Home Security SSL Security In European Banking

SSL Security In European Banking

Author

Date

Category

Moved by recent security issues regarding SSL and certificates, I wanted to study the state of the SSL security in the European online banking system.


Hi I’m Paul, Codacy’s most recent hire.
I don’t understand a lot about HTTPS servers, but when my colleagues showed me the HTTPS grading report of one of the largest portuguese bank; I knew it was bad and wanted to get a bigger picture of the banking sector.

To do so, I looked at the top 41 biggest european banks in term of assets (provided by Relbanks) and used the website SSLLABS to do a SSL analysis of their e-banking URL (if available).

The grade is calculated using SSLLabs own rate system which takes into account several analysis.

Here is a short overview by country and grade:

CountryA+AA-BFCountAustria010001Belgium001102Denmark000101France001225Germany114219Ireland000101Italy002013Netherlands003003Norway000101Russia001001Spain001203Sweden002204Switzerland001102UK002305Total121816441%2.4%4.9%43.9%39.0%9.8%
And here is the complete list of results:

RankBankCountryWebsiteOverall Grade1HSBC HoldingsUKhttps://www.hsbc.co.ukB2Credit Agricole GroupFrancehttps://www.ca-paris.fr/B3BNP ParibasFrancehttps://www.secure.bnpparibas.netA-4Deutsche BankGermanyhttps://meine.deutsche-bank.de/B5BarclaysUKhttps://bank.barclays.co.uk/A-6Royal Bank of Scotland GroupUKhttps://www.rbsdigital.comB7Societe GeneraleFrancehttps://particuliers.societegenerale.fr/F8Banco SantanderSpainhttps://particulares.gruposantander.esB9Groupe BPCEFrancehttps://www.bred.fr/F10ING GroupNetherlandshttps://mijn.ing.nl/A-11Lloyds Banking GroupUKhttps://online.lloydsbank.co.ukB12UBS AGSwitzerlandhttps://ebanking-ch2.ubs.comB13UniCredit S.p.A.Italyhttps://online-private.unicredit.it/A-14Credit Suisse GroupSwitzerlandhttps://cs.directnet.com/A-15Rabobank GroupNetherlandshttps://bankieren.rabobank.nl/A-16Intesa SanpaoloItalyhttps://www.intesasanpaolo.com/A-17Nordea BankSwedenhttps://internetbanken.privat.nordea.seB18BBVASpainhttps://www.bbva.esB19CommerzbankGermanyhttps://www.commerzbank.deA20Standard CharteredUKhttps://s2b.standardchartered.comA-21KfW BankengruppeGermanyhttps://onlinekreditportal.kfw.deA-22Danske Bank A/SDenmarkhttp://www.danskebank.dk/B23DZ Bank GroupGermanyhttps://www.dzbank.com/A-24ABN AMRONetherlandshttps://www.abnamro.nl/A-25Banque Federative du Credit Mutuel (BFCM)Francehttps://www.creditmutuel.frB26SberbankRussiahttps://online.sberbank.ru/A-27Landesbank Baden-Wurttemberg (LBBW)Germanyhttps://banking.bw-bank.de/A+28DNB Group (DNB ASA)Norwayhttps://www.dnb.no/enB29Skandinaviska Enskilda BankenSwedenhttps://swp2.vv.sebank.seA-30Svenska HandelsbankenSwedenhttps://secure.handelsbanken.seB31Bayerische LandesbankGermanyhttp://www.bayernlb.de/B32KBC Group NVBelgiumhttps://www.kbc.be/B33Dexia SABelgiumhttps://directnet.dexia.beA-34SwedbankSwedenhttps://internetbank.swedbank.se/A-35Erste Group Bank AGAustriahttps://netbanking.sparkasse.atA36Banca Monte dei Paschi di SienaItalyhttps://hb.mps.itF37Norddeutsche Landesbank (Nord/LB)Germanyhttps://banking.blsk.de/A-38Deutsche Postbank AGGermanyhttps://banking.postbank.deA-39Landesbank Hessen Thueringen GirozentraleGermanyhttps://www.e-banking.helaba.de/F40Banco Popular Espanol SASpainhttps://www2.bancopopular.esA-41Bank of IrelandIrelandhttps://www.365online.comB

The only bank that achieved the highest grade possible (A+) is the Landesbank Baden-Wurttemberg (LBBW). The worst bank is the Banca Monte dei Paschi di Siena.
But overall 4 banks out of 41 failed the SSL security check: Societe Générale, Groupe BPCE, Banca Monte dei Paschi di Siena and Landesbank Hessen Thueringen. Two of them are in the top 10 of the biggest european banks!
One noteworthy information, though is that all the banks seem to be protected against the Heartbleed attack.

