Banks vulnerable to 'low-skilled' attack but don't seem to care
More than 50 per cent of the online portals belonging to UK banks are vulnerable to low-skilled attacks, with researchers saying that the banks ‘don’t seem to care’.
A new study has revealed that just over half of the UK’s online banking websites use insecure SSL certificates, leaving customers exposed to low-skilled attacks.
Following its examination of cross-domain flaws in the UK’s 500 most popular websites last November, security firm Xiphos Research focused on specific sectors believed to be more at risk.
“The UK finance industry is one of the largest in the world, and so the logic follows should be one of the most robust from a security perspective,” said Xiphos Research co-founder Mike Kemp in a blog post.
“It was our expectation that the majority would be secure. After all, finance is a risk-averse sector. Sadly, our findings seem to contradict this.”
The firm’s examination of the UK banking sector’s online portals revealed that many sites used weak SSL implementations associated with their secure login functions.
Xiphos found that of 22 UK-owned retail banks and 37 UK building societies, half had insecure SSL instances.
This was even higher for the 25 foreign-owned retail banks operating in the UK, of which 79 per cent were found to have insecure SSL instances.
14 per cent of all the banks examined by the firm were given the lowest possible rating by Xiphos, obtaining an ‘F’ on the basis of their online security logins.
In addition to weak SSL implementations, Xiphos found that a number of authentication URLs used by the banks were vulnerable to well-known crypto-flaws, including the POODLE vulnerability uncovered by Google’s security team in October 2014.
Kemp said both the FCA and the affected banks had been unresponsive to Xiphos’ attempts to notify them, resulting in the firm’s findings eventually being presented to the National Crime Agency on 18 December.
“This research was conducted in November 2015, and it is now January 2016 and we have attempted to reach out numerous times to numerous organisations,” he said. “The impacted parties don’t seem to care.”
The firm has declined to name the banks until researchers receive confirmation that affected parties are actively mitigating the risks currently posed.