
Belgian banks & SSL — part 4

Because of the media storm it’s time for an update. The previous blog posts (1, 2, 3) are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015:
    • Ogone: C to A-
  • 02/03/2015:
    • Fortuneo: C to B
  • 03/03/2015:
    • Crelan: B to A

I cannot test Europabank using SSL Labs; I can only speculate that they asked SSL Labs not to scan them. I have also added a couple of new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as a bank tool).

I would like to apologise to every IT’er who had a crappy Monday morning, and thank you for fixing SSL so fast. 🙂

The entire list updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

Grade B

  • Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • DHB Bank: weak signature (SHA1), RC4 (insecure).
  • Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • VDK: SSL3 (insecure), no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • Optima Bank: vulnerable to the POODLE attack (both the SSL3 and the TLS variant), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (or A+) is the best possible rating and F the worst.

Respect to those who sent a mailing to their customers with more detailed information. Communication++

Respect to Rabobank for being the only bank that contacted me directly (officially, not hiding behind a Gmail or Hotmail address), thanked me for the work I did, asked for more details, etc.

And thanks to an anonymous person, working for one of the big banks, for giving me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.

40 replies on “Belgian banks & SSL — part 4”

Hello Yeri, for Europabank you just need to know how to use OpenSSL to discover _by yourself_ everything that Qualys SSL Labs reports.

I imagine that as a great security Hacker (as the press portrays you, hahaha, oops, sorry) it won’t be hard for you to discover the parameters needed for the # openssl command to do this (man openssl).

If you need help, don’t hesitate to ask here 😉

I can’t do everything, my mum is calling me to go to bed 🙁 But here are already a few examples:

# openssl s_client -connect www.ebonline.be:443
=> RC4 encryption (“Cipher : RC4-MD5”)
=> Copy/paste the certificate into a file ‘x’ (the part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), then: openssl x509 -in x -noout -text : SHA-1 (Signature Algorithm: sha1WithRSAEncryption)
# openssl s_client -connect www.ebonline.be:443 -ssl3
=> SSLv3 supported (Protocol : SSLv3)

So we are already at grade B (RC4 + SHA1 + SSLv3); for the rest (i.e. POODLE, BEAST, …) I’ll leave it to you, or else wait until tomorrow after I’ve eaten my Coco Pops 😉
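The findings in the grade lists above (SSL3, RC4, no TLS 1.2, no Forward Secrecy, no secure renegotiation, SHA-1 signature) can all be reproduced with the openssl commands the comment above sketches. The script below is an added example, not the blog’s or the commenter’s code: it wraps `openssl s_client` and `openssl x509 -text`, and keeps the parsing and verdict logic (`assess`) pure so it can be run on captured output. It assumes an `openssl` binary on PATH and a hostname the reader supplies; the sample outputs embedded at the bottom are constructed, not captured from any bank. Caveat: recent OpenSSL builds refuse `-ssl3` and ship no RC4 suites, so on such a build those two checks report "untestable" rather than a verdict.

```python
"""Reproduce the SSL Labs findings quoted in the post with the openssl CLI.

Added example, not the blog's code. probe() shells out to `openssl s_client`
and needs network access; assess() is pure and works on captured output.
"""
import re
import subprocess


def run_openssl(args, stdin=b"", timeout=15):
    """Run an openssl subcommand; return stdout+stderr as text ('' on failure)."""
    try:
        p = subprocess.run(["openssl", *args], input=stdin,
                           capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return (p.stdout + p.stderr).decode(errors="replace")


def s_client(host, port=443, *extra):
    """openssl s_client -connect host:port -servername host <extra>, empty stdin."""
    return run_openssl(["s_client", "-connect", f"{host}:{port}",
                        "-servername", host, *extra])


def parse_session(output):
    """Protocol and cipher from the SSL-Session block; None if no handshake."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher or cipher.group(1) in ("0000", "(NONE)"):
        return None
    return {"protocol": proto.group(1), "cipher": cipher.group(1)}


def untestable(output):
    """True when this openssl build rejected the option or cipher list outright."""
    low = output.lower()
    return "unknown option" in low or "no cipher match" in low


def has_forward_secrecy(cipher):
    """Ephemeral (EC)DH suites in OpenSSL naming; TLS 1.3 suites (TLS_*) always are."""
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def signature_algorithm(x509_text):
    m = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    return m.group(1) if m else None


def is_weak_signature(alg):
    return alg is not None and alg.lower().startswith(("sha1", "md5", "md2"))


def assess(ssl3_out, tls12_out, rc4_out, default_out, x509_text):
    """Map raw openssl outputs to the finding strings used in the post."""
    findings = []
    if untestable(ssl3_out):
        findings.append("SSL3: untestable with this openssl build")
    elif parse_session(ssl3_out):
        findings.append("SSL3 (insecure)")
    if not parse_session(tls12_out):
        findings.append("no TLS 1.2")
    rc4 = parse_session(rc4_out)
    if untestable(rc4_out):
        findings.append("RC4: untestable with this openssl build")
    elif rc4 and "RC4" in rc4["cipher"]:      # guard against a TLS 1.3 fallback
        findings.append("RC4 (insecure)")
    sess = parse_session(default_out)
    # Simplification: only the suite negotiated with this client's default offer
    # is inspected; SSL Labs tests forward secrecy against reference browsers.
    if sess and not has_forward_secrecy(sess["cipher"]):
        findings.append("no Forward Secrecy")
    if "Secure Renegotiation IS NOT supported" in default_out:
        findings.append("no support for secure renegotiation")
    if is_weak_signature(signature_algorithm(x509_text)):
        findings.append("weak signature (SHA1)")
    return findings


def probe(host, port=443):
    """Live check: four s_client handshakes plus x509 -text on the leaf certificate."""
    default_out = s_client(host, port)
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                    default_out, re.S)
    x509_text = run_openssl(["x509", "-noout", "-text"],
                            pem.group(0).encode()) if pem else ""
    return assess(s_client(host, port, "-ssl3"), s_client(host, port, "-tls1_2"),
                  s_client(host, port, "-cipher", "RC4"), default_out, x509_text)


# Constructed s_client / x509 excerpts (not captured from any real bank).
SAMPLE_LEGACY = ("New, TLSv1/SSLv3, Cipher is RC4-MD5\n"
                 "Secure Renegotiation IS NOT supported\n"
                 "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : RC4-MD5\n")
SAMPLE_MODERN = ("New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\n"
                 "Secure Renegotiation IS supported\n"
                 "SSL-Session:\n    Protocol  : TLSv1.2\n"
                 "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n")
SAMPLE_FAILED = ("SSL routines:ssl3_get_record:wrong version number\n"
                 "New, (NONE), Cipher is (NONE)\n"
                 "SSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : 0000\n")
SAMPLE_X509_SHA1 = "    Signature Algorithm: sha1WithRSAEncryption\n"
SAMPLE_X509_SHA256 = "    Signature Algorithm: sha256WithRSAEncryption\n"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it as `python3 sslcheck.py login.bank.example` against the login host (as the post says, the login page, not the marketing homepage). The forward-secrecy verdict is deliberately the crude one: it only looks at what this client negotiates by default, whereas SSL Labs simulates several browser handshakes, so treat a clean result here as necessary, not sufficient.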

Dear Yeri,
Bank Van Breda and ABK took the necessary measures on Monday morning, which earned them a B rating.

Via spaargids.be I found a few more banks that were not yet on the list:
– Optima Bank (F)
– PSA Bank (C) + inconsistent server config (?)
– DHB Bank (B)
– NIBC Direct (B)
– Fintro (A-)
– Banca Monte Paschi Belgio (A)

Links:
https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.nibcdirect.be
https://www.ssllabs.com/ssltest/analyze.html?d=optimaonline.optimabank.be
https://www.ssllabs.com/ssltest/analyze.html?d=www.montepaschi.be
https://www.ssllabs.com/ssltest/analyze.html?d=netbanking.dhbbank.com&latest
https://www.ssllabs.com/ssltest/analyze.html?d=www.fintro.be
https://www.ssllabs.com/ssltest/analyze.html?d=www.psabank.be

Some of these banks have probably taken advantage of the last few days to improve their score. As far as I can see there is no way to look up historical scans on SSL Labs?

No idea whether Optima Bank is still going to fix this, since they plan to stop:
http://www.tijd.be/nieuws/ondernemingen_financien/Optima_zet_punt_achter_bankactiviteiten.9540310-3095.art?ckc=1

The planned unavailability has nothing to do with the reporting about SSL. Next weekend we are laying the foundation for a new application with, among other things, real-time payments, a tablet and smartphone version, a modern look and feel, etc. This is part of a project that has been under way for more than a year.

Small remark: MeDirect went from F to A, not from B to A as your update says.

By the way, could you please remove that link from my previous post? (privacy issue)

Hi Yeri, thanks for your posts and for the press coverage, I think that Belgium will be one of the first countries to be freed from XP + IE6 so quickly 🙂 The IT departments of the banks congratulate you (and certainly do not hate you as you seem to think all the time). It is not always easy to convince the marketing departments that we have to secure our infrastructures, with the downside that we might lose customers (temporarily).
Even if you’re not a security expert as the press is stating, you should continue doing the same for other security or IT aspects (CSP, IPv6, …); you seem to be listened to by the press now, and thus by marketing.

Imho, you didn’t understand how security brings value to a business. You only understood how security needs to be covered technically.

You’re basically missing a set of knowledge you should acquire (and I’m an IT operations guy!) to perform well in these areas. You don’t have to lose customers (even temporarily). Just learn that reputation is a higher risk than a technical attack.

Tbh, I’m more in favour of blaming all the banks because SSLv3 was still supported while it should have been decommissioned a while ago.

Hi Yeri,

Interesting finding: keytradebank.com became A+ yesterday but it is still using a SHA-1 certificate in its certificate chain. The only thing that changed is that the chain sent by Keytrade no longer contains the root CA, only the intermediate CA. However, the root CA provided by Qualys’s trust store is indeed SHA-1. Seems to be a bug in the Qualys report?

Another interesting post you could write on your blog regarding the security of the banks concerns phishing and the associated counter-measures (SPF/DKIM/DMARC). You’ll discover interesting things there as well.

Cheers, A.

SHA1 doesn’t get punished yet, I believe. They have until end of 2015 (I think) to fix it.

Keytrade’s own certificate is correctly using SHA2; it’s the CA record which has a lower bitrate => “Don’t worry if the root certificate uses SHA1; signatures on roots are not used (and Chrome won’t warn about them).” (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know)

About mail security, I found almost no one is (properly) using it, so I’m guessing none of the banks have the right records set up. 🙂

* ING: SPF record OK (-all) ; DMARC record OK (reject 100%) ;
* Rabobank : SPF record POK (~all) ; DMARC record NOK (NX) ;
* Triodos : SPF record OK (-all) ; DMARC record NOK (NX) ;
* BNP Paribas Fortis : SPF record POK (~all) ; DMARC record NOK (NX) ;
* Keytrade Bank : SPF record OK (-all) ; DMARC record OK (reject 100%) ;
* Belfius : SPF record OK (-all) ; DMARC POK (none 0%) ;
* Argenta : SPF record POK (~all) ; DMARC POK (none 100%) ;
…etc.

So several banks are doing something but not as good as ING & Keytrade.
Note that for DKIM you’ll need to receive an email from the bank in order to check it.
There is no easy way to find out, except if you know in advance which selector (s=) they’re using.

Regards,
A.
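The OK / POK / NOK ratings in the reply above come down to a few DNS TXT lookups and some parsing. The script below is an added example, not the blog’s or the commenter’s code: `classify_spf`, `classify_dmarc` and `classify_dkim` are pure functions over TXT record strings, and `dig_txt` shells out to `dig` (assumed installed) for live lookups. The domain `bank.example`, the selector name and all sample `dig` output are constructed, not real bank records. As the reply notes, the DKIM selector cannot be discovered; it has to be read from the `s=` tag of a DKIM-Signature header on a mail the bank actually sent.

```python
"""Rate a domain's anti-spoofing DNS like the table above: SPF and DMARC as
OK / POK (partly OK) / NOK, plus a DKIM key check once the selector is known.

Added example, not the blog's code. The classify_* functions are pure and
take TXT record strings; dig_txt() needs `dig` and network. Samples are constructed.
"""
import re
import subprocess


def parse_dig_txt(output):
    """`dig +short TXT` prints one record per line as one or more "quoted" chunks."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks))
    return records


def dig_txt(name):
    """TXT records for name, chunks joined; [] when dig is missing or times out."""
    try:
        out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True,
                             text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return parse_dig_txt(out)


def classify_spf(txt_records):
    """OK: hard fail (-all); POK: soft fail (~all); NOK: absent, duplicated, neutral or pass-all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("NOK", "NX")
    if len(spf) > 1:
        return ("NOK", "multiple SPF records (permerror)")
    for term in spf[0].split()[1:]:
        t = term.lower()
        if re.fullmatch(r"[-~?+]?all", t):   # first 'all' wins; later terms are ignored
            return {"-": ("OK", "-all"), "~": ("POK", "~all")}.get(t[0], ("NOK", t))
    return ("NOK", "no 'all' mechanism")     # redirect= modifiers are not followed here


def dmarc_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def classify_dmarc(txt_records):
    """Records from _dmarc.<domain>. OK: p=reject at pct=100; POK: anything weaker; NOK: absent."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ("NOK", "NX")
    tags = dmarc_tags(dmarc[0])
    policy = tags.get("p", "none").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    label = f"{policy} {pct}%"
    return ("OK", label) if policy == "reject" and pct == 100 else ("POK", label)


def classify_dkim(txt_records):
    """Records from <selector>._domainkey.<domain>; an empty p= means the key was revoked."""
    keys = [dmarc_tags(r) for r in txt_records if "p=" in r]
    if not keys:
        return ("NOK", "NX")
    return ("OK", "key published") if keys[0].get("p") else ("NOK", "key revoked")


def rate(domain, dkim_selector=None):
    """Live lookup; the DKIM selector comes from the s= tag of a real DKIM-Signature header."""
    result = {"spf": classify_spf(dig_txt(domain)),
              "dmarc": classify_dmarc(dig_txt(f"_dmarc.{domain}"))}
    if dkim_selector:
        result["dkim"] = classify_dkim(dig_txt(f"{dkim_selector}._domainkey.{domain}"))
    return result


# Constructed `dig +short TXT` output for a hypothetical bank.example (not real records).
SAMPLE_DIG_SPF = ('"v=spf1 " "ip4:192.0.2.0/24 include:_spf.mail.example" " -all"\n'
                  '"some-site-verification=abc123"\n')
SAMPLE_DIG_DMARC = '"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@bank.example"\n'
SAMPLE_DIG_DKIM = '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'

if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:
        print(domain, rate(domain))
```

Note the two things the POK bucket hides: a `~all` SPF only asks receivers to mark mail as suspicious, and a DMARC `p=none` (or `p=reject` with `pct` below 100) still lets spoofed mail through, so "something is published" is not the same as "phishing with this sender domain is blocked".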

