
A new study found that half of UK’s financial institutions, including high-street banks, use insecure SSL certificates on their online banking portals.

The report by information security firm Xiphos Research examined the websites – particularly, the secure customer login components – of 22 UK-owned retail banks, as well as those of financial institutions associated with foreign companies operating at a high-street level within the UK.

“The UK finance industry is one of the largest in the world, and so the logic follows should be one of the most robust from a security perspective,” said Mike Kemp, co-founder of Xiphos Research, in a blog post.

“Sadly, our findings seem to contradict this,” he added.

Researchers found that of the 22 British-owned financial institutions examined, half (50 percent) were observed to have insecure Secure Sockets Layer (SSL) instances. Furthermore, of the 25 foreign-owned retail banks operating in the UK, 79 percent were found to have insecure SSL instances.

Additionally, the report found that 51 percent of the UK’s top 37 building societies also have insecure instances.

Of the 84 SSL instances included as part of its research, the firm noted 12 of them (14 percent) were rated an ‘F’ – the worst possible score they could have.

“It was our expectation that the majority would be secure. After all, finance is a risk-averse sector,” said Kemp, who calls the results “shockingly bad.”

To make matters worse, a number of the authentication URLs tested appeared to be vulnerable to well-known crypto flaws, such as the POODLE vulnerability uncovered by Google’s security team in October 2014.

Furthermore, some SSL instances were found operating using version 3 of the SSL protocol, which was officially deprecated as of December 2014.

Kemp notes the research team has attempted to reach out to affected banks and financial institutions, though this process “has not been an easy task to accomplish,” he adds.

Details of the findings were ultimately presented to the UK’s National Crime Agency (NCA) on Dec. 18.

  • unixist

    The title of the article is a bit misleading. Although the SSL attacks left unaddressed by many of the banks are old, their exploitation requires a privileged position on the network.

    So while the particular execution phase that targets the SSL vulns may be simple, calling the attack “low-skilled” seems to miss the boat.