Wednesday, April 20, 2016

[RESEARCH] Banks In Hong Kong Running With What Services

After the research on SSL certificate grading for banks in Hong Kong, I am doing another piece of research on banks in Hong Kong to see what services they are running, such as the web server or protection. I based the test on the List of banks in Hong Kong. The standard site URL and the personal online banking URL were tested. Web application vulnerability testing is not in scope. The test was carried out on April 20, 2016.

DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 are running on Akamai, which provides DDoS/DoS protection to its clients. Akamai also provides a Web Application Firewall (WAF) to its clients. A WAF can protect web applications from attacks such as SQLi, XSS and CSRF, even when the web applications have these kinds of vulnerabilities. I will not discuss WAF bypass here. Anyway, generally speaking, a WAF does the job well.

Public Bank (Hong Kong) 大眾銀行(香港) and Chong Hing Bank 創興銀行 are running on G2 Web Services, which is also considered to provide secure services.

It seems that almost all the bank websites in Hong Kong are protected by a firewall and/or WAF, as I could not fetch any information from some of the sites during the test. This does not mean that the sites from which I could fetch information are not protected by a firewall and/or WAF.

In conclusion, I am sure that DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 cannot be DDoSed/DoSed.

With reference to my previous research on SSL certificates, DBS Bank (Hong Kong) 星展銀行(香港) is the most secure bank in Hong Kong at the time of this writing. Their IT department is doing a great job on security. If their IT department could implement HPKP for the SSL certificate, that would be great. Anyway, congratulations!
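One way to derive the "System Details" lines in the lists below, and to check for the HPKP header mentioned above, from a response head. This is an added example, not the author's tooling; it assumes "Running on" is the `Server` header and "Powered by" is `X-Powered-By`, and the sample responses are constructed from banner values on this page.

```python
import re

# Assumption (not stated on the page): "Running on" is the Server response
# header and "Powered by" is X-Powered-By.
EDGE_BANNERS = {"AkamaiGHost": "Akamai"}   # banner value as listed on this page
VERSION_RE = re.compile(r"/\d")            # "Product/1.2" style banner

def parse_headers(raw):
    """Parse a raw response head into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def system_details(raw):
    """Summarise what the response head discloses, in this page's list format."""
    h = parse_headers(raw)
    server, powered = h.get("server"), h.get("x-powered-by")
    parts = []
    if server:
        parts.append(f"Running on: {server}")
    if powered:
        parts.append(f"Powered by: {powered}")
    return {
        "details": " and ".join(parts) or "no information",
        # Banners carrying a version are what a hardening review asks to suppress.
        "versions_disclosed": [b for b in (server, powered) if b and VERSION_RE.search(b)],
        # An edge banner describes the CDN node, not the origin server behind it.
        "edge": EDGE_BANNERS.get(server),
        # HPKP is delivered in the Public-Key-Pins response header (RFC 7469).
        "hpkp": "public-key-pins" in h,
    }

# Constructed response heads; banner values copied from the lists on this page.
SAMPLES = {
    "iis": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "akamai": "HTTP/1.1 200 OK\r\nServer: AkamaiGHost\r\nContent-Length: 0\r\n\r\n",
    "silent": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, system_details(raw))
```

A response with neither header yields "no information", which matches the banks missing from the lists; as the text notes, that says nothing about whether a firewall or WAF is present.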

REFERENCE

The personal online banking URLs:

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- System Details - Powered by: Servlet/3.0

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- System Details - Running on: AkamaiGHost

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- System Details - Running on: IBM_HTTP_Server

* No information could be obtained during the test for the banks that are not in the list.


The standard site URLs:

China CITIC Bank International 中信銀行國際
- http://www.cncbinternational.com/home/en/index.jsp
- System Details - Powered by: Servlet/2.5

Chong Hing Bank 創興銀行
- http://www.chbank.com/en/index.shtml
- System Details - Running on: G2

Dah Sing Bank 大新銀行
- http://www.dahsing.com/en/html/index.html
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- https://www.dbs.com.hk/index/default.page
- System Details - Running on: AkamaiGHost

Fubon Bank (Hong Kong) 富邦銀行(香港)
- http://www.fubonbank.com.hk/web/html/index_e.html
- System Details - Powered by: Servlet/3.0

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- http://www.icbcasia.com/ICBC/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BA%9A%E6%B4%B2/EN/
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

Public Bank (Hong Kong) 大眾銀行(香港)
- http://www.publicbank.com.hk/en/home
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- http://www.shacombank.com.hk/eng/personal/index.jsp
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- https://www.sc.com/hk/
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- http://www.winglungbank.com/wlb_corporate/en/index.html
- System Details - Running on: IBM_HTTP_Server

* No information could be obtained during the test for the banks that are not in the list.

That's all! See you.