Maybank Improves HTTPS security, joins top ranks while BSN, Affin and Muamalat remain at Grade F


It’s been 3 days since we first posted our tests on Malaysian banks, which gained quite a lot of publicity. Thanks to everyone who shared and spread the word. Let’s see who has taken it to heart and upgraded their security. We are only retesting those sites that scored an F rating, which were:

  1. Maybank2u/Maybank2e
  2. Affin Bank
  3. Bank Muamalat
  4. Bank Simpanan Nasional

and also those that scored a B rating, which were:

  1. AmBank
  2. Bank Rakyat

Maybank2U: Grade A

Maybank is now one of the top-ranking banking websites in Malaysia and, in some respects (RC4 support and session resumption), is even better than CIMBClicks. It is reassuring to see the speed with which this was resolved. It even supports TLS 1.1 and 1.2 now!

There were quite a few people who complained that we were paid to do a smear campaign on Maybank, but this is far from the truth. Others said that Maybank2U required SSL 2.0 support for people who could not upgrade from IE6. We responded that IE6.0 with service packs installed did indeed have SSL 3.0 support and that insecure protocols should not be tolerated lest they give a false sense of security to users. We have been validated by Maybank fixing these issues on their site within 2 days.


Maybank2E: Grade A

I was a bit concerned when running this test as I worried that the Maybank2E system, which appears to be based on older programming, would still retain the vulnerabilities to maintain compatibility. However, these fears were unfounded and it scored a solid Grade A rating.

There are slight differences which netted it lower scores than Maybank2u: its lack of support for TLS 1.1 and 1.2, RC4 support and lack of secure renegotiation. These problems are not critical by themselves, though it would be nice to see these implemented in the future.

Unfortunately Bank Simpanan Nasional, Affin Bank and Bank Muamalat remained at Grade F. AmOnline and Bank Rakyat maintained their B ratings. We remained unable to test RHB. Some people thought this meant that RHB had better security, but this is not necessarily so. It just means it could not be tested due to some error, either with the test script or with the website itself.

3 Comments

  1. Shock says:

    Thanks a lot for the initiative to work on this. Since Maybank2u just upgraded their security step, do you advise current users to change their login password?

  2. Pitboss says:

    Changing password is always good. Do this every 30 days if you frequently use your accounts. If you are accessing your account using Wi-Fi (public or at home), then you are better off having a VPN. Apparently hacking through Wi-Fi is something a year one IT student can do. http://lifehacker.com/5953047/how-to-crack-wep-and-wpa-wi+fi-passwords
    This advice goes to everyone else using Wi-Fi. I guess Reuben should start doing an article on this.

  3. Shock says:

    Ok. Thanks for the good advice. Hope to see an article about VPN, which is a new phrase for me. Thanks again
