Wednesday, May 03, 2017

[RESEARCH] How Secure Are the HSBC and DBS Web Sites?

Last year, I wrote an article about the SSL certificate grading of banks in Hong Kong. This time I chose DBS and HSBC for the research: DBS had the highest SSL certificate grading at that time (Grade A), while HSBC is the largest bank in Hong Kong even though it was only Grade C.

The Research

Since pentesting a target without written authorization is illegal, this research covers the reconnaissance phase only: passive checks of the TLS configuration and of the HTTP response headers that any visitor's browser receives. It is therefore incomplete research, and the findings are for reference only.

I have written an article about the security headers of a web site, such as HSTS, HPKP and X-XSS-Protection; refer to it if you do not know what security headers are. The gradings below come from Qualys SSL Labs and the header checks from the Security Headers scanner (both listed in the references). The control web site for this research is my personal site, which is considered secure.

DBS Bank (Hong Kong) 星展銀行(香港)

The ebanking login page (https://internet-banking.hk.dbs.com/IB/Welcome) was tested and its grading has improved from A to A+, because the HSTS header is now set properly (SSL Labs only awards A+ when HSTS is present with a sufficiently long max-age). The cookie is also set with the Secure flag. Meanwhile, the site is still fronted by Akamai (WAF/DDoS protection).

However, the HPKP header is missing and the X-XSS-Protection header is not set properly. Without HPKP, a certificate mis-issued by any CA the browser trusts would still be accepted, so a Man-In-The-Middle (MiTM) attack remains possible even though HSTS is enforced; and without the browser's XSS filter switched on, a reflected XSS bug on the page would get no client-side mitigation. Note that X-XSS-Protection only enables a browser-side filter; it does not fix an XSS bug in the application itself.

Hongkong and Shanghai Banking Corporation (HSBC) 滙豐銀行

The ebanking login page (https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US) was tested and the grading remains unchanged at Grade C: TLS 1.2 is not enabled (SSL Labs caps the grade at C for servers without TLS 1.2), the RC4 cipher is still offered for the older protocols, and the chain entry for VeriSign, Inc / Class 3 Public Primary Certification Authority is not configured properly.

Meanwhile, the HSTS, HPKP and X-XSS-Protection headers are all missing, and the cookie is not set with the Secure flag. Without HSTS, a user who types the hostname without https:// can be kept on plaintext HTTP by an attacker on the path, and a cookie without the Secure flag would be sent over that plaintext connection. Therefore the site may be vulnerable to MiTM and XSS attacks.
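The header checks applied to both banks above can be reproduced passively. The script below is an added example (not code from the original post): it parses the raw headers of an HTTP response and reports on HSTS (present, with a max-age long enough for an SSL Labs A+), HPKP (present with at least two pins and a max-age, as RFC 7469 requires), X-XSS-Protection, and the Secure/HttpOnly flags on each Set-Cookie. The two embedded sample responses are constructed for illustration and are not captures from DBS or HSBC; `audit_url()` is the live variant for a URL you are permitted to test.

```python
"""Passive HTTP security-header audit (added example, not from the original post).
Sample responses below are constructed for illustration, NOT real bank captures."""
import re
import sys
import urllib.request

SIX_MONTHS = 180 * 24 * 3600  # SSL Labs needs at least this HSTS max-age for A+

def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...])."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def get_all(headers, name):
    """All values of a header (Set-Cookie may appear several times)."""
    return [v for n, v in headers if n == name]

def directive(value, key):
    """Value of key=... inside a ';'-separated header value, or None."""
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == key:
            return v.strip().strip('"')
    return None

def check_hsts(headers):
    vals = get_all(headers, "strict-transport-security")
    if not vals:
        return "missing"
    max_age = directive(vals[0], "max-age")
    if max_age is None or not max_age.isdigit():
        return "invalid (no max-age)"
    if int(max_age) < SIX_MONTHS:
        return "weak (max-age=%s < 180 days)" % max_age
    return "ok"

def check_hpkp(headers):
    vals = get_all(headers, "public-key-pins")
    if not vals:
        return "missing"
    pins = [p for p in vals[0].split(";") if p.strip().lower().startswith("pin-sha256=")]
    # RFC 7469: at least two pins (one of them a backup) and a max-age are required
    if len(pins) < 2 or directive(vals[0], "max-age") is None:
        return "invalid (need 2+ pin-sha256 and max-age)"
    return "ok"

def check_xss(headers):
    vals = get_all(headers, "x-xss-protection")
    if not vals:
        return "missing"
    v = re.sub(r"\s+", "", vals[0].lower())
    if v == "1;mode=block":
        return "ok"
    if v == "0":
        return "disabled"
    return "weak (%s)" % vals[0]

def check_cookies(headers):
    """Per cookie: 'ok' or which of Secure/HttpOnly is missing."""
    results = {}
    for sc in get_all(headers, "set-cookie"):
        name = sc.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in sc.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        results[name] = "ok" if not missing else "missing " + ",".join(missing)
    return results

def audit(raw):
    _, headers = parse_response(raw)
    return {"hsts": check_hsts(headers), "hpkp": check_hpkp(headers),
            "x-xss-protection": check_xss(headers), "cookies": check_cookies(headers)}

def audit_url(url):
    """Live variant for a URL you are permitted to test (needs network)."""
    with urllib.request.urlopen(url) as resp:
        raw = "HTTP/1.1 %d %s\r\n%s" % (resp.status, resp.reason, resp.headers)
    return audit(raw)

# Constructed sample responses (illustrative only, not real bank captures)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 0\r\n"
    "Set-Cookie: session=xyz; Path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_url(target) if target else audit(SAMPLE_WEAK)
    for item, finding in result.items():
        print("%-17s %s" % (item, finding))
```

Run it with no argument to see the constructed weak sample flagged (HSTS missing, XSS filter disabled, cookie without Secure/HttpOnly), or with a URL you are authorized to test. Only response headers are read; no requests beyond a normal page load are made, which is the same recon-only boundary the post keeps to.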

Conclusion

If set incorrectly, HPKP locks visitors out of the site for the whole max-age period, so most webmasters leave it alone to avoid the downtime (browsers have since dropped HPKP support altogether for this reason). HSTS, X-XSS-Protection and the cookie Secure flag, on the other hand, are not difficult to set and have no side effects once the whole site is served over HTTPS. Most webmasters nevertheless ignore these settings through misconception.
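For reference, this is what the "not difficult" settings look like in an nginx server block, shown next to the weak TLS settings that earn a C at SSL Labs. It is an added example, not configuration from either bank or from the original post; the hostname, certificate paths and upstream address are placeholders, and `proxy_cookie_flags` assumes nginx 1.19.3 or later. HPKP is deliberately left out.

```nginx
server {
    listen 443 ssl http2;
    server_name ebanking.example.com;                    # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # leaf + intermediate CA, in order
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # Weak (capped at C by SSL Labs): no TLS 1.2, RC4 still offered.
    # ssl_protocols TLSv1 TLSv1.1;
    # ssl_ciphers   RC4-SHA:AES128-SHA:AES256-SHA;

    # Hardened: TLS 1.2 only, AEAD ciphers with forward secrecy, no RC4.
    ssl_protocols TLSv1.2;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # HSTS for one year incl. subdomains. Enable only once everything is on HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Browser XSS filter in blocking mode.
    add_header X-XSS-Protection "1; mode=block" always;

    # Add Secure and HttpOnly to every cookie set by the proxied application.
    proxy_cookie_flags ~ secure httponly;

    location / {
        proxy_pass http://127.0.0.1:8080;                # placeholder upstream
    }
}

# Plain HTTP only redirects, so HSTS can be learned on the first visit.
server {
    listen 80;
    server_name ebanking.example.com;
    return 301 https://$host$request_uri;
}
```

The `always` parameter matters: without it nginx omits `add_header` on error responses, so the scanner (and the browser) would not see HSTS on a 4xx or 5xx page.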

In my opinion, ebanking sites should be very secure in order to prevent such attacks.

Reference

Qualys SSL Labs
Security Headers
[RESEARCH] SSL Certificate Grading of Banks in Hong Kong
HOWTO : Secure Surfing
Green PadLock is Safe?

That's all! See you.