SSL implementation is poor across South African financial institutions

With the recent security issues across many South African mobile iOS applications, I thought it would be an important exercise to establish how well South African financial institutions have implemented transport layer security across their online financial services. Anyone can run the test via Qualys free SSL Server Test:

While transport layer security and the SSL implementation is only a small part of the complete security eco-system of an organisation, it is very concerning to see big financial institutions still be open to the POODLE attack, which is a serious vulnerability and was published in October 2014:

Only African Bank and Sasfin did exceptionally well with an A- grade. None of the sites tested support Forward Secrecy, which is designed to prevent the compromise of a long-term secret key from affecting the confidentiality of past conversations (several large internet companies such as Google, Twitter, Wikimedia and Facebook use PFS as a security feature).

Financial institution Grade

 

Still supports SSL 3

 

 

Still supports SHA1

 

 

No TLS 1.2 support

 

 

Still supports RC4

 

 

Forward secrecy support

 

 

POODLE vulnerability

 

African Bank A- Pass Pass Pass Pass Fail Pass
Sasfin A- Pass Pass Pass Pass Fail Pass
Bankserv B Pass Fail Fail Pass Fail Pass
Bidvest Internet Banking B Pass Pass Pass Fail Fail Pass
Capitec Internet Banking B Pass Pass Fail Fail Fail Pass
FNB Internet Banking B Pass Pass Pass Fail Fail Pass
Grindrod Bank B Fail Pass Fail Fail Fail Pass
Investec Internet Banking B Fail Fail Pass Fail Fail Pass
Nedbank Internet Banking B Pass Pass Pass Fail Fail Pass
Standard Bank Internet Banking B Pass Fail Fail Fail Fail Pass
ABSA Internet Banking F Fail Fail Fail Fail Fail Fail
ABSA Online Share Trading F Fail Fail Fail Fail Fail Fail
Bidvest Business Internet Banking F Fail Fail Fail Fail Fail Pass
Mercantile F Fail Fail Fail Fail Fail Fail

The eight B grades fail for various reasons – many still support RC4, the weak and insecure SSL 3 and lack support for TLS 1.2 (which has been supported by all current browsers since late 2013).

Both ABSA and Mercantile are exposed to the POODLE vulnerability and I did not expect to see this on many websites, especially the ones managing your finances.

Although the above results are concerning, they are certainly not uncommon when looking at the latest SSL Pulse report:

Notes:

  • I have used the SSL domain name of the financial institutions SSL login page and used Qualys to run a scan against the domain and SSL certificate – all information scanned is publicly available
  • I have forwarded a link of the above results via the financial institution’s contact forms so that their IT teams can address the issues.
  • In most cases RC4 and Perfect Forward Secrecy can only be resolved by upgrading server infrastructure (latest version of Linux and HTTP) and this is more involved then fixing a TLS, POODLE or BEAST vulnerability.
  • Thanks to Troy Hunt for the HTML table and original idea
Print Friendly, PDF & Email