{"id":1734,"date":"2015-05-05T23:59:41","date_gmt":"2015-05-05T21:59:41","guid":{"rendered":"http:\/\/www.greenman.co.za\/blog\/?p=1734"},"modified":"2015-05-06T00:27:38","modified_gmt":"2015-05-05T22:27:38","slug":"south-african-banks-ssl-security","status":"publish","type":"post","link":"https:\/\/www.greenman.co.za\/blog\/?p=1734","title":{"rendered":"South African Banks SSL Security"},"content":{"rendered":"

After coming across an article testing the security of the SSL implementations of Australian banks<\/a>, I decided to run the same tests on the South African banks, using SSL Lab’s SSL Server Test<\/a>. I have a little bit of inside info into some of the banks systems, so was not too surprised how bad the results were.<\/p>\n\n\n\n\n\n\n\n
Bank<\/th>\nOverall Grade<\/th>\nProtocol Support<\/th>\nKey Exchange<\/th>\nCipher Strength<\/th>\n<\/tr>\n
Capitec<\/a><\/td>\nA-<\/td>\n95<\/td>\n80<\/td>\n90<\/td>\n
FNB<\/a><\/td>\nB<\/td>\n95<\/td>\n80<\/td>\n90<\/td>\n
Nedbank<\/a><\/td>\nB<\/td>\n70<\/td>\n90<\/td>\n80<\/td>\n
Absa<\/a><\/td>\nF<\/td>\n0<\/td>\n90<\/td>\n90<\/td>\n<\/tr>\n
Standard<\/a><\/td>\nF<\/td>\n0<\/td>\n0<\/td>\n60<\/td>\n<\/tr>\n<\/table>\n

None of the banks score an A (they all fail with Forward Secrecy), but pick of the bunch was Capitec, whose only only other failing was using a relatively weak signature.<\/p>\n

FNB is limited to a B by accepting the weak RC4 cipher, and Nedbank adds supporting only older protocols to the list of failings.<\/p>\n

You’d hope for better security from banks, but the failings of Capitec, FNB and Nedbank are not too serious. On to the others…<\/p>\n

Absa has all of the above failings, does not support secure renegotiation, uses the obsolete SSL3, and most dismally of all, is vulnerable to the POODLE attack against TLS servers<\/a>.<\/p>\n

Although Standard Bank also gets an F, it stands alone in the number of criteria it failed. It uses the even more old and insecure SSL 2, supports insecure Diffie-Hellman (DH) key exchange parameters, supports 512-bit export suites and might be vulnerable to the FREAK attack<\/a> as well as being vulnerable to POODLE.<\/p>\n

It’s quite astounding that Standard Bank may still be still vulnerable to the FREAK attack, which has been known about for over two months, and which is extremely serious.<\/p>\n

These results match the banks scores in other areas as well, such as bank fees<\/a> and customer satisfaction<\/a>. So Standard Bank clients will be happy to know they’re not only with the least secure bank, but also with the most expensive and the one with the worst customer service.<\/p>\n

Related Posts:<\/p>\n