Today we’ll be looking at HTTPS vulnerabilities and we analyze Malaysia’s top banks

Today we’ll be looking at HTTPS vulnerabilities, analyzing Malaysia’s top banks, and we find some shocking results. We are using the Qualys SSL Labs SSL Test.

Maybank2U Grade: F
Maybank2U is probably the most used online banking facility and, shockingly, it scores an F due to its support of SSL 2.0 and weak ciphers. Their site also does not implement forward secrecy.

Maybank2E Grade: F
Maybank2E, meant for ‘enterprise customers’, is even worse, with a whole plethora of security issues. It supports insecure renegotiation, which allows MITM attacks. In fact, we can test this out by just logging into Maybank2E using IE: even after several days of leaving it idle, forcing a refresh still allows you to access all data. It is also vulnerable to DoS attacks due to its support of client-side renegotiation. Thankfully it does not make the same mistake as Maybank2U and does not accept SSL 2.0. It does, however, still accept weak, antiquated ciphers.

CIMBClicks Grade: A
CIMBClicks fared very well. Although it does not support forward secrecy, the cipher suites it supports are all current and reasonably secure. Pretty good showing.

Public Bank Grade: A
Public Bank is reasonably secure but not as good as CIMBClicks due to its support of TLS version 1.0 only. It is also potentially vulnerable to denial of service attacks due to its support of client-side renegotiation.

Hong Leong Grade: A
Hong Leong also scored well, though it only supports TLS version 1.0 and not the more secure 1.1 and 1.2.

UOB Malaysia Grade: A
It’s the same story with UOB Malaysia: reasonably good security but no support for TLS 1.1 or 1.2.

RHB Malaysia Grade: Unavailable
Oh dear, not sure what went wrong here. We went to their online banking logon page and tested that, but it returned the error: “Assessment failed: No secure protocols supported”. I don’t have an RHB account so I can’t test it any further, but hopefully it is just a bug with the test.

Alliance Bank Grade: A
Not too bad, though it doesn’t support secure renegotiation. They might not have updated their security in a while. It also does not support the latest TLS.

HSBC Malaysia Grade: A
HSBC is in the same boat as Alliance Bank.

Affin Bank Grade: F
Another failure. It scored 0 out of 100 for protocol support. Also, like Maybank2E, it is vulnerable to MITM attacks because it supports insecure renegotiation, and it is easier to attack via DoS because it supports client-initiated renegotiation. The site is also intolerant of newer TLS protocol versions, which might cause connection failures and compatibility issues with modern browsers. Obviously, their online banking system hasn’t been updated in a while.

Standard Chartered Malaysia Grade: A
This is another strong showing. Good marks all around. However, unlike CIMBClicks, it does not implement server-side BEAST mitigation. On the other hand, it implements proper session resumption, which CIMBClicks doesn’t.

Bank Islam Grade: A
This is rather confusing. Going to their main website, there’s a warning that tells you to access it through bankislam.my only. However, when clicking on the Internet Banking link, it redirects you to bankislam.biz, which appears to be legitimate, but the contradictory instructions do raise worries about whether it is indeed an official site, especially since most banking websites don’t use .biz. The risk is that the use of different domains may open it to phishing attacks if users are not able to easily verify which sites are actually owned by Bank Islam. Bankislam.biz shows decent HTTPS security but is intolerant of newer TLS protocol versions, which might cause connection failures and compatibility issues with modern browsers. It also disables secure renegotiation and does not mitigate the BEAST attack.

AmOnline Grade: B
AmBank only scores a B due to its support for the 56-bit TLS_RSA_WITH_DES_CBC_SHA cipher. It is also vulnerable to DoS attacks due to its support of secure client-initiated renegotiation.

OCBC Grade: A
Pretty good. Similar results to Standard Chartered. No serious weaknesses beyond the lack of server-side BEAST mitigation.

Bank Muamalat Grade: F
Horrible. Similar to Maybank2E. Allows insecure client-initiated renegotiation, which increases the chance of MITM attacks. It’s also more vulnerable to DoS attacks.

Bank Simpanan Nasional Grade: F
Another big fail. Allows insecure client-initiated renegotiation, which increases the chance of MITM attacks. It’s also more vulnerable to DoS attacks.

CitiBank Grade: A
Strong results. Similar results to Standard Chartered. No serious weaknesses beyond the lack of server-side BEAST mitigation. Slight anomaly in which citibank.my resolves differently than citibank.my, but it should be OK.

Bank Rakyat Grade: B
Bank Rakyat gets a B only due to its support of the 56-bit TLS_RSA_WITH_DES_CBC_SHA cipher. It is also vulnerable to DoS attacks due to its support of secure client-initiated renegotiation.

Summary
Thankfully, most banking websites in Malaysia have reasonable HTTPS security, though because of the lack of support for the latest TLS protocols they are potentially vulnerable to BEAST attacks. Only CIMBClicks, Standard Chartered Bank, CitiBank and OCBC showed excellent HTTPS security. Unfortunately, most local banks do not seem to be security conscious. Maybank’s continued lack of updates on their online banking platform is worrying. For instance, their Maybank2E still only works properly on Internet Explorer (and the recommended browser is still IE6). Similarly, BSN’s, Affin Bank’s and Bank Muamalat’s results are very poor. We hope more banks take HTTPS security seriously and move forward with implementing the latest security protocols to safeguard their customers. This is especially important since it seems Bank Negara (our national bank) is encouraging online transfers as opposed to cheques with their recent increase in cheque processing fees to RM0.50.
Using a VPN and a modern browser would help address some of these issues and, although not foolproof, would offer some protection on the end-user side, though server security would still need to be fixed by the respective banks.

Source: bolehvpn.net
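As an added example (not part of the original post), the grading rules the post applies across the banks can be written down as a small checker: given a server's protocol, cipher and renegotiation findings, it returns the grade and the list of findings behind it. The rules and the three sample assessments are a constructed reconstruction from the post's observations, not the SSL Labs rating algorithm or real scan data.

```python
from dataclasses import dataclass

# Suites with keys shorter than 112 bits; DES (56-bit) is the one the post names.
WEAK_CIPHERS = {"TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"}
SECURE_PROTOCOLS = {"TLS 1.0", "TLS 1.1", "TLS 1.2"}  # assumption: SSL 3.0 not counted
GRADES = "ABCDEF"

@dataclass
class Assessment:
    protocols: set              # e.g. {"SSL 2.0", "TLS 1.0"}
    ciphers: list               # cipher suite names the server offers
    secure_renegotiation: bool  # RFC 5746 renegotiation extension supported
    client_renegotiation: bool  # server honours client-initiated renegotiation
    forward_secrecy: bool       # ECDHE/DHE suites offered and preferred

def _cap(current, ceiling):
    # Lower the grade to `ceiling` only if the current grade is better than it.
    return ceiling if GRADES.index(ceiling) > GRADES.index(current) else current

def grade(a):
    """Return (grade, findings); grade is None when no secure protocol is offered."""
    if not a.protocols & SECURE_PROTOCOLS:
        return None, ["Assessment failed: No secure protocols supported"]
    g, findings = "A", []
    if "SSL 2.0" in a.protocols:
        g = _cap(g, "F")
        findings.append("SSL 2.0 supported")
    if a.client_renegotiation and not a.secure_renegotiation:
        g = _cap(g, "F")
        findings.append("insecure client-initiated renegotiation (MITM)")
    elif a.client_renegotiation:
        findings.append("client-initiated renegotiation (DoS risk)")
    elif not a.secure_renegotiation:
        findings.append("secure renegotiation not supported")
    for c in a.ciphers:
        if c in WEAK_CIPHERS:
            g = _cap(g, "B")
            findings.append("weak cipher " + c)
    if not a.protocols & {"TLS 1.1", "TLS 1.2"}:
        findings.append("no TLS 1.1/1.2 (BEAST mitigation left to the server)")
    if not a.forward_secrecy:
        findings.append("no forward secrecy")
    return g, findings

# Constructed assessments shaped like the post's findings (not real scan data).
MAYBANK2U_LIKE = Assessment({"SSL 2.0", "SSL 3.0", "TLS 1.0"}, ["TLS_RSA_WITH_DES_CBC_SHA"], True, False, False)
CIMB_LIKE = Assessment({"TLS 1.0", "TLS 1.1", "TLS 1.2"}, ["TLS_RSA_WITH_AES_128_CBC_SHA"], True, False, False)
AMBANK_LIKE = Assessment({"TLS 1.0"}, ["TLS_RSA_WITH_DES_CBC_SHA"], True, True, False)
```

Calling `grade(AMBANK_LIKE)` reproduces the post's reasoning for a B: the DES suite caps the grade, while secure client-initiated renegotiation and the missing TLS 1.1/1.2 only add findings.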
Posted on: Tue, 29 Oct 2013 07:00:01 +0000