More than half of the banks and building societies in the UK are exposing their online customer login pages through weak SSL/TLS configurations, according to security researchers at Xiphos Research.
Xiphos assessed the TLS deployment behind the secure login function at a host of British retail banks and building societies, as well as foreign-owned outfits operating in the UK, by submitting each login URL to the SSL Labs service from Qualys with publishing of results switched off, so that the grades were not listed publicly.
Of 22 UK-owned banks, half were found to have insecure SSL/TLS configurations, while 51% of 37 building societies also had issues, and more than three quarters of foreign-owned outfits were found to have problems. Of the 84 login endpoints tested, 12 (14%) received the lowest grade SSL Labs awards, an F.
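The assessment route described above, submitting login hostnames to SSL Labs without publishing the results and tallying the grades, can be automated against the public SSL Labs API v3. The script below is an added example and is not Xiphos Research's tooling; the `analyze` endpoint and its `host`, `publish`, `all`, `fromCache` and `maxAge` parameters follow the public API documentation, the sample responses are constructed, and the threshold for calling a grade "insecure" (C or worse, plus the non-letter grades T and M) is an assumption, since the article does not say which grades Xiphos counted.

```python
"""Summarise Qualys SSL Labs grades for a list of login hostnames (added example)."""
import json
import sys
import time
import urllib.parse
import urllib.request

API_BASE = "https://api.ssllabs.com/api/v3"  # public SSL Labs API v3

# Grades SSL Labs hands out, best to worst. "T" (certificate not trusted) and
# "M" (certificate name mismatch) sit outside the A-F scale and are treated as failing.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]

# Assumption: a grade of C or worse counts as "insecure" for the tally.
INSECURE_FROM = "C"


def fetch_analysis(host, timeout=10, poll_seconds=10):
    """Request an assessment for host with publish=off (results stay off the public
    boards), accepting a cached result up to 24h old, and poll until it is READY.
    Performs network I/O; not exercised by the offline sample below."""
    params = {"host": host, "publish": "off", "all": "done",
              "fromCache": "on", "maxAge": "24"}
    url = API_BASE + "/analyze?" + urllib.parse.urlencode(params)
    while True:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = json.load(resp)
        if data.get("status") in ("READY", "ERROR"):
            return data
        time.sleep(poll_seconds)  # DNS / IN_PROGRESS: wait and ask again


def worst_grade(analysis):
    """Return the worst grade across all endpoints (IP addresses) of one analysis,
    or None if no endpoint was graded (assessment error, unresolvable host)."""
    grades = [ep.get("grade") for ep in analysis.get("endpoints", []) if ep.get("grade")]
    if not grades:
        return None
    rank = lambda g: GRADE_ORDER.index(g) if g in GRADE_ORDER else len(GRADE_ORDER)
    return max(grades, key=rank)


def is_insecure(grade):
    """Ungraded, unknown, T, M and anything from INSECURE_FROM downwards is insecure."""
    if grade is None or grade not in GRADE_ORDER:
        return True
    return GRADE_ORDER.index(grade) >= GRADE_ORDER.index(INSECURE_FROM)


def summarise(analyses):
    """Given {host: analysis_json}, produce the kind of tally the article reports."""
    rows = {host: worst_grade(a) for host, a in analyses.items()}
    return {
        "hosts": rows,
        "total": len(rows),
        "insecure": sum(1 for g in rows.values() if is_insecure(g)),
        "f_rated": sum(1 for g in rows.values() if g == "F"),
    }


# Constructed sample responses in the shape the v3 analyze endpoint returns.
SAMPLE_RESPONSES = {
    "login.example-bank.test": {
        "host": "login.example-bank.test", "status": "READY",
        "endpoints": [{"ipAddress": "192.0.2.10", "grade": "A", "statusMessage": "Ready"},
                      {"ipAddress": "192.0.2.11", "grade": "B", "statusMessage": "Ready"}],
    },
    "secure.example-society.test": {
        "host": "secure.example-society.test", "status": "READY",
        "endpoints": [{"ipAddress": "192.0.2.20", "grade": "F", "statusMessage": "Ready"}],
    },
    "online.example-foreign.test": {
        "host": "online.example-foreign.test", "status": "READY",
        "endpoints": [{"ipAddress": "192.0.2.30", "grade": "T", "statusMessage": "Ready"}],
    },
    "legacy.example-bank.test": {
        "host": "legacy.example-bank.test", "status": "ERROR",
        "statusMessage": "Unable to resolve domain name", "endpoints": [],
    },
}


if __name__ == "__main__":
    # With hostnames on the command line, query SSL Labs; otherwise use the sample.
    hosts = sys.argv[1:]
    analyses = {h: fetch_analysis(h) for h in hosts} if hosts else SAMPLE_RESPONSES
    result = summarise(analyses)
    for host, grade in result["hosts"].items():
        print(f"{host:35s} {grade or '-':3s} {'INSECURE' if is_insecure(grade) else 'ok'}")
    print(f"{result['insecure']}/{result['total']} insecure, {result['f_rated']} rated F")
```

A host that resolves to several addresses gets one endpoint per address, and the summary takes the worst of them, since an attacker can simply pick the weakest front end. Keep `publish=off` when scanning third parties you have not yet notified, for the same reason Xiphos declined to name them.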
In a blog post, Xiphos co-founder Mike Kemp says the firm is not naming and shaming the offenders because, since carrying out the research in November, it has struggled to contact and warn them.
With security contact details difficult to procure, the firm approached the Financial Conduct Authority for help, only to be rebuffed because of “security reasons”. The UK National Crime Agency has also been informed.
Says Kemp: "As things stand, over 50% of banks and building societies in the UK have weak SSL implementations associated with their secure login functions. And the impacted parties don’t seem to care."