BolehVPN’s exposé of e-banking security flaws in Malaysia

• BolehVPN’s SSL test on banks throws up interesting results; Grade F for most popular site
• Constant change to keep security a step ahead, but customers should have safe practices too

AN interesting blog post by the people who run virtual private network (VPN) service provider BolehVPN threw up some surprising results on Oct 29.
 
The VPN provider said it looked at HTTPS vulnerabilities and analysed Malaysia’s top banks, finding some “shocking results.”
 
Testing the e-banking sites of a large number of Malaysian banks, specifically for HTTPS vulnerabilities, eyebrows were raised when the tests, done using Qualys SSL Labs SSL Test, it came up with a Grade F for both Maybank2u.com, the most popular Internet banking site in Malaysia, and Maybank2e.net, meant for enterprise customers.
 
HTTPS or Hypertext Transfer Protocol Secure is a communications protocol for secure communications.
 
To its credit, Maybank took immediate steps to rectify the problem, and by the next day, got an A grade for both sites. BolehVPN has duly updated its post.
 
But BolehVPN’s post does throw some light on how complex and dynamic the equation is for banks as they try to balance ease of use with the responsibility of ensuring customers can bank digitally, be it via mobile or desktop, with peace of mind.
 
While he says the bank welcomes the feedback from BolehVPN, Mohd Suhail Amar Suresh (pic), head of virtual banking at Maybank, says: “In reality, Maybank’s online banking system is very complex and incorporates comprehensive systems to mitigate the risks through other means, so that the bank is able to serve mass clients who use different Internet browsers to perform their online banking transactions.”
 
Suhail feels that the findings need to be looked at in perspective, as he believes BolehVPN’s testing does not reflect the entire security posture of M2u and M2e.
 
“The testing tool used by BolehVPN, while effective to test the SSL connections of websites, cannot, in our view, be used to assess the overall security, confidentiality and protection levels of our online banking services,” he says.
 
SSL or Secure Sockets Layer is the technology used to establish an encrypted link between a server and a client.
 
Suhail says that in the case of M2u, the logins and transactions to Maybank servers can only use SSL version 3 with strong encryption (128-bit key strength), which is on par with industry best standards.
 
“SSL Version 2.0 is only allowed to deliver warning messages back to our customers using old browsers,” he says.
 
“The diversity of browsers is permitted as it is in line with the bank’s quest to be customer-centric and humanising our services to cater for differing customer technology backgrounds,’ he adds. “Note that it was due to the continued use of SSL Version 2.0 that dragged Maybank to the initial F grade.”

Suhail goes on to say that, with regard to M2e, the risk exposure is minimum as Maybank has layered security controls to protect customer information.
 
“Moreover, multi-level authentication is required prior to login to the system and a user can only view his or her organisation’s data. Where applicable, a one-time password (OTP) is also required for transaction authorisation,” he says.

He acknowledges that a lot more goes under the hood in ensuring online security. But many of the initiatives cannot be shared in detail in order to maintain confidentiality, he adds.
 
That’s the same point that made by Victor Khor (pic), executive vice president and head of Group Transaction & Alternate Banking at Alliance Bank Malaysia Bhd.
 
Alliance received an A grade during BolehVPN’s SSL testing, but BolehVPN highlighted that the bank doesn’t support secure re-negotiation, the latest Top Layer Security (TLS), and might not have updated its security in a while.
 
Khor says that this is not true as the bank hires independent consultants to conduct a quarterly penetration test on all components. Vulnerabilities are then addressed based on a low- to high-risk priority scale.
 
All security updates are prioritised, tested and rolled out under a planned migration approach.
 
He requested however that Digital News Asia not share when it did its last quarterly scan. “You don’t want to give unnecessary information away,” he says.
 
Commenting on not supporting secure re-negotiation, which can be likened to a handshake between client and web server, he points out that the data that has not been transmitted yet. Data transmission is actually encrypted under SSL3 (latest) which addresses the data security.
 
“Secure re-negotiation does not expose our clients to security breach; the latter has more to do with Distributed Denial of Service or DDoS attacks, which affect the bank's service availability. On this point, Alliance has implemented the necessary firewalls and intrusion prevention systems where needed.”
 
To do this well, the bank adopts a holistic ‘defence-in-depth’ approach, he says. A term originating from the military, this is a multi-layered security designed to defend in depth.
 
“At any point in time, different components require different updates, which we adopt on a constant phased approach,” Khor claims.
 
Consumer the weakest link
 
Indeed ‘constant’ best describes how banks approach the security of their online banking sites. There is no taking the eye off the ball after any upgrade is done as there are always pieces of the security puzzle that need to be upgraded.
 
When asked what banks should do to ensure best practise for their HTTPS security, Goh Su Gim (pic), security advisor for Asia at cybersecurity company F-Secure, says they should regularly engage in penetration testing by third parties to ensure their Internet-facing services are always tested against latest exploits, or weak programming practices.
 
“Vulnerabilities are always discovered in operating systems and web servers – running this test would ensure they are kept up to date against the latest attack,” he says.
 
The biggest irony of any flap about security concerns of online banking is this – the weakest link is still the consumer.
 
“In the world of online banking, and our experience, most of the attacks are not this technical against a weakness in HTTPS, but merely infect a victims’ PC with a banking trojan, and with that, they can key-log everything users would type when logging into their online banking accounts or make a purchase on an Internet store, inputting their details and credit card details,” says Goh.
 
“Consumers should be educated about keeping their PCs, tablets or smartphone free of malware and trojans through the use of security software such as antivirus products. Of course, they should be educated and made aware of basic steps going online, such as not falling for scams or deals by clicking on suspicious phishing links,” he adds.
 
Is there a testing tool to grade us, the users?
 
Related Stories:
 
F-Secure adds security layer for banking
 
Scammers in Malaysia up their game with social engineering
 
 
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.