The more traditional banks, do all offer internet banking (when they can keep their IT working - Yes I’m looking at you RBS Group) and all offer “helpful” tips about how you can be secure online… from installing software like Trusteer Rapport or Trust Defender, to keeping your system and security software up-to-date.
However, your connection with your banks online banking service, can only be as secure as they make it. The question is… with more and more of us using online banking, is your bank doing everything it can to make those transactions secure?
To test this, I have been using a tool provided by SSL Labs, called the SSL Server Test. It inspects the configuration of any public SSL web server (such as those used by banks for their online banking services) and grades them from A+ - F.
From the results below you will see that security implementation is hit and miss with only one bank scoring higher than B (mainly because they maintain backward compatibility).
Most UK banks do not seem to support TLS 1.1 or 1.2 despite those standards being ratified in 2006 and 2008 respectively and being supported in all modern browsers. Some banks still support the very antiquated and insecure SSL3.0 protocol.
The problem is that everyone stuck on Windows XP and still using IE6 (IE: Mum & Dad) do not have support for TLS1.0+. It is the desire to support of these antiquated OS’s and browsers which has resulted in most banks also supporting RC4 which SSL Labs have described as a “lesser evil” for those antiquated browsers which only support SSL3.0 or TLS1.0.
My view is that they should just be left without support… after all, they could install firefox… Or upgrade their machine… But as there are no publicly-known feasible attacks against RC4 I suppose it is not unreasonable to keep that cipher alive for a little longer, although Mozilla and Microsoft recommend disabling it and TLS1.3 will ban it from use in the standard.
There will shortly be a new “challenger” bank called Atom which, will not have any physical branches or ATM’s, customers interaction with their bank will be entirely through a mobile phone app.
If there are any banks which I have missed, let me know and I’ll add them in (All scores correct as of 26 June)
The Winner!
Virgin Money - A
https://www.ssllabs.com/ssltest/analyze.html?d=uk.virginmoney.com
Everyone else seemly need to copy what Virgin Money have done here and the world of internet banking would be a much better and safer place. The only bank to Score an A rating.
The Rest
Barclays - B
https://www.ssllabs.com/ssltest/analyze.html?d=bank.barclays.co.uk&s=157.83.96.200
This is going to be a common theme… Barclays use the RC4 protocol, which SSL Labs do not like one bit and are advising that sites drop RC4 or see their score capped at B.
https://community.qualys.com/blogs/securitylabs/2015/04/23/ssl-labs-rc4-deprecation-plan
Barclays have dropped support for the insecure SSL3 protocol and support both TLS 1.2 & 1.0. They don’t currently support forward secrecy (more about that is available here: https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy) simply dropping RC4 would see them achieve an A-.
Nationwide - B
https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk
Again, the grade is capped to a B for RC4 support.
Smile - B
https://www.ssllabs.com/ssltest/analyze.html?d=banking.smile.co.uk
A current internet only bank (although part of the Co-op). It has the same RC4 support as Barclays & Nationwide though and for the same reasons is only a B.
Co-operative Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.co-operativebank.co.uk
Much the same as smile - not surprising as they are part of the same organisation.
Metro Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.metrobankonline.co.uk
Metro bank also supports RC4 but only at the bottom of a long list of other Cipher Suites.
Natwest - C
https://www.ssllabs.com/ssltest/analyze.html?d=nwolb.com
Lacking support for TLS1.1 & 1.2 and but does not support RC4!! Proof that you can drop RC4 support and your customers can still access your service.
HSBC - C
https://www.ssllabs.com/ssltest/analyze.html?d=hsbc.co.uk&s=193.108.75.106&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.
Royal Bank of Scotland - C
https://www.ssllabs.com/ssltest/analyze.html?d=rbsdigital.com
Lacking support for TLS1.1 & 1.2 and but does not support RC4.
Halifax - C (I personally think that Halifax should have been rated lower that C.)
https://www.ssllabs.com/ssltest/analyze.html?d=halifax-online.co.uk
Vulnerable to the SSL3 POOLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.
Lloyds Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk
Another which is vulnerable to the SSL3 POOLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.
First Direct - C
https://www.ssllabs....firstdirect.com
Lacking support for TLS1.1 & 1.2 and supporting RC4
Clydesdale Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=home2.cbonline.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.
Marks & Spencer Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=www7.marksandspencer.com
Lacking support for TLS1.1 & 1.2 and supporting RC4
TSB - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.
Handlesbanken - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting RC4
Santander - C
https://www.ssllabs.com/ssltest/analyze.html?d=retail.santander.co.uk
Supports RC4 but also orders the Cipher suites badly, resulting in RC4 being used in modern browsers instead of a more secure alternative, this downgrades Santander from B to C (NOTE: From September onwards this may result in a downgrade to an F).
Sainsburys Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.sainsburysbank.co.uk&s=195.171.195.119&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.
Failures
Tesco Bank - F
https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com
Oh dear, oh dear that pesky POODLE. This is an SSL/TLS problem which came to light in October 2014 (and December 2014 for TLS) and had all decent sysadmins patching their servers as soon as humanly possible. The patching is simple and doesn’t require protracted down time… there is no excuse not to apply it and because of the severity of the consequences (particularly the TLS version), SSL Labs cap any site with this problem to a FAIL.
If Tesco Bank fixed that, they would still be capped at C as for reasons only known to them, they only support TLS 1.0.
John Lewis: Partnership Card - F
https://www.ssllabs.com/ssltest/analyze.html?d=secure.partnershipcard.co.uk
Another big red F - This time for insecure client side renegotiation, but again there is only support for TLS1.0 and SSL3.
The Post Office - F
https://www.ssllabs.com/ssltest/analyze.html?d=pofssavecredit.co.uk
Vulnerable to both POODLE attacks, this site also only supports SSL3 and TLS1.0, it also supports RC4, abjectly bad implementation.