
365online.com using outdated and insecure encryption cyphers

  • 25-10-2014 4:10pm
    #1
    Registered Users Posts: 106 ✭✭


    Hi,

    The BOI SPAM email encouraging customers to install an app on their smartphone reminded me of another thing in respect of the BOI online banking system (http://www.365online.com):

    Using the command "sslscan" the following is returned:

    sslscan www.365online.com | grep -i ACCEPTED
        Accepted  SSLv3  168 bits  DES-CBC3-SHA
        Accepted  SSLv3  128 bits  RC4-SHA
        Accepted  SSLv3  128 bits  RC4-MD5
        Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
        Accepted  TLSv1  256 bits  AES256-SHA
        Accepted  TLSv1  168 bits  DES-CBC3-SHA
        Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
        Accepted  TLSv1  128 bits  AES128-SHA
        Accepted  TLSv1  128 bits  RC4-SHA
        Accepted  TLSv1  128 bits  RC4-MD5

    The webserver offering the service for online banking is offering encryption using the RC4-cipher. This method of encryption is deemed insecure and does not guarantee data security and integrity anymore.

    The average user is certainly not capable of "forcing" his browser to use only the secure encryption cyphers.

    I already reported this on 12.11.2013 (i.e. nearly a year ago) to BOI and received the following reply:

    'We are not at liberty to discuss in detail any security aspects of 365Online. We can however state that we are constantly reviewing our security standards based on emerging threats and that the solution itself is independently audited and Penetration tested on an ongoing basis'

    Therefore the following questions:
    • Why is BOI using the insecure RC4 encryption cyphers?
    • Why has there been no change on the BOI online banking system ensuring that BOI customers can safely bank online, although BOI knows about the deficiencies of the encryption cyphers their server uses?
    • Why is BOI nevertheless encouraging their customers to use this insecure system by promoting the app for smartphones?

    Kind regards,
    Jörn
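As an added example (not part of the original post or any BOI tooling), here is a small Python check that parses sslscan "Accepted" lines like the ones quoted above and tags each offered suite with the concerns a defender would raise: SSLv3, RC4, an MD5 MAC, 3DES, or no forward secrecy. The embedded input is a copy of the output above; the function names are my own.

```python
import re

# Constructed copy of the sslscan lines quoted in the post above.
SSLSCAN_OUTPUT = """\
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
"""

LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def parse_sslscan(text):
    """Return (protocol, bits, cipher) for every 'Accepted' line in sslscan output."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suites.append((m.group(1), int(m.group(2)), m.group(3)))
    return suites

def issues(protocol, bits, cipher):
    """List the concerns with one suite; an empty list means nothing flagged."""
    reasons = []
    if protocol == "SSLv3":
        reasons.append("SSLv3 protocol")
    if "RC4" in cipher:
        reasons.append("RC4 stream cipher")
    if "DES-CBC3" in cipher:
        reasons.append("3DES (64-bit block)")
    if cipher.endswith("-MD5"):
        reasons.append("MD5 MAC")
    if not cipher.startswith(("ECDHE-", "DHE-")):
        reasons.append("no forward secrecy")
    return reasons

def audit(text):
    """Map 'protocol:cipher' to its list of concerns for every suite in the scan."""
    return {f"{p}:{c}": issues(p, b, c) for p, b, c in parse_sslscan(text)}

def flagged_suites(text):
    """Sorted keys of the suites that have at least one concern."""
    return sorted(k for k, v in audit(text).items() if v)
```

Run against the output above, only the two ECDHE AES suites come back clean; every RC4 and SSLv3 entry is flagged.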


Comments

  • Registered Users Posts: 106 ✭✭jgorres


    Hi,

    There is no reaction from BOI on the board here regarding my request.

    Does that mean that BOI is constantly ignoring security problems?

    Kind regards,
    Jörn.


  • Closed Accounts Posts: 1,066 ✭✭✭Bank of Ireland: Billy


    jgorres wrote: »
    Hi,

    There is no reaction from BOI on the board here regarding my request.

    Does that mean that BOI is constantly ignoring security problems?

    Kind regards,
    Jörn.
    Hi Jörn,
     
    Thanks for contacting us on Boards and apologies for the delay in coming back to you.
     
    Our Technical Team have reiterated the response we previously provided and assured us that our security standards are independently tested.
     
    In terms of browsers, we would recommend the supported browser versions in our Security Page here
     
    Thanks
     
    Billy


  • Registered Users Posts: 106 ✭✭jgorres


    Hi Billy,
    jgorres wrote: »
    Hi,

    There is no reaction from BOI on the board here regarding my request.

    Does that mean that BOI is constantly ignoring security problems?

    Kind regards,
    Jörn.
    Hi Jörn,
     
    Thanks for contacting us on Boards and apologies for the delay in coming back to you.
     
    Our Technical Team have reiterated the response we previously provided and assured us that our security standards are independently tested.
     
    In terms of browsers, we would recommend the supported browser versions in our Security Page here
     
    Thanks
     
    Billy
    The security of the BOI online service is not up to date. The encryption cyphers used have been deemed insecure for about 1 1/2 years now.

    Even if your technical team repeats the response which is one year old, it does not fix the insecure means BOI online is using for its services. In fact, a lot of vehicles are independently tested and fail their NCT ;-)

    And finally - it is not a browser (client) issue, the problem is on the server side at BOI. If the server offers a ****ty encryption method the browser cannot fix it. You are putting BOI online customers at risk.

    Regards,
    Jörn


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    To put the above in perspective for some less technical posters, an encryption cipher is like a key. If your communication uses an older, or lower strength cipher, it's like the key you would have on an internal door in the house: easy to break and copy. If, on the other hand, your communication is protected by a stronger cipher, it's like the key you hopefully have for your front door: harder and takes longer to copy. BOI it would appear are not requiring that your browser supports the stronger keys now available today.

    This is something that cannot be fixed on the client side, so the suggestion to look at a supported browser list is misleading and useless. Your IT colleagues need to face up to this issue and stop hiding. Customer data could be at risk.


  • Registered Users Posts: 106 ✭✭jgorres


    Hi Red Alert,

    Thank you for the picture you are using to express the technical setup.

    Maybe BOI are still even using padlocks on their safes as well - never change a running system.

    On top of that they are encouraging customers to use an app on their "smart" phones.

    What makes me upset is that it needs just the deletion of 4 lines in the configuration files and a restart of the web server to get rid of the RC4 encryption cyphers.

    Jörn
    --
    For security reasons this message was encrypted twice using the ROT13 encryption cypher.

