Tuesday, April 19, 2016

[RESEARCH] SSL Certificate Grading of Banks in Hong Kong

To get a picture of the information security posture in Hong Kong, I selected the websites of banks in Hong Kong for an SSL certificate check. The check tests the strength of the TLS configuration behind the certificate, its protection against Man-In-The-Middle (MITM) attacks, and known protocol vulnerabilities. Web application vulnerabilities and corporate online banking are out of scope. Note, however, that a certificate is often shared with sub-domains, so a finding on the tested host may apply to other hosts of the same bank.

The list of banks is taken from "List of Banks In Hong Kong". I used the Qualys SSL Labs online testing tool for the check.

The results (the check was carried out on April 19, 2016) are ranked by SSL Labs grade:

Grade A
DBS Bank (Hong Kong) 星展銀行(香港)

Grade A-
(1) Bank of China (Hong Kong) 中國銀行(香港)
(2) Bank of East Asia 東亞銀行
(3) China Construction Bank (Asia) 中國建設銀行(亞洲)
(4) Chong Hing Bank 創興銀行
(5) Citibank (Hong Kong) 花旗銀行
(6) Dah Sing Bank 大新銀行
(7) Fubon Bank (Hong Kong) 富邦銀行(香港)
(8) OCBC Wing Hang Bank 華僑永亨銀行
(9) Public Bank (Hong Kong) 大眾銀行(香港)
(10) Standard Chartered Bank (Hong Kong) 渣打銀行

Grade C
(1) Hang Seng Bank 恒生銀行
(2) Hongkong and Shanghai Banking Corporation 滙豐銀行
(3) Industrial and Commercial Bank of China (Asia) 工銀亞洲
(4) Shanghai Commercial Bank 上海商業銀行
(5) Wing Lung Bank 永隆銀行

Grade F
China CITIC Bank International 中信銀行國際

The following four banks have HSTS (HTTP Strict Transport Security) in force, according to the per-bank results in the reference section. HSTS tells a returning browser to use HTTPS only and to refuse connections with certificate errors, which gives some protection against Man-In-The-Middle (MITM) attacks, in particular SSL stripping and downgrade to plain HTTP. However, none of them implement HPKP (HTTP Public Key Pinning), so a certificate for their domain issued by any CA the browser trusts, whether mis-issued or obtained through a compromised CA, would still be accepted: the MITM risk remains. Meanwhile, the China CITIC Bank International 中信銀行國際 website is vulnerable to the TLS variant of POODLE (a padding-check flaw in the server's TLS implementation rather than in SSL 3.0 itself), which brings its grade down to F.

(1) China CITIC Bank International 中信銀行國際
(2) Chong Hing Bank 創興銀行
(3) Fubon Bank (Hong Kong) 富邦銀行(香港)
(4) Standard Chartered Bank (Hong Kong) 渣打銀行

Even the highest-ranked DBS Bank (Hong Kong) 星展銀行(香港) does not implement HPKP, so it too faces a MITM risk, and HSTS alone would not remove it: HSTS only forbids plain HTTP and certificate-error click-through, while a fraudulent certificate from a CA the browser already trusts raises no error at all. HPKP closes that gap by telling the browser which public keys may appear in the certificate chain, but it must be rolled out carefully, since a wrong or stale pin set locks legitimate users out for the whole max-age; a backup pin is mandatory.

It is very interesting that the largest bank in Hong Kong (Hongkong and Shanghai Banking Corporation 滙豐銀行) only earns a Grade C. I wonder why no bank website in Hong Kong gets a Grade A+ when even my personal site is graded A+.

[Edit, several hours after the post:
I think the IT departments of the banks may misunderstand, or may not fully understand, the purpose of an SSL certificate for a website. In addition, they may not even know the limitation of HSTS, namely that it can be bypassed by attackers. In my opinion, the best practice for SSL certificate implementation at the moment is to adopt HPKP to reduce the risk of MITM attacks.

A low grade cannot be excused by backward compatibility with old browsers. Staying compatible with old or vulnerable browsers voids the security of the website for sure. Some low-graded bank websites even still support the insecure RC4 cipher (please refer to the bottom of this article for details), which sets a trap for their clients.]
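The checks discussed above (whether HSTS and HPKP are in force, and whether RC4 or other weak cipher suites and old protocols are still offered) can be applied mechanically to a scan result. The following Python script is an added example, not part of the original post and not SSL Labs code. It assumes a scan result shaped as a small dict of offered protocol names, offered cipher suite names and response headers; that shape, and the three sample records at the bottom (with placeholder pins), are constructed for illustration and are not real results for any bank.

```python
"""Audit a TLS scan result against the criteria used in this post.

Added example, not part of the original post and not SSL Labs code.
The input shape (protocols, ciphers, headers) is an assumption; the
sample records at the bottom are constructed, not real bank results.
"""
import re

# Substrings marking a cipher suite as broken or too weak to offer.
# "DES" also catches 3DES suites such as DES-CBC3-SHA.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5", "ANON")
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
ONE_YEAR = 31536000  # minimum HSTS max-age (seconds) worth anything


def parse_directives(header_value):
    """Turn 'max-age=31536000; includeSubDomains' into {name: value}.
    Names are lower-cased; a directive without '=' maps to ''."""
    out = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"')
    return out


def check_hsts(headers):
    """Return (in_force, reason) for Strict-Transport-Security."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False, "HSTS not in force: header missing"
    d = parse_directives(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False, "HSTS max-age missing or not an integer"
    if max_age < ONE_YEAR:
        return False, f"HSTS max-age {max_age} below one year"
    if "includesubdomains" not in d:
        return True, "HSTS in force, but sub-domains are not covered"
    return True, "HSTS in force"


def check_hpkp(headers):
    """Return (in_force, reason) for Public-Key-Pins.
    RFC 7469 requires max-age and at least two pins, one of them a backup
    key not in the served chain, so a lost key does not lock every
    returning browser out for the whole max-age."""
    value = headers.get("public-key-pins")
    if value is None:
        return False, "HPKP not in force: header missing"
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value)
    if "max-age" not in parse_directives(value):
        return False, "HPKP max-age missing"
    if len(set(pins)) < 2:
        return False, "HPKP needs at least two distinct pins (one backup)"
    return True, "HPKP in force"


def weak_ciphers(cipher_suites):
    """Names of offered suites that use a broken primitive, RC4 included."""
    return [c for c in cipher_suites
            if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]


def audit(scan):
    """Summarise one host's scan as a list of findings (empty = clean)."""
    findings = []
    for proto in sorted(INSECURE_PROTOCOLS & set(scan["protocols"])):
        findings.append(f"insecure protocol offered: {proto}")
    for suite in weak_ciphers(scan["ciphers"]):
        findings.append(f"weak cipher suite offered: {suite}")
    for check in (check_hsts, check_hpkp):
        in_force, reason = check(scan["headers"])
        if not in_force:
            findings.append(reason)
    return findings


# Constructed samples (placeholder pins, not real keys or real bank data).
PIN_A = "A" * 43 + "="
PIN_B = "B" * 43 + "="
SAMPLE_CLEAN = {
    "protocols": ["TLSv1.2", "TLSv1.1", "TLSv1.0"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
    "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "public-key-pins": f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; '
                           "max-age=5184000; includeSubDomains",
    },
}
# Like the HSTS-only banks in the post: no HPKP.
SAMPLE_HSTS_ONLY = {
    "protocols": ["TLSv1.2", "TLSv1.1", "TLSv1.0"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
    "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}
# Like a Grade C or F host: SSLv3 and RC4 still offered, no HSTS at all.
SAMPLE_WEAK = {
    "protocols": ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"],
    "headers": {},
}
```

To use it on a real host, fill the dict from your scanner's output (the SSL Labs JSON API, or an openssl s_client sweep over protocols and ciphers) and call audit(); SAMPLE_CLEAN yields no findings, SAMPLE_HSTS_ONLY yields only the missing-HPKP finding, and SAMPLE_WEAK yields SSLv3, three weak suites and both missing headers. One caveat when reading the post today: browsers have since dropped HPKP (Chrome deprecated it in 2017 and later removed it), so the HPKP check is of historical interest, while the protocol, cipher and HSTS checks still apply.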

In conclusion, every bank website in Hong Kong tested here faces some risk of a Man-In-The-Middle attack. Judging from this result, most websites in Hong Kong are likely to fare no better in SSL grading.

REFERENCE

I only checked the licensed banks incorporated in Hong Kong. The following is a summary of the checks:

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=its.bochk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Bank of East Asia 東亞銀行
- Cyberbanking - https://mobile.hkbea-cyberbanking.com/servlet/FRLogon?Lang=Eng
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=mobile.hkbea-cyberbanking.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

China CITIC Bank International 中信銀行國際
- Personal - https://ibanking.cncbinternational.com/CKWPortal/appmanager/Portal/CKWPerson?isPPB=0&displayLang=en_US
- Overall Rating - F (https://www.ssllabs.com/ssltest/analyze.html?d=ibanking.cncbinternational.com)
- Vulnerable to POODLE (TLS). HSTS is in force, but HPKP is not.

China Construction Bank (Asia) 中國建設銀行(亞洲)
- Personal Banking - https://online.asia.ccb.com/PersonalHKWeb/signin/SigninController.jpf
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=online.asia.ccb.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Chong Hing Bank 創興銀行
- i-Banking - https://www.ibanking.chbank.com/index0041.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ibanking.chbank.com)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Citibank (Hong Kong) 花旗銀行
- Online - https://www.citibank.com.hk/HKGCB/JSO/signon/DisplayUsernameSignon.do?locale=en_HK
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.citibank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.dahsing.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- Overall Rating - A (https://www.ssllabs.com/ssltest/analyze.html?d=internet-banking.hk.dbs.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Fubon Bank (Hong Kong) 富邦銀行(香港)
- e-banking - https://www.ebank.fubonbank.com.hk/index0128J.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebank.fubonbank.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Hang Seng Bank 恒生銀行
- Personal e-Banking - https://e-banking1.hangseng.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zH2cTAwgAykcC5Q3CfCydDEy9LAzMDL39vNzMDGDyROh2dnf0MDH3AfLDPF0NPE2cTAxMfd0MDTyNCej288jPTdUvyA2NKHdUVAQA-SNG7A!!/dl3/d3/L2dJQSEvUUt3QS9ZQnZ3LzZfMEczVU5VMTBTRDBNSFRJN01DNDAwMDAwMDA!/
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=e-banking1.hangseng.com)
- No protocol vulnerability found, but insecure RC4 cipher suites are still offered. HSTS and HPKP are not in force.

Hongkong and Shanghai Banking Corporation 滙豐銀行
- Personal Internet Banking - https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebanking.hsbc.com.hk)
- No protocol vulnerability found, but insecure RC4 cipher suites are still offered. HSTS and HPKP are not in force.

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- Personal/Private Banking - https://myebankasia.icbc.com.cn/icbc/perbank/index.jsp?areaCode=0110&dse_locale=en-US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=myebankasia.icbc.com.cn)
- No protocol vulnerability found, but insecure RC4 cipher suites are still offered. HSTS and HPKP are not in force.

OCBC Wing Hang Bank 華僑永亨銀行
- Personal Customer - https://ebanking.ocbcwhhk.com/jsp/chs/personal/0830/errorInvalidDevice.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.ocbcwhhk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebank.publicbank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.shacombank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ibank.standardchartered.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.winglungbank.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.


About Insecure RC4
Imperva Security Response to OpenSSL and TLS/RC4 Vulnerabilities
Killing RC4 (softly)

See Also : [RESEARCH] Banks In Hong Kong Running With What Services

That's all! See you.