Many people put trust in online banking, believing that if a bank does an online website, it MUST be secure. Unfortunately, that’s not always the case as sometimes to ensure maximum compatibility or due to integration with other legacy systems, banking websites may not be as secure as you think they are.
Today we’ll be looking at HTTPS vulnerabilities and we analyze Malaysia’s top banks, and we find some shocking results. We are using Qualys SSL Labs SSL Test.
Maybank2U is probably the most used Online banking facility and shockingly, it scores a F due to its support of SSL2.0 and weak ciphers.
Their site also does not implement forward secrecy.
Update: Maybank2U has upgraded their security and now scores a Grade A after retest
Maybank2E, meant for ‘enterprise customers’ is even worse with a whole plethora of security issues.
It supports insecure renegotiation which allows MITM attacks. In fact, we can test this out by just logging into Maybank2E using IE. Even after several days of leaving it idle, forcing a refresh still allows you to access all data.
It is also vulnerable to DOS attacks due to its support of client-side re-negotiation. Thankfully it does not fall into the same mistake as Maybank2U and does not accept SSL2.0. It however still accepts weak antiquated ciphers.
Update: Maybank2E has upgraded their security and now scores a Grade A after retest.
Update: Maybank responds in detail to Digital News Asia
While he says the bank welcomes the feedback from BolehVPN, Mohd Suhail Amar Suresh, head of virtual banking at Maybank, says: “In reality, Maybank’s online banking system is very complex and incorporates comprehensive systems to mitigate the risks through other means, so that the bank is able to serve mass clients who use different Internet browsers to perform their online banking transactions.”
Suhail feels that the findings need to be looked at in perspective, as he believes BolehVPN’s testing does not reflect the entire security posture of M2u and M2e.
“The testing tool used by BolehVPN, while effective to test the SSL connections of websites, cannot, in our view, be used to assess the overall security, confidentiality and protection levels of our online banking services,” he says.
SSL or Secure Sockets Layer is the technology used to establish an encrypted link between a server and a client.
Suhail says that in the case of M2u, the logins and transactions to Maybank servers can only use SSL version 3 with strong encryption (128-bit key strength), which is on par with industry best standards.
“SSL Version 2.0 is only allowed to deliver warning messages back to our customers using old browsers,” he says.
“The diversity of browsers is permitted as it is in line with the bank’s quest to be customer-centric and humanising our services to cater for differing customer technology backgrounds,’ he adds. “Note that it was due to the continued use of SSL Version 2.0 that dragged Maybank to the initial F grade.”
Suhail goes on to say that, with regard to M2e, the risk exposure is minimum as Maybank has layered security controls to protect customer information.
“Moreover, multi-level authentication is required prior to login to the system and a user can only view his or her organisation’s data. Where applicable, a one-time password (OTP) is also required for transaction authorisation,” he says.
We would add that for Maybank2E when we tested it, even where the OTP was required, if a user did not log out or close his browser (even after days), someone could force a refresh and still perform all transactions. This worked with Internet Explorer though not with other browsers. The risk here is if someone forgets to log out, many transactions can be done. It is noted that the ‘data entry account’ is different than the ‘authorizing account’ so this does offer some security, however in practice, lazy consumers could set the same password for both.
CIMBClicks fared very well. Although it does not support forward secrecy, the cipher suites it supports are all current and reasonably secure. Pretty good showing.
Public Bank is reasonably secure but is not as good as CIMBClicks due to its support of TLS version 1.0 only. Also it’s also potentially vulnerable to Denial of Service attacks due to its support of client-side re-negotiation.
Hong Leong also scored well though it only supports TLS version 1.0 and not the more secure 1.1 and 1.2.
It’s the same story with UOB Malaysia. Reasonably good security but no support of TLS 1.1 or 1.2.
Oh dear, not sure what went wrong here. We went to their online banking logon page and tested that but it returned the error:
“Assessment failed: No secure protocols supported”
I don’t have a RHB account so I can’t test it any further but it might be just a bug with the test, hopefully.
Not too bad though it doesn’t support secure re-negotiation. Might not have updated their security in a while. Also does not support latest TLS.
Update: Response from Alliance Bank taken from Digital News Asia
Khor says that this is not true as the bank hires independent consultants to conduct a quarterly penetration test on all components. Vulnerabilities are then addressed based on a low- to high-risk priority scale.
