Every year the consumer organisation Which? undertakes in-depth testing on the cybersecurity posture of the UKs leading banks. From established high street names to new online-only services, the report aims to give consumers a clear picture on how seriously these companies take their cybersecurity.
Hexiosec have provided Which? with technical cyber security expertise on a variety of reports and tests over the years, so we were more than happy to conduct the testing for this article; and of course, much of the online discovery and analysis work was automated using our own attack surface scanning platform Hexiosec ASM.
In this blog we will detail how we conducted the testing and what was included. For the complete report be sure to read it in full on the Which? website.
What was the goal of the testing?
The goal of this testing was to examine the state of the UK banking sector’s cybersecurity; with cyber-attacks becoming ever more common, it is essential these organisations take threats seriously. Which? conduct this test annually to help them identify those doing well and those that need some work.
How were the test criteria defined?
It is key to stress here that this is not a penetration test (or pen test). As we didn’t have permission to carry out these tests, the tools and techniques we used had to be passive, and we could only look at public sites and assets.
Importantly, what Which? try to do with all tests is make them repeatable and up to date, so we first worked with them to update the testing process for this year.
What was tested?
To ensure we got a clear picture of the cybersecurity effectiveness of the banks, we tested the following areas:
- Mobile Application - We didn’t have login credentials for all the banks, so our testing was limited to what we could achieve without these details. However, we were able to test how the app protected itself whilst under attack, and what information it was communicating to the outside world. The update history was also used to analyse how often updates or security patches were being pushed to the application.
- Website - Using our own tool, Hexiosec ASM, we were able to scan the websites and public assets of all the organisations testing for such things as any sensitive ports and services, for out-of-date components in web applications, TLS misconfiguration or expired certificates.
- Email configuration - Using Hexiosec ASM, we also tested the SPF, DKIM and DMARC settings and configurations of the main sending domains for each bank.
How were the scores worked out?
Before testing began, we helped Which? update the scores and weightings of each set of issues. This allowed us to give more impactful scores to things that could affect a consumer or be a potential security concern. For example, we still included issues like UI bugs within the scoring, but this was given less weighting to ensure it didn’t skew the results disproportionately.
How long did it take?
From start to finish the project took four weeks to complete. Although much of the testing is automated, any bad results still had to be manually investigated to ensure all the details were as accurate as possible.
For example, the sheer quantity of permissions used by the array of banks meant even with scripting we had to manually check thousands of records.
What tools did you use?
Naturally, we used Hexiosec ASM – an attack surface management tool designed and built by us. It was the ideal tool for this research as we were able to gather vast amounts of data about each bank quickly, all laid out in a single data package making it easy to identify the most critical issues. The passive nature of Hexiosec ASM means it won’t harm or damage a tested website in any way.
What were the challenges faced?
The scale of the banks’ online infrastructure meant that the sheer quantity of issues found was staggering; for example, one bank had over five thousand subdomains. Although all issues found should be considered a problem, those that pose a “Low” or “Medium” risk were filtered out in the results, so we were able to concentrate on only those considered “High” or “Critical” saving a lot of time.
How to stay safe banking online?
Obviously, all the banks in the UK take cyber security very seriously, and there are rarely any terrible issues to be found, but some are definitely better than others. Here are our top tips on staying safe when banking online:
- Keep your phone up to date; ensure you have the latest security patches/updates installed.
- Keep the application up to date; although the frequency of updates varies by bank it is essential you have the auto updates enabled. Generally, the newer versions of an app will provide enhanced security (this is generally, and not always the case!).
- Use biometrics; If your phone supports this method of logging in to your online banking then utilise it. Adding this additional layer of security is really easy and offers fantastic protection.
- Turn off SMS previews; A more extreme case but the preview line of text messages and notifications can give out valuable information. Ensure your preview line is turned off by default.
- Keep your browser updated; In 2022 there were a host of zero-day vulnerabilities leveraged against out-of-date browsers. Ensure you have the latest version of your browser installed, and auto updates are on.
- Use ad blockers; Malvertising incidents are on the rise with malicious adverts finding a way on to the Google ad network, use ad blockers to limit your exposure to them.
- Don’t use public Wi-Fi; This one should go without saying but where possible do not use public Wi-Fi when doing your online banking. If you have no other choice, ensure you are doing so over a VPN from an established and trusted provider (Nord VPN, Surfshark, Express VPN etc).