Belgian banks & SSL — part 4

Because of the media storm, it’s time for an update. The previous blog posts (1, 2, 3) are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015:
    • Ogone: C to A-
  • 02/03/2015:
    • Fortuneo: C to B
  • 03/03/2015:
    • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate that they asked SSL Labs not to scan them. I have also added a couple of new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as a banking tool).

I would like to apologise to every IT’er who had a crappy Monday morning, and thank you for fixing SSL so fast. 🙂

The entire list updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

Grade B

  • Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • DHB Bank: weak signature (SHA1), RC4 (insecure).
  • Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • Optima Bank: vulnerable to the POODLE attack in both its SSL3 and TLS variants, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (or A+) is the best possible rating, and F the worst.
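The findings in the lists above are what SSL Labs reports for each login page. As an added example (not code from the post, and not Qualys' scanner), here is a small Python checker that derives those same findings from a server's observed TLS configuration and the grade ceiling they imply. The sample configurations are constructed, and the ceiling rules are my reading of SSL Labs' published 2014 grading changes (an assumption); the post's own data shows they are not the whole story, since beobank and PSA Bank share an identical findings list yet hold different grades.

```python
"""Map an observed TLS configuration to the findings the post lists (SSL3,
weak SHA-1 signature, missing TLS 1.2, RC4, no forward secrecy, no secure
renegotiation, POODLE) and to the best grade such a configuration can still
reach. Sample configurations are constructed; ceiling rules are an
assumption modelled on SSL Labs' late-2014 grading changes."""

from dataclasses import dataclass
from typing import List, Set


@dataclass
class TlsConfig:
    protocols: Set[str]          # protocol versions the server negotiates
    ciphers: List[str]           # OpenSSL cipher-suite names the server offers
    signature_algorithm: str     # leaf certificate signature, e.g. "sha1WithRSAEncryption"
    secure_renegotiation: bool   # RFC 5746 renegotiation extension supported
    poodle_tls: bool = False     # accepts malformed CBC padding on TLS (POODLE, TLS variant)


def has_forward_secrecy(ciphers: List[str]) -> bool:
    """Ephemeral (EC)DH key exchange gives forward secrecy; plain RSA key exchange does not."""
    return any(c.startswith(("ECDHE-", "DHE-")) for c in ciphers)


def uses_rc4(ciphers: List[str]) -> bool:
    return any("RC4" in c for c in ciphers)


def findings(cfg: TlsConfig) -> List[str]:
    """Return the findings in the wording the post uses, worst first."""
    issues = []
    if cfg.poodle_tls:
        issues.append("vulnerable to POODLE (TLS variant)")
    if "SSLv3" in cfg.protocols:
        issues.append("SSL3 (insecure)")
    if cfg.signature_algorithm.lower().startswith("sha1"):
        issues.append("weak signature (SHA1)")
    if "TLSv1.2" not in cfg.protocols:
        issues.append("no TLS 1.2")
    if uses_rc4(cfg.ciphers):
        issues.append("RC4 (insecure)")
    if not has_forward_secrecy(cfg.ciphers):
        issues.append("no Forward Secrecy")
    if not cfg.secure_renegotiation:
        issues.append("no support for secure renegotiation")
    return issues


GRADE_ORDER = ["A", "A-", "B", "C", "F"]   # best to worst


def grade_ceiling(cfg: TlsConfig) -> str:
    """Best grade the configuration can still reach.

    Assumption: SSL Labs rules as published in late 2014 (POODLE TLS -> F,
    SSL 3 or RC4 support -> at most B, no forward secrecy -> at most A-).
    SHA-1 and missing TLS 1.2 only produced warnings at the time."""
    ceiling = "A"

    def cap(grade: str) -> None:
        nonlocal ceiling
        if GRADE_ORDER.index(grade) > GRADE_ORDER.index(ceiling):
            ceiling = grade

    if cfg.poodle_tls:
        cap("F")
    if "SSLv3" in cfg.protocols:
        cap("B")
    if uses_rc4(cfg.ciphers):
        cap("B")
    if not has_forward_secrecy(cfg.ciphers):
        cap("A-")
    return ceiling


# Constructed samples: a "grade B" style configuration and a hardened one.
SAMPLE_WEAK = TlsConfig({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
                        ["AES128-SHA", "RC4-SHA"], "sha1WithRSAEncryption", True)
SAMPLE_HARDENED = TlsConfig({"TLSv1", "TLSv1.1", "TLSv1.2"},
                            ["ECDHE-RSA-AES128-GCM-SHA256"], "sha256WithRSAEncryption", True)

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: ceiling {grade_ceiling(cfg)}; {', '.join(findings(cfg)) or 'no findings'}")
```

To use it against a real endpoint you would fill a `TlsConfig` from your own probes (one handshake per protocol version, the negotiated cipher list, the certificate's signature algorithm); the checker itself never touches the network.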

Respect to those that sent a mailing to their customers with more detailed information. Communication++

Respect to Rabobank for being the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address), thanked me for the work I did, asked for more details, etc.

And thanks to an anonymous person, working for one of the big banks, for giving me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.

40 comments

  1. […] EDIT: ING is now A- (not reflected in this blog post). EDIT 2: Keytrade & Hello Bank also went to A. I’ll update this blog post later tonight. EDIT 3: Updated post here. […]

  2. Jd says:

    There is still one bank missing

  3. remi says:

    Hello Yeri, for EuropaBank you just need to know how to use OpenSSL to discover _by yourself_ everything that Qualys SSL Labs reports.

    I imagine that as a great security Hacker (as the press portrays you, hahaha, oops sorry) it won’t be complicated for you to discover the parameters needed for the # openssl command to do so (man openssl).

    If you need help, don’t hesitate to ask here 😉

  4. remi says:

    I can’t do everything, my mum is calling me to go to bed 🙁 But here are already a few examples:

    # openssl s_client -connect www.ebonline.be:443
    => RC4 encryption (“Cipher : RC4-MD5”)
    => Copy/paste the certificate into file ‘x’ (the part between -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----), then: openssl x509 -in x -noout -text : SHA-1 (Signature Algorithm: sha1WithRSAEncryption)
    # openssl s_client -connect www.ebonline.be:443 -ssl3
    => SSLv3 supported (Protocol : SSLv3)

    So we’re already at grade B (RC4 + SHA1 + SSLv3); for the rest (i.e. POODLE, BEAST, …) I’ll let you do it, or else you wait until tomorrow after I’ve eaten my Coco Pops 😉

  5. stefaan Roegiers says:

    Binck Bank Belgium: A (only minor issue with SHA1):

    https://www.ssllabs.com/ssltest/analyze.html?d=binck.be

  6. Michel Joossens says:

    Dear Yeri,
    Bank Van Breda and ABK took the necessary measures on Monday morning, as a result of which they have received a B rating.

    • Michel Joossens says:

      The planned unavailability has nothing to do with the reporting about SSL. Next weekend we are laying the foundation for a new application with, among other things, real-time payments, a tablet and smartphone version, a modern look and feel, etc. This is part of a project that has been in the works for more than a year.

  7. John says:

    In an email, MeDirect lets us know that after an update they carried out last night they went from F to A.

  8. totor says:

    Hi Yeri, thanks for your posts and for the press coverage; I think that Belgium will be one of the first countries to be freed from XP + IE6 so quickly 🙂 The IT departments of the banks congratulate you (and for sure do not hate you, as you seem to think all the time). It is not always easy to convince the marketing departments that we have to secure our infras, with the downside that we might lose customers (temporarily).
    Even if you’re not a security expert as the press is stating, you should continue doing the same for other security or IT aspects (CSP, IPv6, …); you seem to be listened to by the press now, and thus by marketing.

    • Yeri Tiete says:

      Hehe, thanks.
      In my very first post (https://yeri.be/belgian-banks-ssl — all the way at the bottom) I checked for IPv6 DNS records. But it’s not “security”, so it won’t have the same effect. 😉

    • Cedric says:

      Imho, you didn’t understand how security brings value to a business. You only understood how security needs to be covered technically.

      You’re basically missing a set of knowledge you should acquire (and I’m an IT operations guy!) to perform well in these areas. You don’t have to lose customers (even temporarily). Just learn that reputation is a higher risk than technical attack.

      Tbh, I’m more in favor of blaming all the banks because SSLv3 was still supported while it should have been decom’ a while ago.

  9. Ndp says:

    Hello;
    Please notice that situation for AXA has changed: AXA Bank (axabank.be): Grade A
    (AXA.be is the insurance part today)

  10. Lander says:

    Ingenico payment services (Ogone) is no longer grade C but A- 😉

  11. arnaud says:

    Hi Yeri,

    Interesting finding: keytradebank.com became A+ yesterday but it is still using a SHA-1 certificate in its certificate chain. The only thing which changed is that the keychain sent by keytrade does not contain the root CA but just the intermediate CA. However the root CA provided by the trusted store of Qualys is well SHA-1. Seems to be a bug in the Qualys report?

    Another interesting post you could write on your blog regarding the security of the bank concerns the phishing and associated counter-measures (SPF/DKIM/DMARC). You’ll discover interesting things as well.

    Cheers, A.

  12. arnaud says:

    * ING: SPF record OK (-all) ; DMARC record OK (reject 100%) ;
    * Rabobank : SPF record POK (~all) ; DMARC record NOK (NX) ;
    * Triodos : SPF record OK (-all) ; DMARC record NOK (NX) ;
    * BNP Paribas Fortis : SPF record POK (~all) ; DMARC record NOK (NX) ;
    * Keytrade Bank : SPF record OK (-all) ; DMARC record OK (reject 100%) ;
    * Belfius : SPF record OK (-all) ; DMARC POK (none 0%) ;
    * Argenta : SPF record POK (~all) ; DMARC POK (none 100%) ;
    …etc.

    So several banks are doing something but not as good as ING & Keytrade.
    Note that for DKIM you’ll need to receive an email from the bank in order to check it.
    There is no easy way to find out except if you know in advance which selector (s=) they’re using.

    Regards,
    A.
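The OK / POK / NOK labels in the list above come from reading each bank's SPF `all` qualifier and its DMARC policy. As an added example (not code from the commenter or the post), here is a Python classifier that applies those same rules to TXT records. The records are constructed samples embedded in the script, so it runs offline; in practice you would replace them with real TXT lookups of the domain and of its `_dmarc` subdomain.

```python
"""Classify SPF and DMARC TXT records as OK / POK (partially OK) / NOK,
following the labels used in the comment above: SPF ending in -all is OK,
~all or ?all is POK, anything else is NOK; DMARC p=reject with pct=100 is OK,
any other policy is POK, and a missing record is NOK (NX).
The zone data below is constructed, not a live lookup."""

from typing import Dict, List, Tuple

# Constructed TXT records, keyed by domain then by owner name ("@" = apex).
SAMPLE_TXT: Dict[str, Dict[str, List[str]]] = {
    "bank-a.example": {"@": ["v=spf1 include:_spf.example -all"],
                       "_dmarc": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@bank-a.example"]},
    "bank-b.example": {"@": ["v=spf1 ip4:192.0.2.0/24 ~all"],
                       "_dmarc": []},                       # no DMARC record at all
    "bank-c.example": {"@": ["v=spf1 -all"],
                       "_dmarc": ["v=DMARC1; p=none; pct=0"]},
    "bank-d.example": {"@": ["some unrelated verification token"],
                       "_dmarc": ["v=DMARC1; p=quarantine; pct=50"]},
}


def classify_spf(records: List[str]) -> str:
    """Judge an SPF record by the qualifier on its 'all' mechanism."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "NOK (no record)"
    qualifier = "+"                       # SPF default when 'all' is absent or unqualified
    for term in spf[0].split()[1:]:
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"-": "OK (-all)", "~": "POK (~all)", "?": "POK (?all)"}.get(
        qualifier, "NOK (+all or no all)")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(records: List[str]) -> str:
    """Judge a DMARC record by its policy and the percentage it applies to."""
    dmarc = [r for r in records if r.upper().replace(" ", "").startswith("V=DMARC1")]
    if not dmarc:
        return "NOK (NX)"
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))     # pct defaults to 100 when omitted
    if policy == "reject" and pct == 100:
        return "OK (reject 100%)"
    return f"POK ({policy} {pct}%)"


def assess(domain: str, zone: Dict[str, Dict[str, List[str]]] = SAMPLE_TXT) -> Tuple[str, str]:
    """Return (SPF verdict, DMARC verdict) for one domain in the zone data."""
    names = zone[domain]
    return classify_spf(names.get("@", [])), classify_dmarc(names.get("_dmarc", []))


if __name__ == "__main__":
    for domain in SAMPLE_TXT:
        spf, dmarc = assess(domain)
        print(f"* {domain} : SPF record {spf} ; DMARC record {dmarc} ;")
```

DKIM is left out on purpose: as the comment notes, the selector is only known once you hold a signed message from the bank, so there is nothing to look up blind.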

  13. […] end of year update. No big SSL exploits have been released since (bar DH, see […]

  14. David says:

    Argenta updated their website recently. It seems much better.
