Polish banks & SSL

Innovative as polish bank

Banks operating in Poland are on the top of world innovation. They already go out of their way to offer modern solutions - mobile banking and smartphone payments. Blik payments, for example, has been built from scratch. Visa and MC did not participate in the project, which can be considered global phenomenon.

Banks also invests in to other mobile payment systems. At present they use latest technology - HCE - to implement payments using smartphones. They give up SIM-based solutions.

innovative-polish-bank

But still many customers use Web browser installed on PC in order to get access to their bank accounts. Let’s check if it’s safe.

Is green padlock safe?

HTTPS - is a communications protocol for secure communication over a computer network which is widely used on the Internet - Wikipedia

green-padlock

For many users HTTPS is a way to secure communication with a website. It gives you nice green padlock and it means all is safe with that website, you can trust it and you are free to provide credit card details, paste copy of your ID and such.

The truth is that green padlock simply represents that traffic to/from the website is encrypted. Simple as that.

“So… I’m safe, right?” - There is no simple answer to that question. Imagine main entrance to your house. Is it burglar-resistant? How tough are the doors itself? How many locks and latches do you have? If the door stopped one thief, will they stop the next one? Better equipped than the previous one?

Long story short - encryption can be implemented in many different ways. I will skip the technical details. Fortunately, there are many websites around that can perform deep analysis of the web server SSL configuration and provide results in a nice way. I list them at the end of the article.

Purpose of this article is to focus on (potential) problems with SSL configuration on web servers that are used by polish customers to access their financial informations, bank accounts and such.

Results

Name URL Grade (ssllabs.com; securityheaders.io)
Alior Bank https://aliorbank.pl/hades/do/Login A; E
Alior Bank - kantor walutowy https://kantor.aliorbank.pl/login?language=en C; F
Bank Millenium https://www.bankmillennium.pl/osobiste2/LoginSignIn A+; —
Bank Pekao https://www.pekao24.pl/ClientLogon.html A; D
Bank Pocztowy https://www.pocztowy24.pl/cbp-webapp/login A; E
Bank Zachodni WBK - BZWBK24 https://www.centrum24.pl/centrum24-web/login A; B
Bank Zachodni WBK - iBiznes24 https://ibiznes24.pl/bzwbk24biznes-client/login.html A+; B
BGŻ BNP Paribas - klienci biznesowi https://biznesplanet.bgzbnpparibas.pl/ A; F
BGŻ BNP Paribas - klienci indywidualni https://planet.bgzbnpparibas.pl/ A; F
BGŻ BNP Paribas - serwis klientów dawnego Sygma Bank https://sygmaonline.bgzbnpparibas.pl/ C; F
BOŚ Bank https://bosbank24.pl/twojekonto A; A
BOŚ Bank - klienci korporacyjni https://bosbank24.pl/iboss A; A
Citi Handlowy - CitiDirect https://portal.citidirect.com/portalservices/forms/login.pser? A; F
Citi Handlowy https://www.citibankonline.pl/apps/auth/signin/ A; F
Credit Agricole - CA24 Biznes https://ca24biznes.credit-agricole.pl/Login/Login?ReturnUrl=%2F C; B
Credit Agricole - Firm@Bank https://firmabank.credit-agricole.pl/mt-front/ C; F
Credit Agricole https://e-bank.credit-agricole.pl/ C; F
Deutsche Bank - klienci indywidualni https://dbeasynet.deutschebank.pl/frontend-web/app/auth.html#/de/authentication/login A; F
Deutsche Bank - klienci indywidualni, stara wersja https://ebank.db-pbc.pl/auth/login.jsp A; D
Deutsche Bank - klienci korporacyjni - autobahn https://autobahn.db.com/login A; D
Deutsche Bank - klienci korporacyjni - db-direct https://db-direct.db.com/ A; F
eurobank https://online.eurobank.pl/nbi/bezpieczenstwo/logowanie C; D
Getin Bank - firmy https://korporacja.gb24.pl/ceb-web/pages/login.jsp A+; E
Getin Bank https://secure.getinbank.pl/#index/index A+; C
Idea Bank https://secure.ideabank.pl/ A; C
Idea Bank - Idea Cloud https://sso.cloud.ideabank.pl/ A+; E
ING Bank - Business - eToken/karta https://login.ingbusinessonline.pl/ing2/do/CertLogin A; —
ING Bank - Business - login/hasło https://start.ingbusinessonline.pl/ing2/do/sms A+; C
ING Bank https://login.ingbank.pl/mojeing/app/#login B; B
Inteligo https://inteligo.pl/secure A; F
mBank https://online.mbank.pl/pl/Login A+; D
Nest Bank https://online.nestbank.pl/bim-webapp/login C; E
Noble Bank https://secure.noblebank.pl/#index/index A+; C
Orange Finanse https://orangefinanse.com.pl/or/Login A+; D
PKO Bank Polski - klienci biznesowi https://www.ipkobiznes.pl/kbi A; F
PKO Bank Polski - klienci indywidualni https://www.ipko.pl/ A+; E
T-Mobile Usługi Bankowe https://online.t-mobilebankowe.pl/ib/login.html A; F
T-Mobile Usługi Bankowe - nowa wersja https://system.t-mobilebankowe.pl/web/login A; C

Summary

All banks provides trusted & valid Server Keys and Certificates. None of them is vulnerable to popular attacks (like POODLE, BEAST), sometimes they use 64-bit block ciphers, vulnerables to birthday attack (more info) - I guess it’s due to backward compatibility with old web browsers (IE 8 / XP).

However, it would be good to review HTTP headers configuration on web servers. Many banks are still missing X-XSS-Protection header (fortunately, Content-Security-Policy is enabled, but what if old web browser does not support CSP?) that enables built-in reflective XSS protection. I also encourage to take a look at Public-Key-Pins header. This one is used to deliver cryptographic identities that browser should accept from the host. Of course you can trust Certificate Authorities (CAs) in your trust store, delivered with your PC, but what if one gets compromised?

Tools

References

 
comments powered by Disqus