All security updates are prioritised, tested and rolled out under a planned migration approach.
He requested however that Digital News Asia not share when it did its last quarterly scan. “You don’t want to give unnecessary information away,” he says.
Commenting on not supporting secure re-negotiation, which can be likened to a handshake between client and web server, he points out that the data that has not been transmitted yet. Data transmission is actually encrypted under SSL3 (latest) which addresses the data security.
“Secure re-negotiation does not expose our clients to security breach; the latter has more to do with Distributed Denial of Service or DDoS attacks, which affect the bank’s service availability. On this point, Alliance has implemented the necessary firewalls and intrusion prevention systems where needed.”
To do this well, the bank adopts a holistic ‘defence-in-depth’ approach, he says. A term originating from the military, this is a multi-layered security designed to defend in depth.
“At any point in time, different components require different updates, which we adopt on a constant phased approach,” Khor claims.
HSBC is in the same boat as Alliance Bank.
Another failure. It scored a score of 0 out of 100 for protocol support.
Also, like Maybank2E it is vulnerable to MITM attacks because it supports insecure renegotiation and is easier to attack via DoS because it supports client-initiated renegotiation. The site is also intolerant to newer TLS protocol versions, which might cause connection failures and has compatibility issues with modern browsers. Obviously, their online banking system hasn’t been updated in a while.
This is another strong showing. Good marks all around. However unlike CIMBClicks, it does not implement server-side BEAST mitigation. However, it implements proper session resumption which CIMBClicks doesn’t.
This is rather confusing. Going to their main website there’s a warning that tells you to access it through www.bankislam.com.my only.
However, when clicking on the Internet Banking link, it redirects you to bankislam.biz which appears to be legit but the contradicting instructions does raise worries if it is indeed an official site especially since most banking websites don’t use .biz. The risk is that with the different domain usage it may open itself to phishing attacks if users are not able to easily verify which sites are actually owned by Bank Islam.
Bankislam.biz shows decent HTTPS security but is intolerant to newer TLS protocol versions, which might cause connection failures and has compatibility issues with modern browsers. It also disables secure renegotiation and does not mitigate the BEAST attack.
AmBank only scores a B due to its support for 56 bit TLS_RSA_WITH_DES_CBC_SHA cipher. It is also vulnerable to DoS attacks due to it supporting secure client-initiated renegotiation.
Pretty good. Similar results to Standard Chartered. No serious weaknesses beyond no BEAST server side mitigation.
Strong results. Similar results to Standard Chartered. No serious weaknesses beyond no BEAST server side mitigation. Slight anomaly in which citibank.com.my resolves differently than www.citibank.com.my but should be ok.
Bank Rakyat gets a B only due to their support of the 56 bit TLS_RSA_WITH_DES_CBC_SHA cipher. It is also vulnerable to DoS attacks due to it supporting secure client-initiated renegotiation.
Thankfully, most banking websites in Malaysia have reasonable HTTPS security though because of lack of support of latest TLS protocols, they are potentially vulnerable to BEAST attacks. Only CIMBClicks, Standard Chartered Bank, CitiBank and OCBC showed excellent HTTPS security. Unfortunately, most local banks do not seem to be security conscious. Maybank’s continued lack of updates on their online banking platform is worrying. For instance their Maybank2E still only works properly on Internet Explorer (and the recommended browser is still IE6). Similarly, BSN, Affin Bank’s and Bank Muamalat results are very poor.
We hope more banks take HTTPS security seriously and move forward with implementing the latest security protocols to safeguard their customers.
This is especially important since it seems Bank Negara (our national bank) is encouraging online transfers as opposed to cheques with their recent increase in cheque processing fees to RM0.50.
Using a VPN and a modern browser, would help address some of these issues and although not fool proof, would offer some protection on the end-user side though server security would still need to be fixed by the respective banks.
Lowyat has picked up our story. Thanks!
Maybank has officially responded at about 4 PM via their Facebook but no word on what steps have been taken. Maybank is currently experiencing site issues but their issues were prior to us posting our article so it is probably unrelated.
Maybank2U and Maybank2E have upgraded their HTTPS security and now score solid Grade As.
Alliance Bank and Maybank has responded in detail to Digital News Asia.