Internet banking is quickly becoming commonplace. According to Statistic Brain, almost 70 million Americans now conduct banking transactions online. Ninety percent check account balances, and almost half transfer money between accounts. It stands to reason, then, that banks would make Web-based protection a top priority. But as research firm Xiphos recently discovered, some have shockingly poor SSL security and “don’t seem to care,” according to the organization.
Open Vaults Due to SSL Security
According to SC Magazine, when Xiphos took a hard look at some of the biggest U.K.-owned and foreign banks, it discovered widespread use of outdated SSL protocol versions and cipher suites, putting customer data at risk from even relatively unsophisticated cybercriminals familiar with any of the SSL attacks published over the past few years.
The security firm found that 50 percent of 22 U.K.-owned retail banks were still running vulnerable SSL configurations (weak certificates, obsolete protocol versions or weak ciphers), while 79 percent of the top 25 foreign-owned banks in the country were also at risk. Just over 10 percent of all banks tested earned an F grade for their SSL use; Xiphos co-founder Mike Kemp described this state of affairs as “shockingly bad.”
Just how bad is it? By leaving their SSL/TLS configurations unchanged, banks expose customers to attacks that need only a man-in-the-middle (MitM) position, such as 2014’s POODLE against SSLv3, and to even older problems such as CRIME, the 2012 attack on TLS compression. Many still serve certificates signed with SHA-1 and accept the RC4 stream cipher, even though practical weaknesses in SHA-1 emerged a decade ago and, as of this year, Microsoft will no longer accept SHA-1 certificates. Attacks on RC4 have also been public knowledge for several years.
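A practitioner reading the list above will want to check their own endpoints for the same four weaknesses. The following is an added example, not Xiphos’s assessment tooling or a description of its grading method: it pulls the signature algorithm out of a DER-encoded certificate with a minimal DER walker (the `cryptography` package would do the same), maps an observed server profile to the issues named above, and includes an optional live probe using only the Python standard library. The sample certificate bytes and the server profiles are constructed for illustration; the `LEGACY_PROFILE`, `assess` and `grade` names are this example’s own.

```python
import socket
import ssl

# Signature-algorithm OIDs as they appear in X.509 AlgorithmIdentifier fields.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def cert_signature_algorithm(der):
    """Name the algorithm the CA used to sign a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, cert, _ = der_tlv(der)              # outer SEQUENCE
    _, _, pos = der_tlv(cert)              # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg_id)          # first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, dotted)


def assess(profile):
    """Map an observed server profile to the weaknesses named in the article.
    Keys: protocols (set), ciphers (set of OpenSSL suite names),
    compression (str or None), cert_sig_alg (str)."""
    findings = []
    if "SSLv3" in profile["protocols"]:
        findings.append("SSLv3 offered: exposed to POODLE padding-oracle attack")
    if profile.get("compression"):
        findings.append("TLS compression enabled: exposed to CRIME")
    if any("RC4" in c for c in profile["ciphers"]):
        findings.append("RC4 suites accepted: keystream biases leak plaintext")
    if "SHA1" in profile["cert_sig_alg"].upper():
        findings.append("certificate signed with SHA-1: collision-weakened hash")
    return findings


def grade(findings):
    """Crude letter grade for illustration; not Xiphos's grading scheme."""
    return "A" if not findings else ("C" if len(findings) == 1 else "F")


def probe(host, port=443, ciphers=None):
    """Live check (needs network): handshake once and report what the server
    chose. Pass ciphers="RC4" to test whether a weak suite is still accepted
    (only works if the local OpenSSL still builds RC4). None on failure."""
    try:
        ctx = ssl.create_default_context()
        if ciphers:
            ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"protocols": {tls.version()},
                        "ciphers": {tls.cipher()[0]},
                        "compression": tls.compression(),
                        "cert_sig_alg": cert_signature_algorithm(
                            tls.getpeercert(binary_form=True))}
    except (OSError, ssl.SSLError):
        return None


# Constructed sample profile (not a real bank): a server still stuck in 2012.
LEGACY_PROFILE = {"protocols": {"SSLv3", "TLSv1"},
                  "ciphers": {"RC4-SHA", "AES128-SHA"},
                  "compression": "zlib compression",
                  "cert_sig_alg": "sha1WithRSAEncryption"}

# Constructed minimal DER with the Certificate layout and a sha1WithRSA OID:
# SEQUENCE { SEQUENCE {}, SEQUENCE { OID 1.2.840.113549.1.1.5, NULL }, BIT STRING }
SAMPLE_DER = bytes.fromhex("30153000300d06092a864886f70d0101050500030200aa")

if __name__ == "__main__":
    print(cert_signature_algorithm(SAMPLE_DER))
    for line in assess(LEGACY_PROFILE):
        print("-", line)
    print("grade:", grade(assess(LEGACY_PROFILE)))
```

Note that a single handshake only reveals the server’s preferred choice; to learn whether SSLv3 or RC4 is still accepted you must restrict what the client offers, which is exactly what the `ciphers` argument of `probe` does, and modern OpenSSL builds may refuse to offer them at all.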
While Xiphos has reached out to the affected banks, the company has only heard back from “first-line customer services staff.” As a result, it notified the National Crime Agency but declined to give specific bank names until there is some confirmation that these institutions are working toward a fix.
Kicking and Screaming?
While the lack of response from major banks seems strange at first glance, it’s not all that surprising. The typical financial industry response to tech changes and challenges has been to ignore these issues until there’s no other choice. In the U.S., at least, there’s a push for stronger security measures; as noted by American Banker, the state of New York is hoping to mandate two-factor authentication and the appointment of a Chief Information Security Officer (CISO) for all banks under its jurisdiction.
As the American Banker piece pointed out, however, this kind of lawmaking could force banks to fight the “last war” when there are other, more pressing cyberthreats to tackle. The same could be said of SSL security: While banks are certainly remiss in not staying up to date, Security News Desk noted that the protection offered by SSL may be vastly overstated, especially as criminals find new ways to break ciphers and use SSL encryption to hide their own activities from monitoring.
So where does this leave banks? They’re behind the SSL security curve, absolutely, but playing catch-up here may actually do more harm than good. Instead of tackling last year’s problems, financial institutions may be better served by adopting a new strategy, one that focuses on active detection and threat mitigation rather than a largely passive defense that relies on constant updates to ensure maximum protection.
It’s not an easy road or a quick trip, but it may be worthwhile since there’s only so long consumers are willing to contend with “shockingly bad” treatment of their personal and financial data.