Only 3 sites passed our Milwaukee County bank website security review. Who passed and who failed?

The following are results and analysis of a snapshot of SSL Labs Server Tests of Milwaukee county’s state chartered banks’ web servers performed June 2nd, 2015.

View full-screen in a new tab

Results are sorted by:

1. Grade (A to F followed by sites that don’t use secure protocols & failures), then by
2. Number of failed tests (ascending), then by
3. Bank name

Clicking the name of the bank in column A will take you to the SSL Labs report page for that bank’s website  or 3rd party service it uses for online banking (that is why most of the bank names and domains tested in the report don’t directly match.)

Findings

3rd party services are prevalent

As far as I could tell, none of these banks used their own services for managing the actual financial portion (online banking, credit card processing, online deposits, etc.).  They all outsourced to 3rd party services, which you’d think would be more secure since many clients are managed from the same service.

From a confidence and usability standpoint, it should be noted that none of these banks inform or disclose that the user will be redirected to a 3rd party service.

The F (many issues including SSL 2 enabled)

Waterstone Bank’s website got the one and only F grade.   Their server still supports SSL 2, which is obsolete and insecure.  This alone capped their grade to F.  They were also one of two that had SSL 3 enabled.

Additionally, the HTTP version of their site doesn’t automatically redirect to the HTTPS version, which wouldn’t do them much good at this point.  I didn’t go through all the pages, but there doesn’t appear to be any user information that passes through the HTTP or F-grade-receiving-HTTPS-page.  The Account Access links for business and consumer banking link directly to the 3rd party service via HTTPS.

The only A

Metavante’s RemitPoint solution used by Park Bank earns the only A grade.  According to this press release, RemitPoint provides “a centralized image-based remittance processing service.”  The only way for them to get an A+ is to enable HTTP Strict Transport Security support with a max-age of at least 6 months.

Two A- Websites (the other 2 of 3 A grades)

So there is only one bank’s website (not the portion where the online banking occurs) that received an A- grade.  Congrats to Layton State Bank.

Also, only one 3rd party banking service, Park Bank Business Credit Card – Administrator from FIS received an A- grade.

Neither support Forward Secrecy which would boost their respective scores.

 The grade breakdown

• A grade (A or A-): 3/20 – 15%
• B grade: 2/20 – 10%
• C grade: 14/20 – 70%
• D grade: 0/20 – 0%
• F grade: 1/20 – 5%

No secure protocols supported: 2

Assessment failures: 2

Sites without secure protocols

The first is Columbia Savings and Loan Association’s website, which is purely informational.  There are no links to online banking or other login fields for customers.  However, the “Owner Login” link does not target a HTTPS page nor does the login form within.

The second is The Equitable Bank’s website.  The “Access ID” field targets a secure endpoint, but the page itself isn’t secure.  Fortunately, the account password isn’t requested until the 3rd party service’s secured page.

Logjam (95% pass rate)

Information about the latest vulnerability, the Logjam attack was published last month (May 20, 2015).  I wanted to highlight those results specifically in this project.

There was one server that didn’t pass the WeakDH.org server test.  The Park Bank Personal Credit Card service from First Bankcard got the warning about using a common 1024-bit DH prime.  I thought about adding a “Warning” type to Pass/Fail, but decided that anything that wasn’t a pass was a failure.

“Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.”

Things I’d never seen before

In interesting report to look at is the one for Park Bank Merchant Card Processing.  It was the first time I saw the notification “This site is intolerant to newer protocol versions, which might cause connection failures.”

It also only allows for one cipher suite TLS_RSA_WITH_AES_256_CBC_SHA (0x35).  The fewest I had seen before was 3.

The other result I hadn’t encountered was “Assessment failed: Cipher suite support test failed” which occurred on the Points2U test.

Why so many C’s?

If many of you are familiar with these types of analyses, you will notice many more “C” grades than before.  SSL Labs, since the 5/20/15 1.17.10 version release, is penalizing the RC4 cipher when used with TLS 1.1+ more now and not supporting TLS 1.2 caps the grade to a C from a B previously.  Full information on the ratings is available here (PDF).

Date performed: 6/2/15

Sites tested: 24

Data sources

• State charted banks, Milwaukee county: https://www.wdfi.org/fi/banks/licensee_lists/advancedsearch.asp?txtSearchText=Milwaukee&mnuSearchBy=County&btnSubmit=Search&mnuSearchUsing=AnyWords
• Company providing ezbusinesscardmanagment.com service: http://www.whois.com/whois/ezbusinesscardmanagement.com

Tools

• https://www.ssllabs.com/ssltest/ v1.18.1
• https://weakdh.org/sysadmin.html

Similar posts and analysis

• http://www.troyhunt.com/2015/05/do-you-really-want-bank-grade-security.html
• https://damieng.com/blog/2015/05/16/quality-of-ssl-protection-for-us-financial-institutions

Tangential articles (coming soon)

• Fiserv
• Wisconsin Department of Financial Institutions