1TLS 1.2RC4FS*POODLE
African BankA-PASSFAILPASSPASSFAILPASS
SasfinA-PASSFAILPASSPASSFAILPASS
BidvestBPASSPASSPASSFAILFAILPASS
First National BankBPASSPASSPASSFAILFAILPASS
NedbankBPASSPASSPASSFAILFAILPASS
InvestecBFAILFAILPASSFAILFAILPASS
GrindrodBFAILPASSFAILFAILFAILPASS
CapitecBPASSFAILFAILFAILPASS-PASS
Standard BankCFAILFAILFAILFAILFAILFAIL
ABSAFFAILFAILFAILFAILFAILFAIL
Imperial BankFFAILPASS-PASSFAILPASS-FAIL

* Forward Secrecy

The most surprising to me was Standard Bank and ABSA, the top two largest banks in the country, are failing dismally on their SSL implementation. Imperial Bank is frightening and vulnerable to both POODLE and FREAK attacks. The smallest banks seem to score the highest and a number of South African banks don't even have internet banking such as uBank and Postbank.

Although the grades look decent overall, the amount of red is quite concerning.

Comments

Comment by Werner

I did take a look at some alternate domains for those banks and the grades were not great. The URLs tested (the ones in the links on the table) are the domains that host the internet banking portion and not necessarily the bank's main portal/website.

To be fair, only the internet banking domains were tested which are generally more secure or at least supposed to be. I used the URLs of the pages that display the login request form to access internet banking, the same pages users would land on if they went through the bank's main website and the ones where SSL is most important.

For example, Bidvest scores a B on the bank's internet banking domain "secure.bidvestbank.com", but an F of the bank's main website "bidvestbank.co.za".

Comment by William

I suspect this has a lot to do with clients using older browsers that don't support the newer protocols. In a perfect world they would immediately discontinue anything that posed a security risk but I imagine they are prioritising customer access. Unfortunately the customers with the older browsers are also the most likely to end up complaining when their internet banking stops working.

The smaller banks have fewer customers so can afford to implement quick security upgrades with less of an impact.

Comment by Werner

I agree that the banks reduce their security requirements in favour of users with older browsers, but that is no excuse to compromise everybody's security for the sake of making it easier for those users. Banks should be forcing users to be more secure, they would be worse off becoming the victim of an exploit than a few users complaining that they cannot use internet banking because they are using outdated, insecure software. You have no idea how often I see people on their laptops in public places (public WiFi) doing banking, the vast majority of the time the bank can be faulted if those ignorant users are compromised with simple SSL based exploits because those users expect the banking sites to be more secure than they actually are.

Werner
Post comment