SSL Security In European Banking


Moved by recent security issues regarding SSL and certificates, I wanted to study the state of SSL security in the European online banking system.


Hi, I'm Paul, Codacy's most recent hire.
I don't understand a lot about HTTPS servers, but when my colleagues showed me the HTTPS grading report of one of the largest Portuguese banks, I knew it was bad and wanted to get a bigger picture of the banking sector.

To do so, I looked at the top 41 biggest European banks in terms of assets (ranking provided by Relbanks) and used the SSL Labs website to run an SSL analysis of their e-banking URL (if available).

The grade is calculated with SSL Labs' own rating system, which scores protocol support, key exchange and cipher strength separately, combines them into a 0 to 100 score, and then caps or fails the result for specific flaws (SSL 2 support, insecure renegotiation and the like).

Here is a short overview by country and grade:

Country         A+    A   A-    B    F  Count
Austria          0    1    0    0    0      1
Belgium          0    0    1    1    0      2
Denmark          0    0    0    1    0      1
France           0    0    1    2    2      5
Germany          1    1    4    2    1      9
Ireland          0    0    0    1    0      1
Italy            0    0    2    0    1      3
Netherlands      0    0    3    0    0      3
Norway           0    0    0    1    0      1
Russia           0    0    1    0    0      1
Spain            0    0    1    2    0      3
Sweden           0    0    2    2    0      4
Switzerland      0    0    1    1    0      2
UK               0    0    2    3    0      5
Total            1    2   18   16    4     41
Share         2.4% 4.9% 43.9% 39.0% 9.8%
And here is the complete list of results:

Rank  Bank                                        Country      Website                                    Grade
   1  HSBC Holdings                               UK           https://www.hsbc.co.uk                     B
   2  Credit Agricole Group                       France       https://www.ca-paris.fr/                   B
   3  BNP Paribas                                 France       https://www.secure.bnpparibas.net          A-
   4  Deutsche Bank                               Germany      https://meine.deutsche-bank.de/            B
   5  Barclays                                    UK           https://bank.barclays.co.uk/               A-
   6  Royal Bank of Scotland Group                UK           https://www.rbsdigital.com                 B
   7  Societe Generale                            France       https://particuliers.societegenerale.fr/   F
   8  Banco Santander                             Spain        https://particulares.gruposantander.es     B
   9  Groupe BPCE                                 France       https://www.bred.fr/                       F
  10  ING Group                                   Netherlands  https://mijn.ing.nl/                       A-
  11  Lloyds Banking Group                        UK           https://online.lloydsbank.co.uk            B
  12  UBS AG                                      Switzerland  https://ebanking-ch2.ubs.com               B
  13  UniCredit S.p.A.                            Italy        https://online-private.unicredit.it/       A-
  14  Credit Suisse Group                         Switzerland  https://cs.directnet.com/                  A-
  15  Rabobank Group                              Netherlands  https://bankieren.rabobank.nl/             A-
  16  Intesa Sanpaolo                             Italy        https://www.intesasanpaolo.com/            A-
  17  Nordea Bank                                 Sweden       https://internetbanken.privat.nordea.se    B
  18  BBVA                                        Spain        https://www.bbva.es                        B
  19  Commerzbank                                 Germany      https://www.commerzbank.de                 A
  20  Standard Chartered                          UK           https://s2b.standardchartered.com          A-
  21  KfW Bankengruppe                            Germany      https://onlinekreditportal.kfw.de          A-
  22  Danske Bank A/S                             Denmark      http://www.danskebank.dk/                  B
  23  DZ Bank Group                               Germany      https://www.dzbank.com/                    A-
  24  ABN AMRO                                    Netherlands  https://www.abnamro.nl/                    A-
  25  Banque Federative du Credit Mutuel (BFCM)   France       https://www.creditmutuel.fr                B
  26  Sberbank                                    Russia       https://online.sberbank.ru/                A-
  27  Landesbank Baden-Wurttemberg (LBBW)         Germany      https://banking.bw-bank.de/                A+
  28  DNB Group (DNB ASA)                         Norway       https://www.dnb.no/en                      B
  29  Skandinaviska Enskilda Banken               Sweden       https://swp2.vv.sebank.se                  A-
  30  Svenska Handelsbanken                       Sweden       https://secure.handelsbanken.se            B
  31  Bayerische Landesbank                       Germany      http://www.bayernlb.de/                    B
  32  KBC Group NV                                Belgium      https://www.kbc.be/                        B
  33  Dexia SA                                    Belgium      https://directnet.dexia.be                 A-
  34  Swedbank                                    Sweden       https://internetbank.swedbank.se/          A-
  35  Erste Group Bank AG                         Austria      https://netbanking.sparkasse.at            A
  36  Banca Monte dei Paschi di Siena             Italy        https://hb.mps.it                          F
  37  Norddeutsche Landesbank (Nord/LB)           Germany      https://banking.blsk.de/                   A-
  38  Deutsche Postbank AG                        Germany      https://banking.postbank.de                A-
  39  Landesbank Hessen Thueringen Girozentrale   Germany      https://www.e-banking.helaba.de/           F
  40  Banco Popular Espanol SA                    Spain        https://www2.bancopopular.es               A-
  41  Bank of Ireland                             Ireland      https://www.365online.com                  B

The only bank that achieved the highest grade possible (A+) is Landesbank Baden-Wurttemberg (LBBW). The worst result belongs to Banca Monte dei Paschi di Siena.
Overall, 4 banks out of 41 failed the SSL security check: Societe Generale, Groupe BPCE, Banca Monte dei Paschi di Siena and Landesbank Hessen Thueringen. Two of them (Societe Generale at rank 7 and Groupe BPCE at rank 9) are in the top 10 of the biggest European banks by assets.
One noteworthy point, though, is that all 41 banks appear to be patched against Heartbleed (CVE-2014-0160).

Let's take a deeper look at these 4 problematic banks:

  • Societe Generale:
      • Only supports TLS 1.0
      • No secure renegotiation (RFC 5746) → exposed to the TLS renegotiation man-in-the-middle attack (CVE-2009-3555), in which an attacker splices chosen plaintext in front of the victim's first request; for a bank that means a forged request executed with the victim's session
      • Insecure client-initiated renegotiation is supported (also a cheap CPU-exhaustion denial-of-service vector, since a renegotiation costs the server far more than the client)
      • No forward secrecy
  • Groupe BPCE:
      • Only supports TLS 1.0
      • No secure renegotiation (RFC 5746) → exposed to the same renegotiation man-in-the-middle attack
      • Insecure client-initiated renegotiation is supported
      • Forward secrecy only supported for some browsers
  • Landesbank Hessen Thueringen Girozentrale:
      • Still supports SSL 2 and only supports TLS 1.0
      • Insecure cipher suites (SSL 2 suites, both with an MD5 MAC):
          • SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)
          • SSL_CK_RC4_128_WITH_MD5 (0x10080)
      • No forward secrecy
  • Banca Monte dei Paschi di Siena:
      • Still supports SSL 2 and only supports TLS 1.0
      • Insecure cipher suites (SSL 2 suites; the EXPORT40 ones carry only 40 secret key bits, DES_64 is single DES, and all use an MD5 MAC):
          • SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)
          • SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)
          • SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)
          • SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)
          • SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)
          • SSL_CK_RC4_128_WITH_MD5 (0x10080)
      • No forward secrecy
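To make the grading concrete, here is an offline model of the SSL Labs rating applied to the findings above. It is an added example, not code from this post and not SSL Labs' own engine: the numeric scores, weights and letter thresholds are the ones published in the SSL Labs SSL Server Rating Guide, while the overrides (SSL 2 support or missing secure renegotiation gives an F, an A without forward secrecy becomes A-, an A with long-lived HSTS becomes A+) only approximate the 2014 rule changes and are assumptions. The server profiles are constructed from the findings listed above; the TLS suites, the 2048-bit key and the hostnames used for each profile are assumed, since the post only names the SSL 2 suites.

```python
"""Offline model of the SSL Labs server rating applied to the findings above.

Added example: not code from the post and not SSL Labs' own engine. Scores,
weights and letter thresholds are the ones published in the SSL Labs SSL
Server Rating Guide; the grade overrides approximate the 2014 rule changes
and are assumptions. The profiles are constructed from the findings listed
in the post; their TLS suites and key sizes are assumed (the post only
names the SSL 2 suites).
"""
import re
from dataclasses import dataclass

# Protocol support scores from the rating guide; best and worst are averaged.
PROTOCOL_SCORE = {"SSL 2.0": 0, "SSL 3.0": 80, "TLS 1.0": 90, "TLS 1.1": 95, "TLS 1.2": 100}
WEIGHTS = (0.3, 0.3, 0.4)  # protocol support, key exchange, cipher strength
GRADES = ((80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E"))  # below 20: F
WEAK_SUITE = re.compile(r"^SSL_CK_|EXPORT|NULL|DES_64|_DES_CBC|RC2|RC4|MD5")


@dataclass
class ServerProfile:
    name: str
    protocols: list             # e.g. ["SSL 2.0", "TLS 1.0"]
    key_bits: int               # certificate key size (or DH parameter size, if weaker)
    cipher_suites: list         # suite names as SSL Labs prints them
    secure_renegotiation: bool  # RFC 5746 renegotiation_info supported
    forward_secrecy: bool       # ECDHE/DHE offered to modern browsers
    hsts_long_max_age: bool = False


def cipher_bits(suite: str) -> int:
    """Effective symmetric strength implied by an SSL 2 or TLS suite name."""
    if "NULL" in suite:
        return 0
    if "EXPORT" in suite:                   # EXPORT40: 40 secret bits, EXPORT1024: 56
        return 56 if "EXPORT1024" in suite else 40
    if "3DES" in suite or "DES_192_EDE3" in suite:
        return 112                          # 3DES: 168-bit key, 112-bit effective strength
    if re.search(r"DES_64|_DES_CBC|_DES_40", suite):
        return 56                           # single DES
    match = re.search(r"_(\d{2,3})_", suite)
    return int(match.group(1)) if match else 128


def strength_score(bits: int) -> int:
    """Cipher strength: 0 bits -> 0, under 128 -> 20, under 256 -> 80, else 100."""
    return 0 if bits == 0 else 20 if bits < 128 else 80 if bits < 256 else 100


def key_exchange_score(profile: ServerProfile) -> int:
    """Key exchange score from key size; export suites cap it (512-bit exchange)."""
    bits = profile.key_bits
    score = 20 if bits < 512 else 40 if bits < 1024 else 80 if bits < 2048 else 90 if bits < 4096 else 100
    if any("EXPORT" in s for s in profile.cipher_suites):
        score = min(score, 40)
    return score


def numeric_score(profile: ServerProfile) -> float:
    """Weighted 0-100 score: 30% protocols, 30% key exchange, 40% cipher strength."""
    proto = [PROTOCOL_SCORE[v] for v in profile.protocols]
    protocol = (max(proto) + min(proto)) / 2
    bits = [cipher_bits(s) for s in profile.cipher_suites]
    cipher = (strength_score(max(bits)) + strength_score(min(bits))) / 2
    return protocol * WEIGHTS[0] + key_exchange_score(profile) * WEIGHTS[1] + cipher * WEIGHTS[2]


def weak_suites(profile: ServerProfile) -> list:
    """Suites a reviewer flags: SSL 2 suites, export grade, DES/RC2/RC4, MD5 MAC."""
    return [s for s in profile.cipher_suites if WEAK_SUITE.search(s)]


def grade(profile: ServerProfile):
    """Letter grade plus reasons. Assumed overrides: SSL 2.0 or insecure
    renegotiation -> F; A without forward secrecy -> A-; A with HSTS -> A+."""
    reasons = []
    if "SSL 2.0" in profile.protocols:
        reasons.append("SSL 2.0 supported")
    if not profile.secure_renegotiation:
        reasons.append("secure renegotiation (RFC 5746) not supported")
    if reasons:
        return "F", reasons
    score = numeric_score(profile)
    letter = next((g for threshold, g in GRADES if score >= threshold), "F")
    if letter == "A" and not profile.forward_secrecy:
        letter, reasons = "A-", ["no forward secrecy"]
    elif letter == "A" and profile.hsts_long_max_age:
        letter = "A+"
    return letter, reasons


# Constructed from the findings above; TLS suites and the 2048-bit key are assumed.
SOCGEN = ServerProfile("particuliers.societegenerale.fr", ["TLS 1.0"], 2048,
                       ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"],
                       secure_renegotiation=False, forward_secrecy=False)
MPS = ServerProfile("hb.mps.it", ["SSL 2.0", "TLS 1.0"], 2048,
                    ["SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
                     "SSL_CK_DES_64_CBC_WITH_MD5", "SSL_CK_RC2_128_CBC_WITH_MD5",
                     "SSL_CK_DES_192_EDE3_CBC_WITH_MD5", "SSL_CK_RC4_128_WITH_MD5",
                     "TLS_RSA_WITH_AES_128_CBC_SHA"],
                    secure_renegotiation=True, forward_secrecy=False)
# Hypothetical well-configured server, for comparison.
GOOD = ServerProfile("example.invalid", ["TLS 1.0", "TLS 1.1", "TLS 1.2"], 2048,
                     ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
                     secure_renegotiation=True, forward_secrecy=True, hsts_long_max_age=True)

if __name__ == "__main__":
    for p in (SOCGEN, MPS, GOOD):
        letter, why = grade(p)
        print(f"{p.name}: {letter} (score {numeric_score(p):.1f}) {why} weak={weak_suites(p)}")
```

Run it and note the Societe Generale profile: on the numbers alone it scores 86, an A, and its F comes entirely from the missing RFC 5746 support. That is the point of the override rules: a single protocol-level flaw that enables an active attack outweighs everything the cipher list does right. The Monte dei Paschi profile is failed for SSL 2 before its export suites are even counted, although they alone would have dragged it down to a D.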

As you can see, some results are really scary. My bank is also affected by a security issue.

The problematic banks have three things in common: outdated protocols, cipher suites that are known to be broken, and no forward secrecy. Banks may keep older protocols and suites enabled because they feel forced to: some customers still run outdated browsers and operating systems, and the bank wants to keep serving them. That argument does not cover the worst findings, though. SSL 2 was formally prohibited by RFC 6176 in 2011 and mainstream browsers had dropped it years before that, export-grade and single-DES suites protect nothing against a motivated attacker, and a server that enforces its own cipher preference can offer ECDHE and AES-GCM to every modern browser first while keeping a plain AES suite as the fallback for the rest. Offering the stronger suites is a server-side change the banks could make on their own, without waiting for their customers to upgrade.
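The compatibility argument is as much about cipher ordering as about which suites exist. As an added example (not from this post, and not any bank's actual configuration), the following builds a server-side ssl.SSLContext in Python using the OpenSSL cipher-string syntax that Apache (SSLCipherSuite), nginx (ssl_ciphers) and most OpenSSL-based front ends share: forward-secret ECDHE/AES-GCM suites first, the broken families excluded by name, and server preference switched on so a capable browser lands on a forward-secret suite while an older one still negotiates plain AES. The legacy string is constructed to resemble what the F-graded servers expose; which of its names resolve depends on the local OpenSSL build (current builds no longer ship RC4, DES or export suites at all), so the audit runs over whatever actually ends up enabled.

```python
"""Offer forward-secret suites first and exclude the broken families, while an
older client can still fall back to plain AES.

Added example, not from the post and not any bank's configuration. It builds
a server-side ssl.SSLContext with the OpenSSL cipher-string syntax shared by
Apache (SSLCipherSuite), nginx (ssl_ciphers) and other OpenSSL-based front
ends. Which names resolve depends on the local OpenSSL build.
"""
import ssl

# Constructed to resemble what the F-graded servers expose, in OpenSSL naming.
# Current OpenSSL builds no longer ship RC4, DES or export suites; those names
# are then silently skipped and only the AES suites remain.
LEGACY_CIPHERS = "RC4-MD5:DES-CBC-SHA:EXP-RC2-CBC-MD5:AES128-SHA:AES256-SHA"

# ECDHE (forward secrecy) first, AEAD before CBC, then explicit exclusions so a
# future library default cannot quietly re-enable a broken family.
MODERN_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-RSA-AES128-SHA256:"
                  "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5")


def build_context(cipher_string: str,
                  minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Server context: protocol floor, server-preferred ordering, explicit suites.
    In 2014 the floor would have been TLS 1.0 for compatibility; today it is 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    # The server's order wins, so a capable browser lands on ECDHE-AES-GCM
    # even if it lists a CBC or non-forward-secret suite first.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_suites(ctx: ssl.SSLContext) -> list:
    """TLS 1.2-and-below suites the context offers, in negotiation order."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(ctx: ssl.SSLContext) -> dict:
    """Suites SSL Labs would warn about, keyed by name: no forward secrecy
    (static RSA key exchange) and RC4/DES/export/MD5/NULL constructions."""
    findings = {}
    for name in enabled_suites(ctx):
        problems = []
        if not name.startswith(("ECDHE-", "DHE-")):
            problems.append("no forward secrecy")
        if any(tag in name for tag in ("RC4", "DES", "EXP", "MD5", "NULL")):
            problems.append("broken or export-grade cipher")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for label, cipher_string in (("legacy", LEGACY_CIPHERS), ("modern", MODERN_CIPHERS)):
        ctx = build_context(cipher_string)
        print(label, enabled_suites(ctx), audit(ctx))
```

With the modern string the audit comes back empty and the first suite offered is ECDHE-based; with the legacy string every surviving suite is flagged for lacking forward secrecy, which is the same warning SSL Labs raised for the banks above. The exclusions are deliberately redundant with the explicit list: if someone later appends a broad keyword such as "ALL" or "HIGH" to the string, the "!" entries still keep RC4, DES and MD5 out.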

As the SSL Labs SSL Server Rating Guide itself explains, an A does not guarantee that a server is completely secure, nor does a lower grade mean its operators are fools.

Before the analysis, I was expecting a clearer separation of results by geography or by economic development. But after checking some Portuguese banks and regional branches of bigger European groups (Santander, BBVA), I saw that the number of banks failing this test was increasing. My fear is that smaller national banks could be seriously affected by SSL security issues.

SSL security issues are just the tip of the iceberg. Banking applications are usually millions of lines long, with years of accumulated legacy code underneath.

Hope you found this information interesting and eye opening.


Edit: We just published an ebook: “The Ultimate Guide to Code Review” based on a survey of 680+ developers. Enjoy!




DISCLAIMER: We only used publicly available information from SSL Labs. We have no control over the accuracy of this information.