Lets take a deeper look at these 4 problematic banks:

  • Societe Générale:
  • Only supports TLS version 1.0
  • No secure renegotiation is supported → vulnerable to Man-in-the-Middle attacks
  • Insecure Client-Initiated Renegotiation is supported
  • No Forward Secrecy
  • Groupe BPCE:
  • Only supports TLS 1.0 version
  • No secure renegotiation is supported → vulnerable to Man-in-the-Middle attacks
  • Insecure Client-Initiated Renegotiation is supported
  • Forward Secrecy only supported for some browsers
  • Landesbank Hessen Thueringen Girozentrale:
  • Still supports SSL 2 and only supports TLS 1.0 version
  • Insecure Cipher Suites
  • SSLCKDES192EDE3CBCWITHMD5 (0x700c0)
  • SSLCKRC4128WITHMD5 (0x10080)
  • No Forward Secrecy
  • Banca Monte dei Paschi di Siena:
  • Still supports SSL 2 and only supports TLS 1.0 version
  • Insecure Cipher Suites
  • SSLCKRC2128CBCEXPORT40WITHMD5 (0x40080)
  • SSLCKRC4128EXPORT40WITHMD5 (0x20080)
  • SSLCKDES64CBCWITHMD5 (0x60040)
  • SSLCKRC2128CBCWITHMD5 (0x30080)
  • SSLCKDES192EDE3CBCWITHMD5 (0x700c0)
  • SSLCKRC4128WITH_MD5 (0x10080)
  • No Forward Secrecy

As you can see some results are really scary. My bank is also affected by a security issue.

The more problematic bank appear to have in common: Outdated protocols, ciphers that are known to be broken and no forward secrecy. Most banks might be using older protocols and vulnerable cipher suites because they are forced to, since their clients use outdated browsers and operating systems, they just need to maintain the compatibility for such clients. Still, there may be little reasoning for them to keep their weak and outdated cipher suites. Offering more recent and secure ciphers could be initiated by them.

As explained in SSLLABS’ SSL Server Rating Guide, having an A does not guarantee that a server is completely secure nor that if you don’t have an A you’re a fool.

Before the analysis, I was expecting a more clear separation of results by geography respectively by economic development. But after checking some portuguese banks and regional branches of bigger european groups (Santander, BBVA) I saw that the number of banks failing this test was increasing. My fear is that smaller national banks could be seriously affected by SSL security issues.

SSL security issues are just the tip of the iceberg. Banking software applications are usually millions of lines long and with years of heaped legacy software development.

Hope you found this information interesting and eye opening.


Edit: We just published an ebook: “The Ultimate Guide to Code Review” based on a survey of 680+ developers. Enjoy!


About Codacy

Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.

GET STARTED


DISCLAIMER: We only used publicly available informations from SSLLABS. We have no control over the accuracy of these informations.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Recent posts

Why we implemented Offline days at Codacy

Since the Coronavirus outbreak, like most people, we are facing a unique reality that is challenging us in many ways at the...

Pair programming at Codacy and why we do it

Pair programming, also known as pairing or “dynamic duo” model is not a new concept, and it was pioneered by C/C++ guru...

Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

As part of our effort to continue expanding our language support, we are excited to announce the support of two new tools...

Improve the efficiency of your remote engineering team

COVID-19 hit the ground running and the world felt the impact. Although tech companies seemed to be ahead of the curve by...

Further Enterprise security analysis for Scala

We’re excited to announce the latest addition to our suite of security analysis: Spotbugs. SpotBugs is a program which...