After seeing someone’s Facebook security horror story about a local credit card (not one of the banks listed below), I was inspired to re-run the tests I previously ran on the South African banks, using Qualys SSL Labs’ SSL Server Test.
The results last time were awful, with Standard Bank and Absa falling way below the acceptable standard. This time, I was pleasantly surprised (previous results in brackets).
| Ranking | Bank | Overall Grade | Protocol Support | Key Exchange | Cipher Strength |
|---|---|---|---|---|---|
| 1 | FNB | A+ (B) | 95 (95) | 90 (80) | 90 (90) |
| 2 | Nedbank | A (B) | 95 (70) | 90 (90) | 90 (80) |
| 3 | Capitec | A- (A-) | 95 (95) | 90 (80) | 90 (90) |
| 3 | Absa | A- (F) | 95 (0) | 90 (90) | 90 (90) |
| 3 | Standard | A- (F) | 95 (0) | 90 (0) | 90 (60) |
All of the banks have improved their scores. Capitec, which has dropped from first to third, still does not support Forward Secrecy, but has improved its key exchange ranking from 80% to 90%.
FNB, which jumped from second to first, has deployed HTTP Strict Transport Security (HSTS) with long duration. FNB gets the only A+ ranking.
Nedbank, which jumped from third to second, has improved from a B to an A, improving its protocol support and cipher strength rankings.
Absa and Standard Bank have both improved from F’s to A-’s, and are joint third with Capitec. To put things in perspective, their rankings would have put them top during the previous test, so every bank is now doing better than the best bank did in May 2016. With no one talking of a big four anymore (Capitec now outranks Nedbank in some metrics), perhaps a little bit of competition is helping after all.
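The two findings that separate the grades above are an HSTS header with a long max-age (what earned FNB its A+) and forward-secrecy key exchange (what Capitec still lacks). The script below is an added example, not part of the original post and not SSL Labs’ own code: it parses a Strict-Transport-Security header, classifies a negotiated cipher suite by whether its key exchange is ephemeral, and reports both for a couple of constructed sample servers. The 180-day threshold for “long duration” and the hostnames are assumptions; `probe()` does a live check against a real host and is only there for running against your own server.

```python
"""Offline checks for the two SSL Labs findings discussed in the post:
a long-lived HSTS policy and forward-secrecy cipher suites.
Added example; not the post's or SSL Labs' code."""
import http.client
import socket
import ssl
from dataclasses import dataclass

# Assumption: SSL Labs' grading guide has treated about six months (180 days)
# as "long duration" for HSTS; adjust if the current guide differs.
LONG_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).
    Returns None when the header is absent or malformed, which is how a
    browser treats it too (no policy is recorded)."""
    if header_value is None:
        return None
    max_age, include_subdomains, preload = None, False, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:          # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_is_long(header_value, threshold=LONG_HSTS_MAX_AGE):
    policy = parse_hsts(header_value)
    return policy is not None and policy.max_age >= threshold


def has_forward_secrecy(cipher_name, tls_version):
    """Forward secrecy means an ephemeral (EC)DH key exchange. In OpenSSL
    suite names that is the ECDHE-/DHE- prefix; every TLS 1.3 suite uses it."""
    if tls_version == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def assess(headers, cipher_name, tls_version):
    """Combine both checks into a list of issues a defender would act on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    issues = []
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        issues.append("no HSTS header")
    elif not hsts_is_long(hsts):
        issues.append("HSTS max-age too short")
    fs = has_forward_secrecy(cipher_name, tls_version)
    if not fs:
        issues.append("no forward secrecy")
    return {"hsts_long": hsts_is_long(hsts), "forward_secrecy": fs, "issues": issues}


# Constructed sample data: (response headers, negotiated cipher, TLS version).
SAMPLE_SERVERS = {
    "hardened.example": ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                         "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    "legacy.example": ({}, "AES256-SHA", "TLSv1.2"),   # RSA key exchange, no HSTS
}


def report(servers=SAMPLE_SERVERS):
    return {host: assess(*data) for host, data in servers.items()}


def probe(hostname, port=443, timeout=5):
    """Live check of a real host (network); not used by the offline report."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            name, version, _bits = tls.cipher()
    conn = http.client.HTTPSConnection(hostname, port, timeout=timeout, context=ctx)
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return assess({"Strict-Transport-Security": hsts}, name, version)


if __name__ == "__main__":
    for host, result in report().items():
        print(host, result["issues"] or "OK")
```

Note that `probe()` only inspects the first response for `/`; a site that redirects before sending its HSTS header (or whose key exchange differs per virtual host) needs the final URL checked, which is the kind of detail the full SSL Labs scan covers.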