Belgian banks & SSL — part 4

Because of the media storm, it’s time for an update. The previous (1, 2, 3) blog posts are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015
    • Ogone: C to A-
  • 02/03/2015
    • Fortuneo: C to B
  • 03/03/2015
    • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate that they asked SSL Labs not to scan them. I have also added a couple of new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as a banking tool).

I would like to apologise to every IT’er who had a crappy Monday morning, and to thank you for fixing SSL so fast. 🙂

The entire list, updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites so that the login page is now tested and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

Grade B

  • Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • DHB Bank: weak signature (SHA1), RC4 (insecure).
  • Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • Optima Bank: vulnerable to the POODLE attack in both SSL3 and TLS, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here; grade A(+) is the best possible ranking and F the worst.

Respect to those who sent a mailing to their customers with more detailed information. Communication++

Respect to Rabobank for being the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address), thanked me for the work I did, asked for more details, etc.

And thank you to an anonymous person, working for one of the big banks, for giving me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.



Comments

40 responses to “Belgian banks & SSL — part 4”

  1. […] EDIT: ING is now A- (not reflected in this blog post). EDIT 2: Keytrade & Hello Bank also went to A. I’ll update this blog post later tonight. EDIT 3: Updated post here. […]

  2. Jd

    There is still one bank missing

      1. Jd

        Bkcpbanque.be

        1. Yeri Tiete

          Updated
          => BKCP => B => weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

  3. remi

    Hello Yeri, for EuropaBank you just need to know how to use OpenSSL to discover _for yourself_ everything that Qualys’ SSL Labs reports.

    I imagine that as a great security Hacker (as the press portrays you, hahaha, oops sorry) it won’t be hard for you to find the parameters needed for the # openssl command to do this (man openssl).

    If you need help, don’t hesitate to ask here 😉

    1. Yeri Tiete

      Feel free to post it. 🙂 but alternatives are here: https://github.com/ssllabs/research/wiki/Assessment-Tools

  4. remi

    I can’t do everything, my mum is calling me to go to bed 🙁 But here are already a few examples:

    # openssl s_client -connect www.ebonline.be:443
    => RC4 cipher (“Cipher : RC4-MD5”)
    => You copy/paste the certificate into a file ‘x’ (the part between -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----), then: openssl x509 -in x -noout -text : SHA-1 (Signature Algorithm: sha1WithRSAEncryption)
    # openssl s_client -connect www.ebonline.be:443 -ssl3
    => SSLv3 supported (Protocol : SSLv3)

    So we’re already at grade B (RC4 + SHA1 + SSLv3); for the rest (i.e. POODLE, BEAST, …) I’ll let you do it, or else you wait until tomorrow after I’ve eaten my Coco Pops 😉

    1. Yeri Tiete

      Great! And yes, it’s POODLE vulnerable.

    2. Cedric

      And how do you assess whether a mitigation has been applied?
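
The openssl checks in remi’s comment can be turned into something repeatable. The Python below is an added example written for this page (it is not code from the post, from remi, or from SSL Labs): it parses the fields remi reads off `openssl s_client` and `openssl x509 -noout -text` output and maps them onto the wording the post uses for each bank (SSL3, weak signature, no TLS 1.2, RC4, no Forward Secrecy). Every transcript in it is constructed by hand and labelled as such; nothing is contacted over the network. The RC4 and forward-secrecy checks only look at the single cipher the server negotiated, which is a rougher measure than the full cipher-suite enumeration SSL Labs performs.

```python
import re

# --- Constructed sample transcripts ------------------------------------------
# These are NOT captured from any bank. They are hand-written snippets in the
# shape of `openssl s_client` and `openssl x509 -noout -text` output, carrying
# the same fields remi reads off: "Protocol :", "Cipher :", "Signature Algorithm:".
SAMPLE_DEFAULT_HANDSHAKE = """\
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 0A0B0C0D
"""

SAMPLE_SSL3_HANDSHAKE = """\
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
"""

# A refused handshake: an error line and no negotiated session.
SAMPLE_REFUSED_HANDSHAKE = """\
CONNECTED(00000003)
139812345678:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1487:
"""

SAMPLE_GOOD_HANDSHAKE = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

SAMPLE_X509_SHA1 = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Constructed Intermediate CA
"""

SAMPLE_X509_SHA256 = """\
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
"""

_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)
_SIGALG = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.MULTILINE)


def parse_session(s_client_output):
    """Return {'protocol': ..., 'cipher': ...} from an s_client transcript, or
    None when no session was negotiated. OpenSSL prints 'Cipher : 0000' or
    '(NONE)' when nothing was agreed, which counts as refused too."""
    proto = _PROTO.search(s_client_output)
    cipher = _CIPHER.search(s_client_output)
    if not proto or not cipher or cipher.group(1) in ("0000", "(NONE)"):
        return None
    return {"protocol": proto.group(1), "cipher": cipher.group(1)}


def signature_algorithm(x509_text):
    """First 'Signature Algorithm:' value in `openssl x509 -noout -text` output."""
    m = _SIGALG.search(x509_text)
    return m.group(1) if m else None


def has_forward_secrecy(cipher_name):
    """OpenSSL cipher names starting with ECDHE- or DHE- use an ephemeral key
    exchange; anything else (plain RSA key exchange, RC4-MD5, ...) does not."""
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def findings(default_out, ssl3_out, tls12_out, x509_text):
    """Map three handshakes (default, forced -ssl3, forced -tls1_2) plus the
    leaf certificate onto the wording the blog post uses per bank."""
    issues = []
    if parse_session(ssl3_out) is not None:
        issues.append("SSL3 (insecure)")
    sig = signature_algorithm(x509_text) or ""
    if re.search(r"sha1|md5", sig, re.IGNORECASE):
        issues.append("weak signature (SHA1)")
    if parse_session(tls12_out) is None:
        issues.append("no TLS 1.2")
    default = parse_session(default_out)
    if default is not None:
        if "RC4" in default["cipher"]:
            issues.append("RC4 (insecure)")
        if not has_forward_secrecy(default["cipher"]):
            issues.append("no Forward Secrecy")
    return issues


if __name__ == "__main__":
    print("weak server:", findings(SAMPLE_DEFAULT_HANDSHAKE, SAMPLE_SSL3_HANDSHAKE,
                                   SAMPLE_REFUSED_HANDSHAKE, SAMPLE_X509_SHA1))
    print("good server:", findings(SAMPLE_GOOD_HANDSHAKE, SAMPLE_REFUSED_HANDSHAKE,
                                   SAMPLE_GOOD_HANDSHAKE, SAMPLE_X509_SHA256))
```

To feed it real output, run the three handshakes against your own server (the default one remi shows, then with `-ssl3`, then with `-tls1_2`) and pass the captured text in; whether `-ssl3` is still accepted by your local openssl build depends on how it was compiled, and a build without SSLv3 will simply report the option as unknown, which this parser also treats as "not negotiated".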

  5. Matthias

    Evi (part of Van Lanschot) gets A+:
    https://www.ssllabs.com/ssltest/analyze.html?d=secure.evi.be

  6. stefaan Roegiers

    Binck Bank belgique : A (only minor issue with SHA1):

    https://www.ssllabs.com/ssltest/analyze.html?d=binck.be

    1. Yeri Tiete

      Thanks — updated! (and using their login page instead of homepage: https://www.ssllabs.com/ssltest/analyze.html?d=login.binck.be&hideResults=on)

  7. Michel Joossens

    Dear Yeri,
    Bank Van Breda and ABK took the necessary measures on Monday morning, as a result of which they have received a B rating.

    1. Yeri Tiete

      Great, I’ll update my list!

      1. Matthias

        Via spaargids.be I found a few more banks that weren’t on the list yet:
        – Optima Bank (F)
        – PSA Bank (C) + inconsistent server config (?)
        – DHB Bank (B)
        – NIBC Direct (B)
        – Fintro (A-)
        – Banca Monte Paschi Belgio (A)

        Links:
        https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.nibcdirect.be
        https://www.ssllabs.com/ssltest/analyze.html?d=optimaonline.optimabank.be
        https://www.ssllabs.com/ssltest/analyze.html?d=www.montepaschi.be
        https://www.ssllabs.com/ssltest/analyze.html?d=netbanking.dhbbank.com&latest
        https://www.ssllabs.com/ssltest/analyze.html?d=www.fintro.be
        https://www.ssllabs.com/ssltest/analyze.html?d=www.psabank.be

        Some of these banks have probably taken advantage of the last few days to improve their score. As far as I can see there is no way to look up historical scans at SSL Labs?

        No idea whether Optima Bank is still going to fix this, since they’re planning to wind down:
        http://www.tijd.be/nieuws/ondernemingen_financien/Optima_zet_punt_achter_bankactiviteiten.9540310-3095.art?ckc=1

        1. Yeri Tiete

          No, there’s no way to check historical data (and the chance that they were ever tested at all is small too).

          I’ll add them. Thanks.

    1. Michel Joossens

      The planned unavailability has nothing to do with the reporting about SSL. Next weekend we are laying the foundation for a new application with, among other things, real-time payments, a tablet and smartphone version, a modern look and feel, etc. This is part of a project that has been in progress for more than a year.

  8. John

    In an e-mail MeDirect says that after an update they carried out last night they went from F to A.

    1. Yeri Tiete

      Great, I’ll adjust it.

      1. John

        Small remark: MeDirect went from F to A, not from B to A as your update says.

        Btw, could you please remove that link from my previous post? (privacy issue)

        1. Yeri Tiete

          I’ll adjust both. 🙂 Can’t you edit your own comment?

  9. totor

    Hi Yeri, thanks for your posts and for the press coverage, I think that Belgium will be one of the first countries to be freed from XP + IE6 so quickly 🙂 IT departments of the banks congratulate you (and for sure do not hate you as you seem to think all the time). It is not always easy to convince the marketing departments that we have to secure our infras with the downside that we might lose customers (temporarily).
    Even if you’re not a security expert as the press is stating, you should continue doing the same for other security or IT aspects (CSP, IPv6, …); you seem to be listened to by the press now and thus by marketing.

    1. Yeri Tiete

      Hehe, thanks.
      In my very first post (https://yeri.be/belgian-banks-ssl — all the way at the bottom) I checked for IPv6 DNS records. But it’s not “security”, so it won’t have the same effect. 😉

    2. Cedric

      Imho, you didn’t understand how security brings value to a business. You only understood how security needs to be covered technically.

      You’re basically missing a set of knowledge you should acquire (and I’m an IT operations guy!) to perform well in these areas. You don’t have to lose customers (even temporarily). Just learn that reputation is a higher risk than technical attack.

      Tbh, I’m more in favor of blaming all the banks because SSLv3 was still supported while it should have been decom’ a while ago.

  10. Ndp

    Hello;
    Please notice that situation for AXA has changed: AXA Bank (axabank.be): Grade A
    (AXA.be is the insurance part today)

    1. Yeri Tiete

      You are right. I’ll use “http://www.fe.axa.be” that links to their Homebank/login. However, it still shows “B” here. Axabank is indeed A+ — but it’s clearly running on another server/proxy than their Homebank.

  11. Lander

    Ingenico payment services (Ogone) is no longer grade C but A- 😉

    1. Yeri Tiete

      Great — I’ll update it. 🙂

  12. arnaud

    Hi Yeri,

    Interesting finding: keytradebank.com became A+ yesterday but it is still using a SHA-1 certificate in its certificate chain. The only thing which changed is that the keychain sent by keytrade does not contain the root CA but just the intermediate CA. However the root CA provided by the trusted store of Qualys is well SHA-1. Seems to be a bug in the Qualys report?

    Another interesting post you could write on your blog regarding the security of the bank concerns the phishing and associated counter-measures (SPF/DKIM/DMARC). You’ll discover interesting things as well.

    Cheers, A.

    1. Yeri Tiete

      SHA1 doesn’t get punished yet, I believe. They have until end of 2015 (I think) to fix it.

      Keytrade’s own certificate is correctly using SHA2, it’s the CA record which has a lower bitrate => “Don’t worry if the root certificate uses SHA1; signatures on roots are not used (and Chrome won’t warn about them).” (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know)

      About mail security, I found almost no one is (properly) using it, so I’m guessing none of the banks have the right records set up. 🙂

  13. arnaud

    * ING: SPF record OK (-all) ; DMARC record OK (reject 100%) ;
    * Rabobank : SPF record POK (~all) ; DMARC record NOK (NX) ;
    * Triodos : SPF record OK (-all) ; DMARC record NOK (NX) ;
    * BNP Paribas Fortis : SPF record POK (~all) ; DMARC record NOK (NX) ;
    * Keytrade Bank : SPF record OK (-all) ; DMARC record OK (reject 100%) ;
    * Belfius : SPF record OK (-all) ; DMARC POK (none 0%) ;
    * Argenta : SPF record POK (~all) ; DMARC POK (none 100%) ;
    …etc.

    So several banks are doing something but not as good as ING & Keytrade.
    Note that for DKIM you’ll need to receive an email from the bank in order to check it.
    There is no easy way to find out except if you know in advance which selector (s=) they’re using.

    Regards,
    A.

    1. Yeri Tiete

      You should create a dedicated page/blog for this!
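
arnaud’s OK / POK / NOK shorthand maps directly onto the policy terms in the two DNS records: the qualifier on SPF’s `all` mechanism and DMARC’s `p=` / `pct=` tags. The Python below is an added example written for this page (not arnaud’s or the post’s own code) that classifies SPF and DMARC TXT records with that scheme and emits lines in his layout. The records are constructed for illustration (`.example` domains, not any bank’s real DNS), `None` stands for "no record published", the SPF `redirect=` modifier is not followed, and the DKIM helper only builds the name to query, since, as arnaud notes, the selector has to be known first.

```python
import re

# Constructed records for illustration: made-up domains, not any bank's DNS.
# None stands for "no record published" (no TXT answer / NXDOMAIN).
SAMPLE_RECORDS = {
    "strict.example":  {"spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.strict.example -all",
                        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"},
    "soft.example":    {"spf": "v=spf1 mx ~all",
                        "dmarc": None},
    "monitor.example": {"spf": "v=spf1 a -all",
                        "dmarc": "v=DMARC1; p=none; pct=0; rua=mailto:dmarc@monitor.example"},
    "neutral.example": {"spf": "v=spf1 ?all",
                        "dmarc": "v=DMARC1; p=quarantine; pct=50"},
    "nothing.example": {"spf": None, "dmarc": None},
}

_ALL_TERM = re.compile(r"^([-~?+]?)all$", re.IGNORECASE)


def classify_spf(txt):
    """arnaud's scheme: OK = hard fail (-all), POK = soft fail (~all),
    NOK = anything weaker (?all, +all, no 'all' term) or no record at all.
    Limitation: a 'redirect=' modifier is not followed, so such a record
    lands in NOK here even if the target domain ends in -all."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return "NOK"
    for term in txt.split()[1:]:
        m = _ALL_TERM.match(term)
        if m:
            qualifier = m.group(1) or "+"   # RFC 7208: a missing qualifier means '+'
            return {"-": "OK", "~": "POK"}.get(qualifier, "NOK")
    return "NOK"  # no 'all' term: the default result is neutral


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt):
    """OK = p=reject, POK = p=quarantine or p=none, NOK = missing or invalid.
    The percentage is pct= (default 100), rendered as arnaud does: 'OK (reject 100%)'."""
    if txt is None:
        return "NOK (NX)"
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "NOK (invalid)"
    pct = tags.get("pct", "100")
    verdict = "OK" if policy == "reject" else "POK"
    return f"{verdict} ({policy} {pct}%)"


def dkim_record_name(selector, domain):
    """DKIM public keys live at <selector>._domainkey.<domain>. Without the
    selector (the s= tag of a received mail's DKIM-Signature header) there is
    nothing to query, which is arnaud's point."""
    return f"{selector}._domainkey.{domain}"


def report(records):
    """One line per domain, in the same layout as arnaud's comment."""
    return [
        f"* {domain} : SPF record {classify_spf(rec.get('spf'))} ; "
        f"DMARC record {classify_dmarc(rec.get('dmarc'))} ;"
        for domain, rec in records.items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```

To run this against live data, fetch the TXT record of the domain itself for SPF and of `_dmarc.<domain>` for DMARC (for example with `dig +short txt _dmarc.<domain>`) and pass the strings in; a record that ends in `~all` or carries `p=none` lets the domain observe reports without rejecting anything, which is why arnaud marks it POK rather than OK.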

  14. […] end of year update. No big SSL exploits have been released since (bar DH, see […]

  15. David

    Argenta updated their website recently. It seems much better.
