It’s been 3 days since we first posted our tests on Malaysian banks, which gained quite a lot of publicity. Thanks to everyone who shared and spread the word. Let’s see who has taken it to heart and upgraded their security. We are only retesting those sites that scored an F rating, which were:
and also those who scored a B rating which were
Maybank is now one of the top-ranking banking websites in Malaysia and in some cases, such as RC4 support and session resumption, is even better than CIMBClicks. It is reassuring to see the speed with which this was resolved. It even supports TLS 1.1 and 1.2 now!
There were quite a few people who complained that we were paid to do a smear campaign on Maybank, but this is far from the truth. Others expressed that Maybank2U required SSL 2.0 support for people who could not upgrade from IE6. We responded to say that IE6.0 with service packs installed did indeed have SSL 3.0 support and that insecure protocols should not be tolerated lest they give a false sense of security to users. We have been validated by Maybank fixing these issues on their site within 2 days.
I was a bit concerned when running this test, as I worried that the Maybank2E system, which appears to be based on older programming, would still retain the vulnerabilities to maintain compatibility. However, these fears were unfounded and it scored a solid Grade A rating.
There are slight differences which netted it lower scores than Maybank2u due to its lack of support for TLS 1.1 and 1.2, RC4 support and lack of secure renegotiation. These problems are not critical by themselves, though it would be nice to see this implemented in the future.
Unfortunately, Bank Simpanan Nasional, Affin Bank and Bank Muamalat remained at Grade F. AmOnline and Bank Rakyat maintained their B ratings. We remained unable to test RHB. Some people thought this meant that RHB had better security, but this is not necessarily so; it just means it could not be tested due to some error either with the test script or with the website itself.