According to new research by Edward Wall, a Swansea University computer science student, top financial institutions such as TSB, HSBC, Bank of Scotland, and Scottish Widows haven’t updated their websites to use the latest encryption standards for online banking security required by the financial services industry.
The results of the research carried out by Wall identified a total of 14 banks that allow people to access their websites with browsers using old and potentially insecure forms of encryption. Those institutions haven’t upgraded their websites to enforce the use of TLS (Transport Layer Security) cryptographic protocols, online banking security measures that are required by the latest standards as laid out by the banking industry’s Payment Card Industry Data Security Standard (PCI DSS).
Low Scores for UK Bank Encryption
Wall’s analysis gives each bank a score out of 100 for the technical security measures of its website, and while the scores don’t mean user data is exposed or the websites suffer any current security vulnerabilities, they highlight areas where online banking security best practices aren’t being followed.
Santander and Virgin Money score top marks with 53 out of 100, while Co-operative Bank and Smile were the worst performers with scores of just 12.
According to the PCI Standards Council, companies that accept card payments were required to use TLS 1.1 encryption by June 30, 2018. Banks that issue their own credit and debit cards aren’t required to obtain this validation, but they are expected to meet the same standards as older versions of these cryptographic protocols suffer security vulnerabilities from cyber attacks by malicious software (malware) like Heartbleed, POODLE, and BEAST, which can facilitate “man-in-the-middle” attacks where data is intercepted.
Biggest Offenders Identified
The 14 banks Wall’s research uncovered as not using the latest encryption protocols like TLS 1.1 are the Bank of Scotland, Barclays, TSB, Halifax, First Direct, Lloyds Bank, Nationwide Building Society, Tesco Bank, HSBC, M&S Bank, Scottish Widows, Sainsbury’s Bank, Yorkshire Building Society, Co-operative Bank and Smile.
While none of the online banking sites analysed by Wall suffer from any current security vulnerabilities, many of them simply haven’t implemented a range of recommended and updated web technologies designed to protect customers against vulnerabilities, and some of them display irregular handling of HTTPS addresses and forwarding.