How secure are banking websites in Ghana?
Many people put their trust in online banking services, believing that if a bank does online (Internet) banking, it MUST be secure because banks are trustable. Is this always the case?
All internet banking users, like you, access their online or internet banking websites using a web browser such as Internet Explorer, Firefox or Chrome.
The web browser is a software that allows you to communicate with your bank’s internet banking server at the comfort of your home via a home desktop computer, a laptop or a smartphone.
The privacy or security of communications between you (your browser) and the bank’s server is ensured via encryption. Encryption scrambles the content exchanged between your browser and your bank’s online banking server.
The best way to notice if your bank’s internet banking website is encrypting your communications is the display of a padlock appearing in the address bar of your browser when you’re online. Also, the website address displays as “https://www....” instead of http://www...”.
For example, when using the internet banking service of Ecobank Ghana, the address in your browser will be https://rib.ecobank.com/retailbanking/EGHLogin.html. Note that the address begins with https:// and NOT http://. This should give you some level of comfort because it means whatever information you will exchange between your computer and Ecobank is encrypted and secure.
The ‘s’ in https stands for the secure sockets layer or transaction layer security, which is the protocol that encrypts the content between your browser and your bank’s server.
So the intention of this article is NOT to cause panic in any bank customer as all banks tested, at least, showed secure online banking website for now. But the question is, how secure is the encryption process between your browser and your bank’s website? Is the level or strength of encryption good enough? Can the communications be intercepted by attackers without much difficulty?
We want to demonstrate to you in this article how your bank’s online banking website is faring security-wise using a well-known vulnerability scanning tool in information security circles known as Qualys SSL Labs SSL Test. This PCI DSS approved vulnerability scanning tool will tell us if your bank’s website encryption protocol is secure enough. The same tool is available to the banks to use to conduct their own test at no cost.
Qualys is a provider of information security and data privacy legal compliance and related software based in California in the United States. Founded in 1999, Qualys was the first company to deliver vulnerability management solutions as applications through the web using software as a service (SaaS) model.
The objective of these tests on Ghanaian internet banking websites is to stimulate discussions on whether banks in Ghana are taking information security matters seriously, especially on their public facing websites that interface with internal customer financial records.
How can customers of financial institutions assure themselves that information or content exchanged between themselves and their banks travel on secure channels? How secure is the secure channel your bank has employed?
Today, we’ll be looking at HTTPS vulnerabilities and we will analyse Ghana’s top banks, and we will find some shocking results. The score range is A to F. A is excellent and F is Fail. The score of your bank’s online banking website should send a signal that hackers COULD attack the website with the relative difficulty of the score. However, it does not necessarily mean your bank’s internet banking website is insecure. It is only measuring the strength of security provided by your bank for your online transactions.
All the tests were conducted on June 18, 2014 by El Cuto Consult Limited.
Standard Chartered Bank Ghana, grade A
StanChart scored grade A- for each of its two domains/servers – https://s2b.standardchartered.com (for straight2bank coporate banking) and https://online-banking.standardchartered.com (for personal banking).
The only thing that prevented them from scoring excellent (A) is the fact that their servers do not support forward secrecy which gives long term protection of private keys of the servers even when compromised.
Barclays Bank Ghana (https://www.gh.secure.barclays.com) also scored A- like StanChart but had an additional issue to what StanChart showed; being the fact that RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available.
Banks such as UBA, Unibank and Prudential were graded B for either all or some of the reasons following
The server supports only older protocols but not the current best TLS 1.2, the server does not support Forward Secrecy with the reference browsers, the server does not mitigate the CRIME attack.
And for either all or some of the following reasons, banks such as ADB, Zenith, Energy, Stanbic, Access, UT and First Capital Plus scored grade C
The server supports only older protocols but not the current best TLS 1.2, the server does not support Forward Secrecy with the reference browsers, there is no support for secure renegotiation, the server does not mitigate the CRIME attack.
Giants GCB and Ecobank, and others like HFC, Bank of Africa, GT, SG, Sahel Sahara, Cal, NIB, First Atlantic and the newly acquired UMB all scored grade F for either all or some of the following reasons
The server supports SSL 2q which is obsolete and insecure, the server is vulnerable to MITM attacks because it supports insecure renegotiation, the server does not mitigate the CRIME attack, the server supports only older protocols but not the current best TLS 1.2, there is no support for secure renegotiation, the server does not support Forward Secrecy with the reference browsers, the server's certificate is not trusted, the server is vulnerable to the Heartbleed attack.
Additional Information
All the banks we scanned, except First Atlantic, are NOT vulnerable to the Heartbleed attack which became popular in some recent years.
Scan on Fidelity bank’s online banking site (https://fbldtcwllsvr01.fidelityibank.com (41.202.8.26)) displayed this error message; Assessment failed: No secure protocols supported.
Conclusion
Strong regulation is key in data protection and security. It is our hope that this publication will awaken the need to improve information security in Ghanaian companies, especially financial, telecom, insurance and aviation sectors where online banking and online payments are taking shape.
This will create technology jobs and also help to prevent huge occurrences of internet fraud in Ghana.
Meanwhile, El Cuto Consult Limited is an Information Technology solutions and mobile value added services provider based in Accra, stressed the need for cyber security to be taken more seriously.
It also called for a well-laid down data protection regulations and standards.