How secure is your bank's website? Comparing Malaysian banks' HTTPS security




Many people put their trust in online banking, believing that if a bank offers an online banking website, it MUST be secure. Unfortunately, that’s not always the case: to ensure maximum compatibility, or because of integration with other legacy systems, banking websites may not be as secure as you think they are.

Today we’ll be looking at HTTPS vulnerabilities across Malaysia’s top banks, and some of the results are shocking. We are using the Qualys SSL Labs SSL Test.

Maybank2U Grade: F

Maybank2U is probably the most used online banking facility in Malaysia and, shockingly, it scores an F due to its support of SSL 2.0 and weak ciphers.

The site also does not implement forward secrecy.

Update: Maybank2U has upgraded their security and now scores a Grade A after retest

Maybank2E Grade: F

Maybank2E, meant for ‘enterprise customers’, is even worse, with a whole plethora of security issues.

It supports insecure renegotiation, which exposes it to man-in-the-middle (MITM) attacks. We also observed a session-handling problem in practice: after logging into Maybank2E using IE and leaving it idle for several days, forcing a refresh still allowed access to all data.

It is also vulnerable to DoS attacks due to its support of client-initiated renegotiation. Thankfully it does not make the same mistake as Maybank2U and does not accept SSL 2.0. It does, however, still accept weak, antiquated ciphers.

Update: Maybank2E has upgraded their security and now scores a Grade A after retest.

Update: Maybank responds in detail to Digital News Asia

While he says the bank welcomes the feedback from BolehVPN, Mohd Suhail Amar Suresh, head of virtual banking at Maybank, says: “In reality, Maybank’s online banking system is very complex and incorporates comprehensive systems to mitigate the risks through other means, so that the bank is able to serve mass clients who use different Internet browsers to perform their online banking transactions.”
 
Suhail feels that the findings need to be looked at in perspective, as he believes BolehVPN’s testing does not reflect the entire security posture of M2u and M2e.
 
“The testing tool used by BolehVPN, while effective to test the SSL connections of websites, cannot, in our view, be used to assess the overall security, confidentiality and protection levels of our online banking services,” he says.
 
SSL or Secure Sockets Layer is the technology used to establish an encrypted link between a server and a client.
 
Suhail says that in the case of M2u, the logins and transactions to Maybank servers can only use SSL version 3 with strong encryption (128-bit key strength), which is on par with industry best standards.
 
“SSL Version 2.0 is only allowed to deliver warning messages back to our customers using old browsers,” he says.
 
“The diversity of browsers is permitted as it is in line with the bank’s quest to be customer-centric and humanising our services to cater for differing customer technology backgrounds,” he adds. “Note that it was due to the continued use of SSL Version 2.0 that dragged Maybank to the initial F grade.”

Suhail goes on to say that, with regard to M2e, the risk exposure is minimum as Maybank has layered security controls to protect customer information.
 
“Moreover, multi-level authentication is required prior to login to the system and a user can only view his or her organisation’s data. Where applicable, a one-time password (OTP) is also required for transaction authorisation,” he says.

We would add that when we tested Maybank2E, even where an OTP was required, if a user did not log out or close the browser (even after days), someone could force a refresh and still perform all transactions. This worked with Internet Explorer but not with other browsers. The risk is that if someone forgets to log out, many transactions can be performed. We note that the ‘data entry account’ is different from the ‘authorising account’, which does offer some protection; in practice, however, lazy customers could set the same password for both.

CIMBClicks Grade: A

CIMBClicks fared very well. Although it does not support forward secrecy, the cipher suites it supports are all current and reasonably secure. A pretty good showing.

Public Bank Grade: A

Public Bank is reasonably secure but not as good as CIMBClicks, because it supports TLS version 1.0 only. It is also potentially vulnerable to denial of service attacks due to its support of client-initiated renegotiation.

Hong Leong Grade: A

Hong Leong also scored well, though it only supports TLS version 1.0 and not the more secure 1.1 and 1.2.

UOB Malaysia Grade: A

It’s the same story with UOB Malaysia: reasonably good security, but no support for TLS 1.1 or 1.2.

RHB Malaysia Grade: Unavailable

Oh dear, not sure what went wrong here. We went to their online banking logon page and tested that, but it returned the error:

“Assessment failed: No secure protocols supported”

I don’t have an RHB account so I can’t test it any further, but hopefully it is just a bug with the test.

Alliance Bank Grade: A

Not too bad, though it doesn’t support secure renegotiation. They might not have updated their security in a while. It also does not support the latest TLS versions.

Update: Response from Alliance Bank taken from Digital News Asia

Khor says that this is not true as the bank hires independent consultants to conduct a quarterly penetration test on all components. Vulnerabilities are then addressed based on a low- to high-risk priority scale.

All security updates are prioritised, tested and rolled out under a planned migration approach.

He requested however that Digital News Asia not share when it did its last quarterly scan. “You don’t want to give unnecessary information away,” he says.

Commenting on not supporting secure re-negotiation, which can be likened to a handshake between client and web server, he points out that the data has not been transmitted yet. Data transmission is actually encrypted under SSL3 (latest), which addresses data security.

“Secure re-negotiation does not expose our clients to security breach; the latter has more to do with Distributed Denial of Service or DDoS attacks, which affect the bank’s service availability. On this point, Alliance has implemented the necessary firewalls and intrusion prevention systems where needed.”

To do this well, the bank adopts a holistic ‘defence-in-depth’ approach, he says. A term originating from the military, this is a multi-layered security designed to defend in depth.

“At any point in time, different components require different updates, which we adopt on a constant phased approach,” Khor claims.

HSBC Malaysia Grade: A

HSBC is in the same boat as Alliance Bank.

Affin Bank Grade: F

Another failure. It scored 0 out of 100 for protocol support.

Also, like Maybank2E, it is vulnerable to MITM attacks because it supports insecure renegotiation, and it is easier to attack via DoS because it supports client-initiated renegotiation. The site is also intolerant of newer TLS protocol versions, which might cause connection failures and compatibility issues with modern browsers. Obviously, their online banking system hasn’t been updated in a while.

Standard Chartered Malaysia Grade: A

This is another strong showing, with good marks all around. Unlike CIMBClicks, however, it does not implement server-side BEAST mitigation; on the other hand, it implements proper session resumption, which CIMBClicks doesn’t.

Bank Islam Grade: A

This is rather confusing. On their main website there’s a warning that tells you to access it through www.bankislam.com.my only.


However, clicking on the Internet Banking link redirects you to bankislam.biz, which appears to be legitimate, but the contradicting instructions do raise doubts about whether it is indeed an official site, especially since most banking websites don’t use .biz. The risk is that using different domains may open the bank up to phishing attacks if users are not able to easily verify which sites are actually owned by Bank Islam.

Bankislam.biz shows decent HTTPS security but is intolerant of newer TLS protocol versions, which might cause connection failures and compatibility issues with modern browsers. It also disables secure renegotiation and does not mitigate the BEAST attack.

AmOnline Grade: B

AmBank only scores a B due to its support for the 56-bit TLS_RSA_WITH_DES_CBC_SHA cipher suite. It is also vulnerable to DoS attacks due to its support of (secure) client-initiated renegotiation.

OCBC Grade: A

Pretty good. Similar results to Standard Chartered: no serious weaknesses beyond the lack of server-side BEAST mitigation.

Bank Muamalat Grade: F

Horrible. Similar to Maybank2E: it allows insecure client-initiated renegotiation, which increases the chance of MITM attacks, and it is also more vulnerable to DoS attacks.

Bank Simpanan Nasional Grade: F

Another big fail. It allows insecure client-initiated renegotiation, which increases the chance of MITM attacks, and it is also more vulnerable to DoS attacks.

CitiBank Grade: A

Strong results. Similar to Standard Chartered: no serious weaknesses beyond the lack of server-side BEAST mitigation. A slight anomaly is that citibank.com.my resolves differently from www.citibank.com.my, but that should be OK.

Bank Rakyat Grade: B

Bank Rakyat gets a B only due to its support of the 56-bit TLS_RSA_WITH_DES_CBC_SHA cipher suite. It is also vulnerable to DoS attacks due to its support of (secure) client-initiated renegotiation.

Summary

Thankfully, most banking websites in Malaysia have reasonable HTTPS security, though because they lack support for the latest TLS protocols, they are potentially vulnerable to BEAST attacks. Only CIMBClicks, Standard Chartered Bank, CitiBank and OCBC showed excellent HTTPS security. Unfortunately, most local banks do not seem to be security conscious. Maybank’s continued lack of updates to its online banking platform is worrying: for instance, Maybank2E still only works properly on Internet Explorer (and the recommended browser is still IE6). Similarly, the results for BSN, Affin Bank and Bank Muamalat are very poor.

We hope more banks take HTTPS security seriously and move forward with implementing the latest security protocols to safeguard their customers.

This is especially important since Bank Negara (our national bank) seems to be encouraging online transfers over cheques with its recent increase in cheque processing fees to RM0.50.

Using a VPN and a modern browser would help address some of these issues on the end-user side. Although not foolproof, it offers some protection, though server security would still need to be fixed by the respective banks.
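To make the checks behind the grades above concrete, here is an added example (it is not code from the original article, and it is not how Qualys SSL Labs actually computes its grades). It parses cipher-suite names such as TLS_RSA_WITH_DES_CBC_SHA to recover key strength, cipher mode and whether the key exchange provides forward secrecy, then applies simple rules whose thresholds are assumptions chosen to reproduce the outcomes reported in this article: SSL 2.0 or insecure renegotiation gives an F, a 56-bit DES suite caps the grade at B, and client-initiated renegotiation, missing TLS 1.1/1.2, missing forward secrecy and unmitigated BEAST are recorded as findings without moving the grade. The observations it grades are constructed to match the article’s descriptions, not real scan data.

```python
# Added example: a simplified TLS posture grader. It is not the article's code
# and not the Qualys SSL Labs algorithm; its thresholds are assumptions chosen
# to reproduce the outcomes the article reports.
from dataclasses import dataclass
from typing import List, Tuple

RANK = {"F": 0, "B": 1, "A": 2}  # the only grades the article uses


@dataclass(frozen=True)
class Suite:
    forward_secrecy: bool  # ephemeral (EC)DHE key exchange
    export: bool           # 1990s export-grade suite
    bulk_bits: int         # effective symmetric key strength
    mode: str              # "CBC", "GCM" or "STREAM"


def parse_suite(name: str) -> Suite:
    """Read security-relevant properties off an IANA-style suite name, e.g.
    TLS_RSA_WITH_DES_CBC_SHA -> RSA key transport, 56-bit DES, CBC mode."""
    kx_part, rest = name.split("_WITH_", 1)
    kx_tokens = kx_part.split("_")[1:]  # drop the "TLS" prefix
    forward_secrecy = kx_tokens[0] in ("DHE", "ECDHE")
    export = "EXPORT" in kx_tokens
    tok = rest.split("_")
    if tok[0] == "3DES":
        bulk_bits, mode = 112, "CBC"  # 168-bit key, 112-bit effective strength
    elif tok[0] in ("DES", "DES40"):
        bulk_bits, mode = (40 if tok[0] == "DES40" else 56), "CBC"
    elif tok[0] == "RC4":
        bulk_bits, mode = int(tok[1]), "STREAM"
    elif tok[0] == "AES":
        bulk_bits, mode = int(tok[1]), tok[2]  # tok[2] is CBC or GCM
    else:
        raise ValueError(f"unrecognised suite {name}")
    return Suite(forward_secrecy, export, bulk_bits, mode)


@dataclass(frozen=True)
class Observation:
    protocols: frozenset          # e.g. {"SSL 2.0", "SSL 3.0", "TLS 1.0"}
    suites: Tuple[str, ...]       # must be non-empty
    renegotiation: str            # "disabled", "secure" (RFC 5746) or "insecure"
    client_initiated_reneg: bool  # server accepts client-triggered renegotiation
    beast_mitigated: bool         # server-side mitigation for CBC on TLS 1.0


def grade(obs: Observation) -> Tuple[str, List[str]]:
    suites = [parse_suite(s) for s in obs.suites]
    result, findings = "A", []

    def cap(g: str, why: str) -> None:  # record a finding and lower the grade
        nonlocal result
        findings.append(why)
        if RANK[g] < RANK[result]:
            result = g

    if "SSL 2.0" in obs.protocols:
        cap("F", "SSL 2.0 supported")
    if obs.renegotiation == "insecure":
        cap("F", "insecure renegotiation supported (MITM injection risk)")
    weakest = min(s.bulk_bits for s in suites)
    if weakest < 56 or any(s.export for s in suites):
        cap("F", "export-grade or sub-56-bit cipher suite accepted")
    elif weakest < 112:
        cap("B", f"weak {weakest}-bit cipher suite accepted")
    # Findings the article reports without them moving the grade
    if not any(s.forward_secrecy for s in suites):
        findings.append("no forward secrecy (no ECDHE/DHE suites)")
    if obs.client_initiated_reneg:
        findings.append("client-initiated renegotiation allowed (DoS risk)")
    if obs.renegotiation == "disabled":
        findings.append("secure renegotiation not supported (renegotiation disabled)")
    if not (obs.protocols & {"TLS 1.1", "TLS 1.2"}):
        findings.append("no TLS 1.1/1.2 support")
        if any(s.mode == "CBC" for s in suites) and not obs.beast_mitigated:
            findings.append("CBC suites on TLS 1.0 without server-side BEAST mitigation")
    return result, findings


# Constructed observations modelled on the article's descriptions, not real scans
SAMPLES = {
    "sslv2_and_weak_ciphers": Observation(frozenset({"SSL 2.0", "SSL 3.0", "TLS 1.0"}),
        ("TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"),
        "secure", False, False),
    "insecure_renegotiation": Observation(frozenset({"SSL 3.0", "TLS 1.0"}),
        ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"), "insecure", True, False),
    "des_suite_only_flaw": Observation(frozenset({"TLS 1.0"}),
        ("TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"), "secure", True, True),
    "renegotiation_disabled": Observation(frozenset({"TLS 1.0"}),
        ("TLS_RSA_WITH_AES_128_CBC_SHA",), "disabled", False, False),
    "modern_no_fs": Observation(frozenset({"TLS 1.0", "TLS 1.1", "TLS 1.2"}),
        ("TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"), "secure", False, True),
    "modern_with_fs": Observation(frozenset({"TLS 1.0", "TLS 1.1", "TLS 1.2"}),
        ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",), "secure", False, True),
}


def grade_all() -> dict:
    return {name: grade(obs) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (g, notes) in grade_all().items():
        print(f"{name:<24} {g}  {'; '.join(notes)}")
```

The three-way renegotiation state is the detail worth keeping in mind when reading the grades above: a server that refuses renegotiation altogether (the “does not support secure re-negotiation” noted for Alliance Bank and Bank Islam) is not exposed to the renegotiation MITM problem, whereas one that still allows the pre-RFC 5746 form (Maybank2E, Affin, Muamalat, BSN) is, which is why only the latter group falls to F.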

Update:

Lowyat has picked up our story. Thanks!

Maybank has officially responded at about 4 PM via their Facebook page, but with no word on what steps have been taken. Maybank is currently experiencing site issues, but those began before we posted our article, so they are probably unrelated.


Maybank2U and Maybank2E have upgraded their HTTPS security and now score solid Grade As.

Alliance Bank and Maybank have responded in detail to Digital News Asia.

41 Comments

  1. Eric Ong says:

    You forgot to test Affin Bank.

  2. Passerby says:

    How about Standard Chartered?

  3. Reuben says:

    @Eric Ong
    Have added Affin Bank’s results. Another F rating.

    @Passerby
    Standard Chartered excelled 😀 Added it in.

    Thanks for the feedback!

  4. Passerby2 says:

    Shocking F for Maybank2U. As I write, their website has been unstable for the past hour – alternating between being totally down, just plain slow, or kicking you out with a weird error message.

  5. ac says:

    what about citibank and UOB?

  6. zeleecher says:

    Yep. Very shocking for Maybank2u. Used it quite a bit as it is convenient. Looks like gotta move my $$$ elsewhere.

  7. hurtnet says:

    yea f*** how come maybank like dat, I’ve been using it a lot, transferring funds to public like this

  8. Lil_Miss_Maniac says:

    Great work! Appreciate it.

    What about OCBC? 🙂

  9. Thai Hau says:

    How about BSN and Bank Muamalat?

  10. SV Singam says:

    Fortunately I have already migrated most of my banking to Public Bank. I did this after the news broke that Maybank would only do business with companies that had 50% Bumiputra equity, which immediately shafted all single-owner non-Bumi contractors. There is no reason for the Malaysian public to tolerate such racist institutions.

    The trouble is, the Melaka water supplier, SAMB only allows payments through Maybank or CIMB. I don’t want to open a CIMB account just to pay SAMB. So I still use Maybank2U.

  11. pengkomen says:

    hi, where’s bank rakyat?

  12. icut3 says:

    So the gold standard in security (in HTTPS) is achieving “Perfect Forward Secrecy”, which NONE of them offer. Considering the amount of resources & regulation in Malaysia, this is pretty much taken for granted by banks and financial institutions. They need to be whacked with a stick by Bank Negara before making good improvements.

    Why Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection?:

    “Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party. That particular threat may have once seemed unlikely, but we now know that the NSA does exactly this kind of long-term storage of at least some encrypted communications as they flow through telecommunications hubs, in a collection effort it calls “upstream.” source: https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection

    I wish BolehVPN could test Malaysian (federal & state) government and agency websites as well.

  13. Joseph says:

    Considering I’m a user of Maybank2u, PBeBank and RHB, I frequently encounter problems accessing M2U because of speed issues or sometimes server issues which make accessing my account impossible.

    I’ve never encountered this kind of problem with PBeBank and RHB.
    M2U really needs to take many steps further in improving their service quality and security after seeing this post.
    However, M2U really excels at the variety of bill payments, which makes me use them regardless.

    Fortunately, M2U provides such broad support for various SSL/TLS versions and levels of encryption probably because of compatibility concerns. As long as you’re using the latest browsers, you will be using the latest version and strongest encryption.
    Eg. My most up-to-date Chrome on Win8 connects to http://www.maybank2u.com.my with TLS 1.2, encrypted with AES_256_CBC.

  14. Han says:

    Reuben, could you explain to me what forward secrecy is in a nutshell? I clicked on the link, but I don’t know enough about servers to make sense of it.

    • Reuben says:

      Han: Basically it’s a fallback. If perfect forward secrecy is not implemented, people who record all these encrypted transmissions can take their time to break it and later if they derive the secret key, all those transmissions that were recorded can be broken.

      With PFS, even if the secret key is derived, because they don’t have the session key (which changes), the intercepted encrypted data is protected from prying eyes long into the future.

      https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection
      has a good detailed explanation and why with the NSA recording encrypted streams, this becomes more important.
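An added illustration of the point made in Reuben’s reply above (this code is not part of the original thread, and its RSA and Diffie-Hellman parameters, hash-based key derivation and XOR stream cipher are toy stand-ins chosen for readability, not real TLS primitives): a passive recorder stores the handshake and ciphertext of two sessions, one using RSA key transport as in the TLS_RSA_* suites the banks in this article negotiate, the other using ephemeral Diffie-Hellman as in the DHE/ECDHE suites that provide forward secrecy. When the server’s long-term RSA private key leaks later, the recorded RSA session decrypts, while the ephemeral one stays opaque because the ephemeral exponents were discarded and the transcript only holds public values.

```python
# Added illustration of forward secrecy. Not code from the original thread; the
# RSA and Diffie-Hellman parameters are toy values chosen for readability and
# must not be used for anything real.
import hashlib
import secrets

# Toy RSA key pair standing in for the server's long-term certificate key,
# as used by the TLS_RSA_* suites (the client encrypts the premaster secret to it).
RSA_P, RSA_Q, RSA_E = 1009, 1013, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # the secret that later leaks

# Toy Diffie-Hellman group for the ephemeral exchange of DHE/ECDHE suites.
DH_P = 2**127 - 1  # a Mersenne prime; real groups are 2048-bit or elliptic curves
DH_G = 3


def derive_key(shared_secret: int, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Session key = hash(secret || nonces); stands in for the TLS PRF."""
    material = shared_secret.to_bytes(32, "big") + client_nonce + server_nonce
    return hashlib.sha256(material).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (encrypt == decrypt): keystream = SHA-256(key || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def rsa_session(plaintext: bytes) -> dict:
    """RSA key transport: the client picks the premaster secret and encrypts it
    to the server's long-term key. Returns what a passive eavesdropper records."""
    cn, sn = secrets.token_bytes(16), secrets.token_bytes(16)
    premaster = secrets.randbelow(RSA_N - 2) + 2
    key = derive_key(premaster, cn, sn)
    return {"kx": "RSA", "client_nonce": cn, "server_nonce": sn,
            "encrypted_premaster": pow(premaster, RSA_E, RSA_N),  # on the wire
            "ciphertext": xor_stream(key, plaintext)}


def dhe_session(plaintext: bytes) -> dict:
    """Ephemeral DH: fresh exponents per session; the long-term key would only
    sign the server's public value (signature omitted here), so it never enters
    the session key."""
    cn, sn = secrets.token_bytes(16), secrets.token_bytes(16)
    a, b = secrets.randbelow(DH_P - 2) + 2, secrets.randbelow(DH_P - 2) + 2
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)  # on the wire
    key = derive_key(pow(server_pub, a, DH_P), cn, sn)  # == pow(client_pub, b, DH_P)
    del a, b  # both sides discard the ephemeral exponents after the handshake
    return {"kx": "DHE", "client_nonce": cn, "server_nonce": sn,
            "client_public": client_pub, "server_public": server_pub,
            "ciphertext": xor_stream(key, plaintext)}


def attacker_decrypt(transcript: dict, leaked_rsa_d: int):
    """A recorder who later obtains the server's long-term RSA private key.
    Returns the recovered plaintext, or None if the transcript gives no way in."""
    if transcript["kx"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], leaked_rsa_d, RSA_N)
        key = derive_key(premaster, transcript["client_nonce"], transcript["server_nonce"])
        return xor_stream(key, transcript["ciphertext"])
    # DHE: the leaked key is only a signing key. The transcript holds g^a and g^b;
    # recovering the session key would require solving a discrete logarithm.
    return None


def demo() -> tuple:
    msg = b"constructed sample: transfer RM500 to account 0000"
    return attacker_decrypt(rsa_session(msg), RSA_D), attacker_decrypt(dhe_session(msg), RSA_D)


if __name__ == "__main__":
    rsa_result, dhe_result = demo()
    print("RSA key transport, key leaked later:", rsa_result)
    print("Ephemeral DH, key leaked later:     ", dhe_result)
```

This is the defender’s reason to prefer ECDHE/DHE suites even when the RSA certificate stays in place: the certificate key is then only used to authenticate the handshake, so its later compromise (or a long-term brute-force effort against it) does not retroactively expose traffic that was recorded earlier.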

  15. Super Pro says:

    What a shame. Maybank was founded by a Chinese, and now they are as bad as bumi banks.

  16. CFF says:

    Before you give your verdict merely based on a scanner’s SSL scan results, give a thought to the business implication of supporting backward compatibility using SSL 2.0. There are still a lot of users who are not tech savvy and depend on older browsers for their banking needs.

    • Reuben says:

      CFF: The only site that has this issue is Maybank2u with its support of SSL 2.0. All other banks’ websites rightfully disable this; the other banks have different vulnerabilities that give them their F ratings. Since IE7, which was released in 2006, SSL 2.0 has been deprecated. In fact, the insistence on IE6 by many banking websites contributes to more issues for people with newer computers. For instance, Maybank2E does not seem to work properly on newer versions of IE past IE7. It does not work on Chrome or Firefox either for certain features. Windows 7 is by far the most widely used OS now, and to force people to stick to an older browser is not acceptable. It’s not even easy to get IE6 even if you wanted to.

      If all other banks can do it, why does only Maybank insist on remaining in the past, recommending a browser (IE6) that was released more than 12 years ago?

  17. InvinceZ says:

    test lowyat.net and forum.lowyat.net themselves to see if they are secure or not

    • Reuben says:

      Lowyat scores an A for their forum but an F for their website. Though even if Lowyat was insecure, the ramifications are not as bad as an online banking. Considering that the lowyat page itself probably doesn’t do any transactional work, this isn’t an issue.

      Their shopping site, StoreKini scores an A too.

  18. Joseph says:

    ^+1

    Even IE6 supports SSL 3.0. There is a reason why Qualys decides that whoever supports SSL 2.0 will be graded F.
    Not to mention that whoever is not tech savvy will be visiting a physical branch rather than using eBanking.

  19. Pitboss says:

    @CFF
    What BolehVPN has done is to do this test on their own initiative and publish our findings for the public to know. Whether IE6 or IE10 supports this or that is not relevant. What is relevant is this question: should the F-graded banks take the necessary steps now, or wait until someone actually hacks into their system, or wait until someone from the authorities comes knocking?
    Interestingly, Maybank is currently running an Internet security awareness campaign with CyberSecurity Malaysia for the general public, and I wonder what they will say to the public on this matter. Shouldn’t they be telling their users to upgrade for security reasons rather than exposing their account holders to risks?

  20. werwick says:

    0cbc always A+++++ grade ..!!

  21. thomas says:

    another movement to sabo MBB.. hopefully not from red bean army movement.

  22. hhe says:

    So is there anything that maybank2u users can do to protect themselves, or should we just migrate to another bank?

  23. icut3 says:

    Super Pro:

    It has nothing to do with race. It’s just pure secure or Not secure!

    Pitboss:
    What is relevant is this question: should the F-graded banks take the necessary steps now, or wait until someone actually hacks into their system, or wait until someone from the authorities comes knocking?

    As the NSA-Snowden scandal revealed, without an industry gold standard as a benchmark, like Google’s security approach, http://threatpost.com/google-strengthening-keys-on-ssl-certificates-to-2048-bits/100759 , and with the increase of sophisticated attacks on SSL, http://threatpost.com/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312/77006 , and without proper implementation of PFS, it is just a matter of time, as probably “hackers” have stolen the data but have not taken the time to break it apart.

    The banks are NOT doing ENOUGH!

    Remember, you PAY for the service!

    @hhe: I would recommend you log a complaint with the related authority which has the power to regulate the banking industry – BN and MCMC. Never take your data protection for granted. The customers are protected by regulators (BN & MCMC) and the latest
    Personal Data Protection Act 2010 (PDPA), http://www.digitalnewsasia.com/insights/pdpa-businesses-have-responsibilities-and-burdens & http://www.loyarburok.com/2010/04/13/awakening-to-a-new-dawn-part-1/

    Your money is safe in the banks, but your bank information records, errr… (just pray to god)!

  24. Lee Roy says:

    @thomas, yea, lowyat.net I guess is mainly for editorial, thus there isn’t much need for high encryption; also, they need to link images from outside and include outside links in their editorial, hence the score.

    As for their online shopping site, pretty good I would say.

    Maybank2u really does need to buck up and remove their support for SSL 2.0 on both their SSL certificate as well as their firewalls.

  25. Jemmysan says:

    I tested maybank2u.com.my and the grade is A, not F.
    Here’s the test result:
    https://www.ssllabs.com/ssltest/analyze.html?d=maybank2u.com.my

    If you type maybank2u.com, it’ll be directed automatically to maybank2u.com.my

  26. Joseph says:

    @Jemmysan Looks like it has made the banks step up their security. They’ve removed support for obsolete SSL 2.0 and are only left with at least 168-bit encryption. Still no Forward Secrecy, but it should be decent now. Thumbs up, BolehVPN!

  27. Pitboss says:

    Congratulations to Maybank for finally updating their server security settings. Took them 48 hours to respond, but respond they did. Now let’s see if those with an F are going to follow suit or not. Good job to all, especially BOLEHVPN for highlighting this and to LYN and many other sites that helped to spread the news. Thank you guys.

  28. SecurityNobody says:

    This has been a known issue for years now; compatibility and business implications have been a major issue in getting the banks to agree to upgrade their SSL facility / disable vulnerable ciphers etc. And there is this ethical thing about exposing vulns. I don’t see it mentioned anywhere in your post: did you guys submit this to the banks first before going public? The vuln may not be big, but those banks scoring F’s and so on are now officially putting their users at risk. Kiddies with tools shall now go for these banks, aiming at their innocent users. Indeed it’s the banks’ fault, but users pay the price?

  29. Reuben says:

    SecurityNobody:

    Obviously for Maybank this compatibility argument wasn’t an issue, given that they managed to upgrade it pretty quickly. It kinda shows that perhaps they did not have a routine security audit. We did contact Maybank several months ago about the vulnerability but were ignored. It wasn’t the first time it was brought up, as http://www.keithrozario.com/2013/06/how-secure-is-your-ssl.html did mention it way back in June. Chances are that if the ‘kiddies with tools’ have the technical ability to take advantage of these vulnerabilities, they would already know about them.

  30. Learn the ethics of vulnerability disclosure first before coming out with such an article. Even if you’re a pentester hired by the banks, there are bound to be non-disclosure agreements. At most I would see this as a lame attention-seeking effort – and dare I say hoping to fish for a job in infosec. It just demonstrates a lack of professionalism and ethics. And yes, I concur with SecurityNobody above.

  31. SecurityNobody says:

    Reuben:

    Trust me, they have known this for years. I do this for a “career” and have seen worse vulns than this on the banking apps, and oh yes, they have a routine audit report twice a year which is ignored, or the vuln is rated as low risk, which is the same as ignored to me. And the kiddies aren’t that advanced yet; most just sit and wait for someone to bring it up, thus they are called kiddies. But I applaud your effort in bringing this up; please do mention that you ethically disclosed this first, though.

  32. Reuben says:

    @SecurityNobody

    For your info, I’m no pen-tester nor any kind of security expert. I leave that to my tech partner. I’m a lawyer by profession, and I had called up bank staff, especially at the banks where I have my money, about these vulnerabilities, but they assured me that they were ‘looking into it’.

    In fact, for Maybank, I told them last year about some of the security issues I found in my own use (such as being able to continue to access all banking functions with IE after days just by forcing a refresh and resubmitting data), and I was told that they were revamping it completely this year, but this promise was obviously empty. I had also told them at least twice this year but was given the stock response of ‘don’t worry’ or ‘we will look into it’.

    The ‘vulnerabilities’ that I ‘exposed’ were not some secret 0-day exploit. They were results from a ready-made, publicly accessible tool on an issue that it seems everyone in the local IT security industry has known about for years and, because of their contractual obligations or ethics code or whatever, is not allowed to disclose to the public. Heck, you mention that these banks run audit reports, so they should frickin’ know about this, but as you said they ignore it? In this scenario, I believe they do not deserve any further leeway, especially when I had told Maybank on 3 separate occasions. Perhaps I wasn’t speaking to the right people?

    I think it would be more unethical to let it continue to be the status quo, especially if the banks have known about it for years. In my opinion, even if I hadn’t informed them previously, the fact that they know about it absolves me from having any qualms about disclosing it. I’m not bound by any NDA to these banks. So many people argue for ‘compatibility’, but the fact that other banks work fine with the higher security settings and, more importantly, that it was fixed in less than 2 days just throws these arguments out of the window. Saying that upgrading your system would be ‘expensive’ is a poor excuse for banks of this size. Where there’s a will, there’s a way, and at the end of the day, this article shook them up to make rapid changes which might otherwise have dragged on for god knows how much longer.

    Affin Bank is also relooking at their security. If Bank Muamalat and BSN still don’t respond (even after I tagged their official accounts on Facebook), in my opinion that’s their problem and their responsibility should they not take action in securing their customers’ data. I’m sure there are legal recourse options should these customers lose money because of their negligence, and I doubt the banks would let it come to that.

    Also, for the record, I would hate to have a job in infosec if all I do is have my audit reports ignored T_T

  33. Ray says:

    Any updates to these statistics since 2013?
