5

I've been checking out various TLS certificates lately and noticed that most of the banks seem to have the following two issues:

1) They do not offer perfect forward secrecy

2) They are still using RC4

So far, all the ones I've checked (TD, JPMorgan, CIBC, Wells Fargo, Bank of America, ING/Tangerine, RBC) use

TLS_RSA_WITH_RC4_128_SHA

Though actually CitiGroup and Goldman Sachs are using AES in CBC mode with 256 bit keys, instead of RC4, but still, no forward secrecy, and I would think GCM+SHA256 is better than CBC+SHA, even with 128 bit keys vs 256.

On the other hand, Google, Facebook, LinkedIn, and bitcoin exchanges/sites do offer perfect forward secrecy (typically with ECDHE), and unanimously use AES in GCM mode with SHA256 and 128 bit keys.

So my question: why have our banks not upgraded their security, especially given recent attacks on RC4 (though they are mostly theoretical, they do point to possible issues, and RC4 is generally considered less secure than AES)? Also, why would they not offer perfect forward secrecy? Is that an oversight on their part, or possibly for regulatory reasons?

I nearly emailed my bank about this today, but figured I'd throw the question up here first. Of course, cyber attacks on banks are all the rage these days - they ought to use the best encryption they can.

Ethan
  • 2
    This is a good question and one I do not know the answer to. I do suspect, however, that it may have to do with the type of industry and how quickly changes are allowed to be implemented. Google, Facebook, etc are all very agile compared to most large corporations, so the comparison might be weighed in their favor. – David Houde Aug 29 '14 at 02:13
  • 2
    That's what I figured. Financial industry is typically very conservative. But it's been a few years now I think. And there's really no excuse for not staying up-to-date with security, especially when you're dealing with everyone's money. – Ethan Aug 29 '14 at 02:18
  • My guess is that it is due to a very simple reason, expenses. Banks are reluctant to upgrade their existing servers until their customers are actually concerned about the low level of security provided. ECDHE and AES algorithms use more resources and hence, more money needs to be spent to upgrade their servers (which means less profit!). – jingyang Aug 29 '14 at 05:26
  • They may also be subject to PCI or other regulations that require defending "all known CVEs", and BEAST is still on the CVE list as severe even though it was never observed in the wild AND is well mitigated by 1/n-1, but the only demonstrable server defenses are TLS1.1 (which locks out some customers) or RC4. – dave_thompson_085 Aug 29 '14 at 09:54

2 Answers

4

I guess the most concise answer to this question is: They are insured.

Currently, industry standards don't require PFS, and therefore insurers pay even if the bank had no PFS. There was a similar question at 30C3 about why the banks are using Windows XP as their operating system.

Those standards can also be a reason why banks can't implement new methods like PFS as fast as companies like Twitter, when every security measure needs to be audited and certified.

Another point would be that most attacks are not based on breaking the encryption, but on targeting the computer of the user itself.

user10008
  • Yes I figured this as well: since they are insured, security doesn't actually matter, which is kind of an amazing ridiculous state of affairs. So I think I will go ahead and bring this up with my bank, at the very least to let them know that bitcoin companies are doing it better ;) – Ethan Aug 29 '14 at 02:33
  • 1
    @Ethan I don't think your bank will know much about bitcoins. Just say, *Twitter has better (online) security measures than you, and yet I trust you with my money.* Everybody knows what Twitter is, and that'll give a good ol' slap in the face (hopefully). Honestly, I don't understand why they *aren't* using better certificates - they can't be that hard to implement, and they certainly aren't as expensive as an insurance claim (to my knowledge). – Chris Cirefice Aug 29 '14 at 02:37
  • Agreed! I will do that for sure. But also, I like rubbing in the fact that a brand new decentralized digital currency is just so many times more secure than them. And their security people ought to know what bitcoin is. Otherwise, some financial security people they are. Besides, the first people to receive the email will probably not even know what TLS is ... – Ethan Aug 29 '14 at 02:39
  • On the other hand, maybe there is a regulatory reason? Maybe the security agencies don't want them to use PFS, or stronger encryption? Wouldn't be the first time... – Ethan Aug 29 '14 at 02:40
  • 1
    bitcoin uses sophisticated and elegant crypto, yet numerous bitcoin exchanges have been hacked or subverted http://www.theguardian.com/technology/2014/mar/18/history-of-bitcoin-hacks-alternative-currency and then the beautiful crypto guarantees your money is gone irrecoverably. Banks (in developed countries) have all that dull stodgy "regulation" and "supervision" with usually ugly websites and barely adequate crypto, and when they get hacked *or screw up internally which crypto doesn't fix* **you get your money back**. – dave_thompson_085 Aug 29 '14 at 09:55
  • The insurance aspect holds no water. Insurance companies aren't in the business to lose money. If a practice exposes them to additional losses, they would insist the client address it, or would charge the client more if they chose not to. Are banks even insured for individual transactions? – jjanes Aug 31 '14 at 20:47
  • @jjanes so there are currently no losses because of TLS? The first time the insurer has to pay, the insurer complains at the banks for low security standards, the banks fix this. But the banks don't move until their insurer says so, and it seems the insurers see no risk in that. – user10008 Aug 31 '14 at 20:55
4

Banks are usually not known to work in an agile way and quickly follow the latest developments. Like with lots of other large companies, there is lots of paperwork involved if somebody tries to change something, which costs effort, manpower, time and thus money. I don't think that a system administrator can just decide to change the ciphers. Instead, they must justify the change to upper management, it must be approved, then tested, and then they need to find a maintenance window to apply the change.

Also, the technical side might not be as simple as just changing a cipher in the server's config. There might be load balancers involved which have only (hardware accelerated) support for a limited set of ciphers (mostly RC4 and DES3). Also, they might deploy deep inspection IDS up front which can deal with RSA based key exchange provided they have the private key of the server's certificate. But this will not work any longer if the server uses (EC)DH key exchanges to provide forward security.

Together you have lots of management and technical challenges. And unless there are some requirements by law to use better ciphers, only few (if any) resources will be allocated for such a project, which means a change will take a long long time.

Steffen Ullrich
  • This makes the most sense. Though my understanding is that hardware support for AES has been around for a while, though I wouldn't be surprised if banks are running on older servers. Not sure I understand the IDS point, since for the given session they can have the ephemeral DH key, though I suppose having a more frontward facing server deal with all those keys is a hassle and possibly even a security concern. Good answer. I will probably bother them about it anyways ;) – Ethan Aug 29 '14 at 07:00
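
The properties argued about in the question (forward secrecy, RC4, CBC versus GCM) and the inspection constraint raised in Steffen Ullrich's answer can all be read off a suite name. The following Python classifier is an added example, not code from any poster in this thread; it handles only TLS 1.2-style IANA names, and the two sample names other than `TLS_RSA_WITH_RC4_128_SHA` are assumed from the question's descriptions.

```python
# Added example: classify IANA TLS 1.2-style names, TLS_<kx>_WITH_<cipher>_<hash>.
# First key-exchange token -> does the handshake use ephemeral keys?
EPHEMERAL = {"RSA": False, "DH": False, "ECDH": False, "DHE": True, "ECDHE": True}

def parse_suite(name):
    """Split a suite name into (key exchange, bulk cipher, MAC or PRF hash)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS_<kx>_WITH_<cipher>_<hash> name: {name!r}")
    kx, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, _, digest = rest.rpartition("_")
    if not cipher:
        raise ValueError(f"missing cipher or hash in {name!r}")
    return kx, cipher, digest

def assess(name):
    """Return the properties the thread argues about for one suite name."""
    kx, cipher, digest = parse_suite(name)
    kx_type = kx.split("_")[0]
    if kx_type not in EPHEMERAL or "anon" in kx:
        raise ValueError(f"unsupported key exchange {kx!r}")
    forward_secrecy = EPHEMERAL[kx_type]
    findings = []
    if not forward_secrecy:
        findings.append("no forward secrecy")
    if cipher.startswith("RC4"):
        findings.append("RC4")
    elif cipher.endswith("_CBC"):
        findings.append("CBC mode")
    if digest in ("SHA", "MD5"):
        findings.append("legacy MAC hash: " + digest)
    return {
        "key_exchange": kx,
        "cipher": cipher,
        "forward_secrecy": forward_secrecy,
        # A passive sensor holding the server's long-term private key can
        # recover session keys only when the key exchange is not ephemeral.
        "passive_decrypt_with_server_key": not forward_secrecy,
        "findings": findings,
    }

# Constructed sample input (assumed names, see the lead-in).
SAMPLES = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for suite in SAMPLES:
        print(suite, assess(suite))
```

TLS 1.3 suite names carry no key-exchange token, so `parse_suite` rejects them rather than guessing.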