UK Banks Receive Bad Cybersecurity Grades

A security firm has determined that over half of the high-street banks and building societies in the UK still use outdated SSL security measures. This leaves the banks’ online customers vulnerable to even ‘low-skilled’ cyber criminals, the security firm points out.

UK security firm Xiphos has revealed the figures from its research, which checked 22 retail banks in the UK. The findings make for interesting reading: 50 percent of UK-owned retail banks still use SSL, an outdated encryption standard, despite its vulnerabilities having been known for years.

In addition, 79 percent of the 25 foreign-owned banks in the UK and 51 percent of the UK’s top 37 building societies are also using outdated encryption methods, as revealed by a Xiphos Research blog.

Even worse, in 12 of the 84 cases studied, the SSL configuration in use received the worst possible grade, ‘F’. Or, as Xiphos co-founder Mike Kemp calls it, “shockingly bad.”

The security firm has already alerted the National Crime Agency (NCA) to the problem.

In the blog, Mike Kemp stated:

As things stand, over 50 percent of banks and building societies in the UK have weak SSL implementations associated with their secure login functions. This research was conducted in November 2015. It is now January 2016 and we have attempted to reach out numerous times to numerous organisations.

Kemp also expresses bafflement that the banks seem not to care about the findings, even though Xiphos contacted them directly.

“The impacted parties don’t seem to care. We have attempted to contact a number of the affected banks and building societies and have yet to be contacted by anyone other than first-line customer services staff,” he claimed, before adding: “We have however passed details of our findings and the organizations they impact upon to the NCA.”

Kemp and Xiphos are taking a measured stance following the research, stating that they will not name the banks using outdated SSL measures, at least until Xiphos has “confirmation from third parties that they are mitigating the risks.”

The research examined the SSL certificates associated with the banks’ secure login functions by anonymously submitting the associated URLs to an independent SSL auditing service.

“It should be noted that no invasive testing was performed to obtain the results of this research, and that no additional actions other than enumeration of weaknesses within certificate instances were engaged in,” the blog added.

Image credit: Wikimedia.