Major banks are still open to POODLE attacks months after being called out as vulnerable.
The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw surfaced October and affects the Secure Sockets Layer (SSL) 3.0 algorithm and versions of TLS (Transport Layer Security).
Ivan Ristic's SSL Labs site revealed at the time scores of banks affected by POODLE including Australia's NAB and Westpac,plus globally RBS, HSBC, Barclays, and Tesco Bank to name a few.
Ristic's site reveals security issues persist with many of the banks, mostly relating to support of weak TLS protocols and crappy ciphers. Halifax and Barclays however are still reported as vulnerable to the original SSL 3.0 POODLE attack, while Tesco has been slapped with a Fail security score for still being open to TLS POODLE.
The antipodean National Australia Bank had, after a Vulture South inquiry last month, still not patched against the POODLE vulnerabilities, Samuel says.
The bank did not comment after El Reg on 28 March sent news of its continued exposure along with additional security gaffes dug up by Melbourne crypto bod Michael Samuel.
Samuel (@mik235) says the bank has since fixed the POODLE vulnerability and notes it has also placed a request to SSL Labs that its infrastructure be off-limits to future security scans.
"It is vulnerable to POODLE over TLSv1 which is actually a bug that is most commonly found in a particular hardware vendor that's used by F5, Cisco, and others," Samuel says.
"Perhaps they should have used the time they spent asking SSL Labs to stop scanning them to actually use the site and fix their config."
Additional scan data in March indicated NAB had not updated its F5 box since August 2014 and was as a result vulnerable to TLS POODLE, or TLS 1.x padding vulnerability in F5 lingo.
"POODLE for TLSv1 means it is possible to steal sessions, and an advanced attacker could make off with some transactions or account details," Samuel says, noting that stealing money would require further attacks.
He says the un-patched F5 software is the most concerning aspect as it exposes services to known vulnerabilities.
Samuel pointed out in details sent to the bank that it did not use HTTP Strict Transport Security, a gaffe he says was "just crazy for a bank" adding that it should be on HSTS preload lists.
"This is critical for a bank [and is] such an easy security win," he says.
The mechanism would prevent attacks including SSLstrip and "ridiculous" gaffes like accidental submission of confidential data over http, which occurred when Samuel applied for a NAB credit card. ®