I was listening to last week’s Security Now podcast and they happened to check the SSL/TLS security of Bank of America (BoA) on the SSL Labs website. They made a quite shocking discovery: the BoA website was preferring the old RC4 cipher suite to encrypt traffic over HTTPS. RC4 is now considered weak and breakable (further details here), given enough computing power.

Now it can be argued that RC4 should be kept around so that older clients can still connect to a secure website, but that is not what BoA was doing. It had other, much more secure cipher suites in its arsenal, but if the client supported RC4, the server would choose RC4 above all the others. A dumb mistake, and an easy one to fix: just put the cipher suites in the correct order, most secure first, with the likes of RC4 at the end to be used only as a last resort.

This got me wondering about the state of online security of UK banks. Are they as bad as BoA? After all, online banking is perhaps the most sensitive activity you can perform on the web, so the security of banks online should be top notch and their servers configured properly.

So I decided to find out.

Methodology

My method was basically to do what Steve and Leo did on Security Now, namely run SSL/TLS checks using the SSL Labs SSL Server Test, but on the major UK banks. For each bank I navigated to its personal banking login page and made a note of the subdomain name, because the majority of people do personal banking on the web, not business banking. I then fed that domain name into the SSL Server Test engine.

SSL Labs gives an overall grade from A to F, along with highlighting particular issues and detailed results. Their methodology is given in their SSL Server Rating Guide. I present the overall grade, the most significant security issues and a link to a PDF of the full results. The PDF preserves the results as they were at the time of testing; a link to the live test would change over time.

Results

So, without further ado, here is a table of results for the current state of web security with UK banks.

Bank | Grade | Significant Issues | Full Results
Virgin Money | A | None | PDF
Co-Operative Bank | B | Accepts RC4 cipher, but not preferentially. | PDF
RBS | B | Does not support the current best TLS 1.2 protocol. | PDF
HSBC | B | Still supports SSL 3 (obsolete and insecure). Only supports TLS 1.0 rather than TLS 1.2. Prefers RC4 cipher ahead of more secure options. | PDF
TSB | B | Still supports SSL 3 (obsolete and insecure). Only supports TLS 1.0 rather than TLS 1.2. Prefers RC4 cipher ahead of more secure options. | PDF
Santander | B | Accepts RC4 cipher, but not preferentially. | PDF
Lloyds | C | Still vulnerable to the POODLE attack. Accepts RC4 cipher, but not preferentially. Still supports SSL 3 (obsolete and insecure). Only supports TLS 1.0 rather than TLS 1.2. | PDF
Barclays | C | Still vulnerable to the POODLE attack. Accepts RC4 cipher, but not preferentially. Still supports SSL 3 (obsolete and insecure). Only supports TLS 1.0 rather than TLS 1.2. | PDF
Halifax | C | Still vulnerable to the POODLE attack. Accepts RC4 cipher, but not preferentially. Still supports SSL 3 (obsolete and insecure). Only supports TLS 1.0 rather than TLS 1.2. | PDF
Cahoot | F | Vulnerable to Man in the Middle attacks due to insecure renegotiation. Prefers RC4 cipher ahead of more secure options. Still supports SSL 3 (obsolete and insecure). Only supports TLS 1.0 rather than TLS 1.2. | PDF
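To show how the "Significant Issues" column is derived from a raw scan, here is an added example (my own code, not SSL Labs' and not from the original post) that maps an SSL Labs style endpoint assessment onto the wording used in the table. The JSON field names (protocols, suites.preference, poodle, renegSupport) are my assumption about the SSL Labs API v2 format, and the sample assessment is constructed rather than a real bank's result.

```python
import json

# Constructed sample in the shape of an SSL Labs API v2 endpoint assessment.
# Field names are an assumption about that API; the values are invented and
# describe no real bank.
SAMPLE_ASSESSMENT = json.loads("""{
  "host": "onlinebanking.example-bank.invalid",
  "endpoints": [{"grade": "B", "details": {
    "protocols": [{"name": "SSL", "version": "3.0"},
                  {"name": "TLS", "version": "1.0"}],
    "suites": {"preference": true,
               "list": [{"name": "TLS_RSA_WITH_RC4_128_SHA"},
                        {"name": "TLS_RSA_WITH_AES_128_CBC_SHA"},
                        {"name": "TLS_RSA_WITH_AES_256_CBC_SHA"}]},
    "poodle": false,
    "renegSupport": 2}}]}""")


def significant_issues(details):
    """Map one endpoint's details onto the issue wording used in the table."""
    issues = []
    versions = {(p["name"], p["version"]) for p in details["protocols"]}
    suites = [s["name"] for s in details["suites"]["list"]]
    rc4_index = next((i for i, s in enumerate(suites) if "RC4" in s), None)

    # renegSupport bit 0: server accepts insecure client-initiated renegotiation
    if details.get("renegSupport", 0) & 1:
        issues.append("Vulnerable to Man in the Middle attacks due to insecure renegotiation.")
    if details.get("poodle"):
        issues.append("Still vulnerable to the POODLE attack.")
    if rc4_index is not None:
        # "Prefers" only when the server enforces its own order AND RC4 heads it;
        # otherwise the client decides and RC4 is merely accepted.
        if details["suites"]["preference"] and rc4_index == 0:
            issues.append("Prefers RC4 cipher ahead of more secure options.")
        else:
            issues.append("Accepts RC4 cipher, but not preferentially.")
    if ("SSL", "3.0") in versions:
        issues.append("Still supports SSL 3 (obsolete and insecure).")
    if ("TLS", "1.2") not in versions:
        issues.append("Does not support the current best TLS 1.2 protocol.")
    return issues


def table_row(assessment):
    """One row of the results table (first endpoint only): host, grade, issues."""
    endpoint = assessment["endpoints"][0]
    issues = significant_issues(endpoint["details"])
    return (assessment["host"], endpoint["grade"], " ".join(issues) or "None")


if __name__ == "__main__":
    print(table_row(SAMPLE_ASSESSMENT))
```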

Discussion

So we have a clear winner. Well done Virgin Money, the only bank here that achieved an A grade. It’s probably not surprising they have done so well, as they are a relatively new entrant into banking and have no old, legacy systems hanging around.

The clear loser is Cahoot, which is really quite worrying. It is now an abandoned brand since Santander bought Abbey National, and it is no longer accepting new customers. What's the betting they never update and fix the security issues highlighted here?

The rest are all in the middle, with various issues. Lloyds, Barclays and Halifax are still vulnerable to the POODLE attack, which is very worrying: the bug was originally announced in October 2014, so they should have upgraded their servers or disabled SSL 3 by now.

Ironically, I spotted that Barclays make some proud boasts about their security...

Setting the standard for online and mobile banking security (Barclays Security Page)

Err, no you’re not. Virgin Money is doing a better job, actually. So much for the ISO 27001 certification Barclays claim to hold, is all I can say.

I’m not sure how you would go about explaining these security concerns to a bank. It’s not something the average customer support representative is trained to respond to. We can only hope that as they update their systems, these holes get fixed. In the meantime, there is something you can do.

Choose your browser carefully

The most shocking thing to see again is the misconfiguration of putting the RC4 cipher at the very top of the server’s cipher suite list. It really is unforgivable and there is no reason to do it, yet HSBC, TSB and Cahoot think it’s the way to set up a secure server.

However, if you bank with one of these three, there is something you can do: use a browser/OS combination that doesn’t even offer to make a connection using RC4. Both Internet Explorer 11 and Firefox 37 (running on Windows 8.1) don’t offer RC4, so you’ll be safer with these browser/OS configurations.

The current stable version of Google Chrome (version 42) still supports RC4, but the good news is that version 44 (Canary) does not. Phew! So it should be coming to the stable channel soon.

You can check the security of your browser using the SSL Labs Client Test webpage. Using an up-to-date, modern browser is a great defence against most of the security issues discussed here. However, older phones and tablets sometimes don’t get updated and can be less secure. Just be mindful of which browser and OS you use to log into your bank next time.

If, when you test your browser, you find it supports SSL 3 or SSL 2, check for any pending browser updates. If you’re already up to date, dig into the settings to see whether SSL 3 is turned on. You should only have TLS 1.0 and higher enabled.

Conclusions

The state of online UK banking security is worse than you might think. When you think of a bank, you expect it to use the latest and greatest technology and to have the expertise to configure its systems to the highest standards. Yet most do not. Except for one, that is.

Well done Virgin Money.

Stock media provided by michaklootwijk / Pond5.com.