banking-security-india Documentation Release 0.5 ~eternaltyro Mar 26, 2017

Contents

1 Introduction
2 Contribute
3 To the attention of banks
4 License
5 Content


banking-security-india Documentation, Release 0.5

Comparisons of security designs that are user-facing across public and private sector banks in India.


CHAPTER 1

Introduction

After several frustrating moments while using Internet-banking platforms for even the most basic tasks, I began documenting how different banks handle user-side security. I was not surprised to find that quite a few banks impose severe restrictions on the quality of passwords users can choose. Several other banks even use an on-screen keypad in a laughable attempt to presumably thwart key-logging attacks.

I began documenting some of the parameters that define end-user security for different banks. I even ran a survey (that received a lukewarm response) to crowdsource data about several banks. I compiled the data into a JSON file. Then I stumbled upon Rodolphe Breard's "bankageeks" project. That's where I picked up the idea to present the data on "Read the Docs".

This project documents only the banks operating in India. If you wish to do a similar project for banks in your country, you can do so by forking this project.


CHAPTER 2

Contribute

If you find outdated, missing or erroneous information here, feel free to create a pull request to fix the errors yourself. You can also report the problem in the bug tracker.


CHAPTER 3

To the attention of banks

The information presented here was compiled from crowdsourced data and from independent research. If you find that any information here is erroneous, please refer to the 'Contribute' section to find out how you can fix the errors yourself. If you feel that this information hurts your image, improve your services and update the information here.


CHAPTER 4

License

This documentation is provided under the terms of the GNU Free Documentation License (GNU FDL) version 1.3. You can find the full text of the license at https://gnu.org/licenses/fdl.html. A copy of the license is included with the source in the LICENSE.txt file.


CHAPTER 5

Content

Note: This document is still work-in-progress. I'm still trying to compile a lot of shit by myself. If you want to help out, get in touch :)

Bank Security India

Table 5.1: summary by bank. SSL/TLS is the Qualys SSL Labs grade (see Criteria below); "?" marks data not yet collected.

==========================  =====  =============  =========  ===========
Bank                        Auth.  SSL/TLS        Passwords  Mobile Apps
==========================  =====  =============  =========  ===========
Allahabad Bank              ?      C [3]          ?          ?
Andhra Bank                 ?      C              ?          ?
Axis Bank                   ?      C              ?          ?
Bank of Baroda              ?      F              ?          ?
Bank of India               ?      F              ?          ?
Bank of Maharashtra         ?      F [4]          ?          ?
Bharatiya Mahila Bank       ?      F              ?          ?
Canara Bank                 ?      A-             ?          ?
Catholic Syrian Bank        ?      F              ?          ?
Central Bank of India       ?      C              ?          ?
City Union Bank             ?      B              ?          ?
Corporation Bank            ?      F              ?          ?
Dena Bank                   ?      F              ?          ?
Development Credit Bank     ?      A-             ?          ?
Dhanlaxmi Bank              ?      F              ?          ?
Federal Bank                ?      B              ?          ?
HDFC Bank                   ?      F              ?          ?
ICICI Bank                  ?      C              ?          ?
IDBI Bank                   ?      F              ?          ?
Indian Bank                 ?      C              ?          ?
Indian Overseas Bank        ?      B              ?          ?
Indusind Bank               ?      F              ?          ?
ING Vysya Bank              ?      F              ?          ?
Jammu and Kashmir Bank      ?      C              ?          ?
Karnataka Bank              ?      B              ?          ?
Karur Vysya Bank            ?      F              ?          ?
Kotak Mahindra Bank         ?      F              ?          ?
Lakshmi Vilas Bank          ?      B              ?          ?
Nainital Bank               ?      F (by script)  ?          ?
Oriental Bank of Commerce   ?      F              ?          ?
Punjab and Sind Bank        ?      F              ?          ?
Ratnakar Bank               ?      F              ?          ?
South Indian Bank           ?      B              ?          ?
State Bank of India [1]     ?      C [2]          ?          ?
Syndicate Bank              ?      F              ?          ?
TamilNad Mercantile Bank    ?      F              ?          ?
UCO Bank                    ?      F              ?          ?
Union Bank of India         ?      F              ?          ?
Vijaya Bank                 ?      C              ?          ?
Yes Bank                    ?      C              ?          ?
==========================  =====  =============  =========  ===========

Notes to Table 5.1:

[1] Includes State Banks of { Bikaner and Jaipur | Hyderabad | Mysore | Patiala | Travancore }.
[2] https://www.ssllabs.com/ssltest/analyze.html?d=onlinesbi.com
[3] https://www.ssllabs.com/ssltest/analyze.html?d=allbankonline.in
[4] Ports open plus site inaccessible.

ssl tests

Note: This page documents the SSL/TLS quality for different banks. It also details the attacks the sites are vulnerable to.

Table 5.2: SSL/TLS test results. PFS = (perfect) forward secrecy; "?" marks data not yet collected.

==========================  =====  ==================  =====================  ===================  ======  ===========================================================================
Bank                        Grade  RC4 / MD5           Attacks                SSLv3 / SSLv2        PFS     Comments
==========================  =====  ==================  =====================  ===================  ======  ===========================================================================
Allahabad Bank              C      RC4-SHA; RC4-MD5    None                   Good                 No      www.allbankonline.in
Andhra Bank                 C      RC4-SHA; RC4-MD5    BREACH; POODLE         SSLv3                No      TLSv1.2 / TLSv1.1 not supported; www.onlineandhrabank.net.in; weak signature
Axis Bank                   C      RC4-SHA             BEAST?; POODLE         SSLv3                No      axisbank.co.in; TLS_FALLBACK_SCSV supported (against downgrade attacks)
Bank of Baroda              F/C    RC4-SHA; RC4-MD5?   BREACH? (www); POODLE  SSLv2 on www; SSLv3  No [5]  TLSv1.2 / TLSv1.1 not supported; www.bobibanking.com / intl.bobibanking.com
Bank of India               F      ?                   ?                      ?                    ?       ?
Bank of Maharashtra         F      ?                   ?                      ?                    ?       ?
Bharatiya Mahila Bank       F      ?                   ?                      ?                    ?       ?
Canara Bank                 A-     ?                   ?                      ?                    ?       ?
Catholic Syrian Bank        F      ?                   ?                      ?                    ?       ?
Central Bank of India       C      ?                   ?                      ?                    ?       ?
City Union Bank             B      ?                   ?                      ?                    ?       ?
Corporation Bank            F      ?                   ?                      ?                    ?       ?
Dena Bank                   F      ?                   ?                      ?                    ?       ?
Development Credit Bank     A-     ?                   ?                      ?                    ?       ?
Dhanlaxmi Bank              F      ?                   ?                      ?                    ?       ?
Federal Bank                B      ?                   ?                      ?                    ?       ?
HDFC Bank                   F      ?                   ?                      ?                    ?       ?
ICICI Bank                  C      ?                   ?                      ?                    ?       ?
IDBI Bank                   F      ?                   ?                      ?                    ?       ?
Indian Bank                 C      ?                   ?                      ?                    ?       ?
Indian Overseas Bank        B      ?                   ?                      ?                    ?       ?
Indusind Bank               F      ?                   ?                      ?                    ?       ?
ING Vysya Bank              F      ?                   ?                      ?                    ?       ?
Jammu and Kashmir Bank      C      ?                   ?                      ?                    ?       ?
Karnataka Bank              B      ?                   ?                      ?                    ?       ?
Karur Vysya Bank            F      ?                   ?                      ?                    ?       ?
Kotak Mahindra Bank         F      ?                   ?                      ?                    ?       ?
Lakshmi Vilas Bank          B      ?                   ?                      ?                    ?       ?
Nainital Bank               F (by script)              ?                      ?                    ?       ?
Oriental Bank of Commerce   F      ?                   ?                      ?                    ?       ?
Punjab and Sind Bank        F      ?                   ?                      ?                    ?       ?
Ratnakar Bank               F      ?                   ?                      ?                    ?       ?
South Indian Bank           B      ?                   ?                      ?                    ?       ?
State Bank of India [1]     C [2]  ?                   ?                      ?                    ?       ?
Syndicate Bank              F      ?                   ?                      ?                    ?       ?
TamilNad Mercantile Bank    F      ?                   ?                      ?                    ?       ?
UCO Bank                    F      ?                   ?                      ?                    ?       ?
Union Bank of India         F      ?                   ?                      ?                    ?       ?
Vijaya Bank                 C      ?                   ?                      ?                    ?       ?
Yes Bank                    C      ?                   ?                      ?                    ?       ?
==========================  =====  ==================  =====================  ===================  ======  ===========================================================================

Notes to Table 5.2 ([1] and [2] are as for Table 5.1):

[5] Bank of Baroda: forward secrecy is offered only on the www site and only to very modern browsers, via the two suites 0xc013 and 0xc014 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA).

AXIS Bank

Note: This used to be called UTI Bank. It's a private sector bank with a modern Internet Banking interface.

Warning: None.


Configuration SSL/TLS

• Qualys SSL Labs: A

Note: Uses SSLv3; Uses RC4; Forward secrecy not enabled;

Chip and PIN

• Chip and PIN cards offered;

Authentication

• Minimum Password Length: 8 ;

• Maximum Password Length: 28 ;

• Right click allowed;

• Copy Paste disabled;

• Virtual Keyboard provided;

Note: While pasting from the clipboard into the password field is not allowed on the primary Internet Banking site, the payment-gateway site DOES allow pasting passwords into the input box.

Mobile Application

Link: Android application

Permissions for Android

• Device & app history

– device status and history

• Identity

– find accounts on device

• Calendar

– read calendar events plus confidential information

– add or modify calendar events and send emails to guests without owners’ knowledge

• Contacts

– read your contacts

• Location

– network based location

– GPS based location

• SMS

– Send SMS messages

• Phone


– Directly call phone numbers

– read call log

• Photos / Media / Files

– test access to protected storage

– modify or delete SD card contents

• Camera

– take pictures and videos

• Wi-Fi connection information

– view Wi-Fi connections

• Device ID & call information

– Read phone status and identity

• Other

– run at startup

– control flashlight

– prevent phone from sleeping

– view network connections

– read Google service configuration

– full network access

– connect and disconnect from WiFi

– control vibration

Bank of Baroda

Note: None.

Warning: None.

Configuration SSL/TLS

• Qualys SSL Labs: F

• Grade: F

• Attacks: POODLE; BEAST; FREAK

• RC4 / MD5: RC4-SHA; RC4-MD5

• SSLv2: Offered

• SSLv3: Offered

• TLSv1.2: Not offered

• PFS: Not offered


Caution: This thing is a disaster! Offers SSLv2 AND SSLv3; Does not offer TLSv1.2

Note: Uses RC4; Forward Secrecy not supported.

Chip and PIN

All cards have Chip and PIN.

Authentication

• Minimum Password Length: 6 ;

• Maximum Password Length: 28 ;

Mobile Application

HDFC Bank

Note: None.

Warning: None.

Configuration SSL/TLS

• Qualys SSL Labs: F

Warning: Server vulnerable to POODLE attack.

Note: Uses RC4; Forward Secrecy not supported;

Chip and PIN

All cards have Chip and PIN.

Authentication

• Minimum Password Length: 6 ;

• Maximum Password Length: 28 ;


Mobile Application

Link: Android application

Permissions for Android

• Identity

– find accounts on device

• Location

– approximate location (network based)

– precise location (GPS based)

• SMS

– Read your text messages

– edit your text messages

– Receive SMS messages

• Phone

– directly call phone numbers

• Photos / Media / Files

– modify or delete SD card contents

– read contents of SD card

• Wi-Fi connection information

– view Wi-Fi connections

• Other

– receive data from Internet

– run at startup

– prevent phone from sleeping

– view network connections

– full network access

ICICI Bank

Note: None.

Warning: None.


Configuration SSL/TLS

• Qualys SSL Labs: C

Note: Uses RC4; Forward Secrecy not enabled.

Chip and PIN

All cards have Chip and PIN.

Authentication

• Minimum Password Length: 6 ;

• Maximum Password Length: 28 ;

Mobile Application

Link: Android application

Permissions for Android

• Device & app history

– retrieve running apps

• Identity

– find accounts on device

– add or remove accounts

• Contacts

– read your contacts

• SMS

– Read your text messages

– Send SMS messages

• Phone

– read call log

• Photos / Media / Files

– modify or delete SD card contents

– read contents of SD card

• Wi-Fi connection information

– view Wi-Fi connections

• Device ID & call information

– Read phone status and identity

• Other


– receive data from Internet

– create accounts and set passwords

– prevent phone from sleeping

– use accounts on device

– set an alarm

– view network connections

– full network access

– control vibration

Yes Bank

Link: Yes Bank Site

Configuration SSL/TLS

• Qualys SSL Labs: C

Site uses mixed content (http AND https).

Caution: TLS 1.2 / TLS 1.1 not offered; No server cipher order

Warning: Offers SSLv3; Accepts RC4; Forward secrecy not supported;

Chip and PIN

• Assumption: Chip and PIN cards offered;

Authentication

• Minimum Password Length: 10 ;

• Maximum Password Length: 14 ;

• Right click: disabled ;

• Copy Paste: disabled ;

• Virtual Keyboard provided ;

• Allowed special symbols: !~^;:?=@#${}|[]_()*,-.

• Mandatory: One each of [ upper case| lower case| numbers and special symbols]

• Curiously, the virtual keyboard provides special symbols not contained in the above guideline ( % ‘ ‘ % / )

• The plus symbol is not allowed. Curious. :)


Note: While pasting from the clipboard into the password field is not allowed on the primary Internet Banking site, the payment-gateway site DOES allow pasting passwords into the input box.

Mobile Application

Link: Android application

Permissions for Android

• Device & app history

– device status and history

• Identity

– find accounts on device

• Calendar

– read calendar events plus confidential information

– add or modify calendar events and send emails to guests without owners’ knowledge

• Contacts

– read your contacts

• Location

– network based location

– GPS based location

• SMS

– Send SMS messages

• Phone

– Directly call phone numbers

– read call log

• Photos / Media / Files

– test access to protected storage

– modify or delete SD card contents

• Camera

– take pictures and videos

• Wi-Fi connection information

– view Wi-Fi connections

• Device ID & call information

– Read phone status and identity

• Other

– run at startup

– control flashlight


– prevent phone from sleeping

– view network connections

– read Google service configuration

– full network access

– connect and disconnect from WiFi

– control vibration

notes

• A : No Complaints ;

• B : Good, but could be better ;

• C/D : Bad. Medium risk. ;

• E/F : Worst. High risk practices.

Criteria

SSL/TLS Configuration

For the quality of the TLS/SSL configuration, I used the Qualys SSL Labs test. I click the net-banking link for the respective bank and, once I see the login screen, copy the domain.tld into the SSL Labs check page and record the resulting rating and any warnings / errors.

Interestingly, during my experiments I came across at least one major bank site that had requested that SSL Labs not test their site. That looks like a big glass of security by obscurity (https://www.schneier.com/crypto-gram/archives/2002/0515.html#1). Bruce Schneier also says this:

Smart security engineers open their systems to public scrutiny, because that's how they improve. The truly awful engineers will not only hide their bad designs behind secrecy, but try to belittle any negative security results. Get ready for Rapiscan to claim that the researchers had old software, and the new software has fixed all these problems. Or that they're only theoretical. Or that the researchers themselves are the problem. We've seen it all before.

For those sites that Qualys won't test, I used a neat SSL test script called testssl.sh [3].

I'm looking for insecure ciphers (MD5, RC4), vulnerable protocols (SSLv3) and similar poor security parameters in the SSL/TLS configuration and certificate:

• Protocols offered

• Ciphers offered

• Attacks the server is vulnerable to

• Forward secrecy

• Weak signatures (SHA1)
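The checks listed above, turned into code. This is an added example and not part of the original project: it takes a hand-built summary of what a scanner such as testssl.sh or SSL Labs reports (protocols, accepted cipher suites, certificate signature algorithm, TLS_FALLBACK_SCSV) and produces findings plus a letter grade. The severity-to-grade mapping is this example's own assumption modelled on the A/B/C-D/E-F legend below, not the Qualys rating algorithm, and the sample observations are constructed from the Bank of Baroda row of Table 5.2 rather than taken from a live scan.

```python
"""Grade an observed SSL/TLS configuration against the criteria listed above.

Added example, not code from the original project or from any bank. The input is a
hand-built summary of what a scanner such as testssl.sh or SSL Labs reports; the
severity-to-grade mapping is this example's own assumption modelled on the A/B/C-D/E-F
legend below, not the Qualys rating algorithm.
"""
import re
from dataclasses import dataclass, field

# OpenSSL names for the two suites named in the Bank of Baroda footnote.
SUITE_IDS = {
    0xC013: "ECDHE-RSA-AES128-SHA",   # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC014: "ECDHE-RSA-AES256-SHA",   # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
}

# Patterns over OpenSSL suite names: label -> (regex, severity).
WEAK_CIPHERS = {
    "RC4":    (re.compile(r"(^|-)RC4(-|$)"), "major"),
    "MD5":    (re.compile(r"-MD5$"), "major"),
    "3DES":   (re.compile(r"(^|-)(DES|3DES|DES-CBC3)(-|$)"), "major"),
    "EXPORT": (re.compile(r"^EXP"), "fatal"),
    "NULL":   (re.compile(r"NULL"), "fatal"),
}


@dataclass
class Observation:
    host: str
    protocols: set          # e.g. {"SSLv3", "TLSv1", "TLSv1.2"}
    ciphers: list           # suite names the server accepts
    signature_alg: str      # certificate signature, e.g. "sha256WithRSAEncryption"
    fallback_scsv: bool = False


@dataclass
class Assessment:
    host: str
    grade: str
    findings: list = field(default_factory=list)   # (severity, message)


def has_forward_secrecy(cipher: str) -> bool:
    """Ephemeral (EC)DH key exchange gives forward secrecy; static RSA key transport does not."""
    return cipher.startswith(("ECDHE-", "DHE-"))


def grade_for(findings) -> str:
    """Assumed mapping onto the legend: A no complaints, B minor, C major, F fatal."""
    severities = {sev for sev, _ in findings}
    if "fatal" in severities:
        return "F"
    if "major" in severities:
        return "C"
    if "minor" in severities:
        return "B"
    return "A"


def assess(obs: Observation) -> Assessment:
    findings = []
    if "SSLv2" in obs.protocols:
        findings.append(("fatal", "SSLv2 offered"))
    if "SSLv3" in obs.protocols:
        findings.append(("fatal", "SSLv3 offered (POODLE)"))
    if "TLSv1.2" not in obs.protocols:
        findings.append(("major", "TLSv1.2 not supported"))
    for cipher in obs.ciphers:
        for label, (pattern, severity) in WEAK_CIPHERS.items():
            if pattern.search(cipher):
                findings.append((severity, f"weak cipher {cipher} ({label})"))
    if not any(has_forward_secrecy(c) for c in obs.ciphers):
        findings.append(("minor", "no forward-secrecy suites (ECDHE/DHE)"))
    if obs.signature_alg.lower().startswith(("sha1", "md5")):
        findings.append(("major", f"weak certificate signature {obs.signature_alg}"))
    # With several protocol versions offered, clients need TLS_FALLBACK_SCSV to resist downgrade.
    if len(obs.protocols) > 1 and not obs.fallback_scsv:
        findings.append(("minor", "TLS_FALLBACK_SCSV not supported"))
    return Assessment(obs.host, grade_for(findings), findings)


# Constructed inputs modelled on the Bank of Baroda row (intl and www hosts) and on a
# hardened configuration for contrast; these are not live scan results.
BARODA_INTL = Observation("intl.bobibanking.com", {"SSLv3", "TLSv1"},
                          ["RC4-SHA", "RC4-MD5", "AES128-SHA"], "sha1WithRSAEncryption")
BARODA_WWW = Observation("www.bobibanking.com", {"SSLv2", "SSLv3", "TLSv1"},
                         ["RC4-SHA", "RC4-MD5", SUITE_IDS[0xC013], SUITE_IDS[0xC014]],
                         "sha1WithRSAEncryption")
HARDENED = Observation("example.invalid", {"TLSv1.2"},
                       ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
                       "sha256WithRSAEncryption", fallback_scsv=True)

if __name__ == "__main__":
    for obs in (BARODA_INTL, BARODA_WWW, HARDENED):
        result = assess(obs)
        print(result.host, result.grade)
        for severity, message in result.findings:
            print(f"  [{severity}] {message}")
```

Note that the www host still gets an F despite offering the two ECDHE suites from the footnote: forward secrecy does not compensate for SSLv2/SSLv3 and RC4, which is why the grade is driven by the worst finding rather than a sum.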


[3] https://github.com/drwetter/testssl.sh


Criteria

Authentication

I look at the password strength requirements for user logins. A minimum length below 8 is a major fail, and a maximum length below 20 is again a fail. Lax length requirements encourage bad password discipline. People should be allowed to think in terms of passphrases rather than pass'words'. For this reason, the minimum and maximum password lengths need to be reasonable numbers.

Tip: Password entropy is a measure of how difficult it is to guess a user's password under certain assumptions. If the entropy is high, the password is difficult to guess. For passwords to have high entropy, they MUST NOT contain identifiable information, predictable dictionary words, sequences of letters & numbers or known patterns (like qwerty, abc123); several dictionary words picked at random, as in the passphrase examples below, are a different matter, because there the entropy comes from the random choice. So a password, or rather a passphrase, should be sufficiently long and contain upper and lower case letters, numbers and special characters.

And passwords should be memorable (like XKCD's correcthorsebatterystaple or Ed Snowden's MargaretThatcherisa110%SEXY). And one should never use the same password on more than one account. What the actual fuck?!

The best way to use unique, hard-to-guess, hard-to-bruteforce passwords is to use a password manager like KeePassX. Don't take it from me, take it from the security experts [5].
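The two length rules above, applied to the policies recorded on this page, with an entropy estimate for what each policy allows. This is an added example, not code from the original project: the minimum / maximum lengths are the ones listed for Axis Bank, HDFC Bank and Yes Bank, the special-character set is the one Yes Bank publishes and is assumed for the other two, and the entropy figures are the upper bound for a uniformly random choice (a user-chosen password carries far less, which is the point of the tip).

```python
"""Check bank password policies against the two rules in this section and estimate the
entropy they permit.

Added example, not from the original project. Policies are the minimum / maximum lengths
recorded on this page for Axis, HDFC and Yes Bank; the special-character set is Yes Bank's
published one and is assumed for the other two. Entropy is log2 of the number of equally
likely candidates, i.e. the best case for a randomly generated password.
"""
import math
from dataclasses import dataclass

YES_BANK_SPECIALS = "!~^;:?=@#${}|[]_()*,-."
LOWER, UPPER, DIGITS = 26, 26, 10


@dataclass(frozen=True)
class Policy:
    bank: str
    min_len: int
    max_len: int
    require_all_classes: bool = False      # one each of upper, lower, digit, special
    specials: str = YES_BANK_SPECIALS


POLICIES = [
    Policy("Axis Bank", 8, 28),
    Policy("HDFC Bank", 6, 28),
    Policy("Yes Bank", 10, 14, require_all_classes=True),
]


def alphabet_size(policy: Policy) -> int:
    return LOWER + UPPER + DIGITS + len(policy.specials)


def max_entropy_bits(policy: Policy) -> float:
    """Best case the policy permits: a random password at the maximum length."""
    return policy.max_len * math.log2(alphabet_size(policy))


def min_entropy_bits(policy: Policy) -> float:
    """What the minimum length alone guarantees if a user picks random lowercase letters."""
    return policy.min_len * math.log2(LOWER)


def passphrase_bits(words: int, dictionary_size: int = 2048) -> float:
    """Diceware-style passphrase: each word drawn at random from a word list. Four words from
    2048 gives 44 bits (the xkcd figure) even though every word is in a dictionary."""
    return words * math.log2(dictionary_size)


def evaluate(policy: Policy, passphrase: str = "correcthorsebatterystaple") -> dict:
    """Apply the document's rules (minimum >= 8, maximum >= 20) and test whether the
    sample passphrase would be accepted at all."""
    problems = []
    if policy.min_len < 8:
        problems.append(f"minimum length {policy.min_len} is below 8")
    if policy.max_len < 20:
        problems.append(f"maximum length {policy.max_len} is below 20 and blocks passphrases")
    accepted = policy.min_len <= len(passphrase) <= policy.max_len
    if policy.require_all_classes:
        accepted = accepted and all((
            any(c.islower() for c in passphrase),
            any(c.isupper() for c in passphrase),
            any(c.isdigit() for c in passphrase),
            any(c in policy.specials for c in passphrase),
        ))
    return {
        "bank": policy.bank,
        "fail": bool(problems),
        "problems": problems,
        "max_bits": round(max_entropy_bits(policy), 1),
        "min_bits": round(min_entropy_bits(policy), 1),
        "passphrase_accepted": accepted,
    }


if __name__ == "__main__":
    for policy in POLICIES:
        print(evaluate(policy))
    print("4-word passphrase:", passphrase_bits(4), "bits")
```

Yes Bank's 14-character cap still allows almost 90 bits for a generated password, so the cap is not a brute-force problem; the problem is that it rules out the memorable passphrase, and the class requirement rules out correcthorsebatterystaple even if it were short enough.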

Multi-Factor Authentication

Authentication is proving your identity to the bank website so that you are allowed access to your account. You have to be able to prove you are indeed who you claim you are. One way to do that is to use a username and a password that you and ONLY YOU know. Other ways of authentication exist, like using something that you have (a registered phone) or something that you are (a fingerprint, etc.). You can significantly increase the security of authentication by using multiple modes of authentication one after the other. You might, for instance, be required to know a password AND input a 6-digit code that was sent to your registered phone. This is multi-factor authentication. It increases security because there's a reduced chance that the same person both got hold of your password AND stole your phone at the same time.

Some common ways of authentication are:

• Username / Password

• App on Smartphone based authentication

• SMS based one-time-password (OTP)

• HMAC-based or time-based OTP (HOTP or TOTP)

• Universal 2nd Factor (U2F) hardware token (recent technology, highest security and, sadly, zero adoption in Indian banks)

Fortunately, most banks mandate the use of one-time passwords, albeit mostly through SMS (frustratingly). I wish and hope that banks give users the option of using generated HMAC/time-based OTPs and U2F.

Snake Oil

Okay, not quite. But still... There are some weird practices that may give users a false sense of security. Here are a few:

• Blocking right clicks on the page

• Blocking pasting from clipboards

• Virtual Keyboards

[5] http://googleonlinesecurity.blogspot.in/2015/07/new-research-comparing-how-security.html


Blocking right clicks is just laughable. What do the security engineers think that does? Just an annoyance. Just silly. Blocking paste from the clipboard would be funny as well if not for a serious problem: it discourages users from using a password manager, which, if you read the previous section, is a very important tool.

Virtual keyboards do provide a little resistance against keyloggers. Only a little, though: malware that captures the screen or hooks mouse clicks reads an on-screen keyboard as easily as a physical one, and if your operating system is owned, you're toast anyway. However, if you use a shitty, outdated browser, just upgrade it to a more decent version. Speaking of which..

Browser Recommendations

The browser and version recommendations from most banks are downright pathetic. I'd personally recommend that those banks that recommend IE6/7 be penalized heavily by the Reserve Bank of India. It's just outrageous. One, the fact that a bank recommends IE6 means they are willing to ignore the tons of security vulnerabilities the user might be exposed to. Two, the banks subtly coerce customers into using a proprietary operating system. They should instead be recommending standards-compliant browsers.

Tip: If your bank recommends Adobe Acrobat Reader, Adobe / Macromedia Flash, or Microsoft Internet Explorer 6/7, your bank's people are class-A ass-holes! You should send them a mail reminding them that they are ass-holes. If you want to be polite, you could use the word 'morons' instead. Do it. Now!!

A good browser recommendation would be any recent version of Firefox, Chrome, Internet Explorer, Opera, Safari or equivalent. Banks have no business recommending what operating system you should or should not use. Ideally, they should make sure their sites work on any free-software browser / OS.

Most recent stable versions at the time of writing:

===========================  ===========================
Browser                      Most recent stable version
===========================  ===========================
Mozilla Firefox              40.0
Google Chrome                44.0
Microsoft Internet Explorer  11
Opera                        31.0
GNU IceCat                   31.8
===========================  ===========================


Mobile Applications

Many banks have mobile applications that let users bank on the move. I look at the permissions the applications demand. In this document, I sample just Android applications. Most of the time, the rationale behind specific permissions is never explained and the users give less than a shit.

[6] https://www.schneier.com/crypto-gram/archives/2002/0515.html#1

[7] https://github.com/drwetter/testssl.sh


But everyone would agree that a banking application need not have access to your camera and flashlight, or your contacts and call history. It doesn't take a genius to figure out that such permissions are troublesome and that the applications have the potential to infringe on users' privacy, or even to become surveillance tools later on.

A bit of a stretch? Maybe. Improbable? Nope.
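The permission review described in this section, as a script rather than a manual read of the Play Store listing. This is an added example, not code from the original project or from any bank: it parses the `uses-permission` entries of an AndroidManifest.xml (the same information the Play Store renders as the groups listed above) and reports everything outside a minimal baseline, with a separate list of the permissions that make the surveillance point. The baseline (network access plus RECEIVE_SMS for OTP auto-read), the high-risk set and the manifest itself, which is constructed from the Axis Bank / Yes Bank list above, are this example's own assumptions.

```python
"""Review the permissions an Android banking app requests against a minimal baseline.

Added example, not from the original project or any bank. The manifest is constructed
from the Play Store permission groups listed for the apps above; the EXPECTED baseline
and the HIGH_RISK descriptions are this example's own judgement, not a published standard.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What a banking client can justify. RECEIVE_SMS (OTP auto-read) is tolerated here but is
# still worth questioning; everything else the app asks for gets reported.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.WAKE_LOCK",
    "android.permission.VIBRATE",
}

# Permissions that turn a banking client into a surveillance tool if misused, keyed to the
# Play Store wording used in the lists above.
HIGH_RISK = {
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.FLASHLIGHT": "control flashlight",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CALENDAR": "read calendar events plus confidential information",
    "android.permission.WRITE_CALENDAR": "add or modify calendar events",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS based) location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
    "android.permission.GET_ACCOUNTS": "find accounts on device",
}

# Constructed manifest mirroring the Axis Bank / Yes Bank permission list above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Names from every <uses-permission android:name="..."/> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review(manifest_xml: str) -> dict:
    perms = requested_permissions(manifest_xml)
    return {
        "requested": len(perms),
        "unexpected": sorted(p for p in perms if p not in EXPECTED),
        "high_risk": {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK},
    }


if __name__ == "__main__":
    report = review(SAMPLE_MANIFEST)
    print(f"{report['requested']} permissions requested, {len(report['unexpected'])} outside baseline")
    for perm, description in report["high_risk"].items():
        print(f"  HIGH RISK {perm}: {description}")
```

On a real APK the manifest is binary-encoded; run it through `apktool d` (or `aapt dump permissions`) first and feed the decoded XML to `review`. The list of names is what matters, so the same function works unchanged on the decoded file.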
