Another year, another batch of security issues at Santander.

TL;DR - Don't bank online with Santander.  Don't send payments to any company which uses Santander as a payment gateway.

Today, we'll be looking at three areas of concern.

1. BillPay; the website allowing business and personal customers to make online payments.
2. Mobile Banking; both personal & business accounts at risk.
3. Security audits, or lack thereof.

Let's dive in.

BillPay

BillPay is designed, built and maintained by Headland for the Santander Group of companies. Headland describe it as "an excellent example of a flexible and secure payment facility".

Now, I've blogged about Santander before... so I set my expectations pretty low from the outset. Headland have appeared on the radar a few times too, associated with other sites which do not handle data safely. Think MachineMart, SnowDome (Tamworth) and Alton Towers.

Before entering any card details, I ran the site through a Qualys test.


Hmm.  That's a good start!

What's insecure renegotiation?

If a server is vulnerable to insecure renegotiation, an attacker in a MiTM (Man-In-The-Middle) position can inject arbitrary content into the encrypted session.

How about the certificates... they're installed correctly, right?


Now I'm worried!  If you can't install an SSL certificate correctly, you really shouldn't be looking after a payment gateway.

Hang on... surely that means a mobile device will throw a warning?

[Screenshot, 2013-12-09 23:33]

Yep!  It's a good job the native Android browser checks certificates properly.


Where do we start with this lot?

We've already ascertained that it supports insecure renegotiation, and here we can see that it doesn't support secure renegotiation either.  To add insult to injury, it doesn't support forward secrecy or session resumption, and it's intolerant of long handshakes, a risk when the site is only visible to browsers with SNI support.

Password Storage

Choosing a secure password is absolutely vital to ensure your account remains secure.  Santander give the following advice...


Superb!  However, it's equally important to store the chosen password securely too.


Red flag!

Why is there a maximum length of 50 chars?  If Santander were hashing passwords correctly, there would be no reason to restrict the number of characters here.  In light of recent mega-hacks... 152 million accounts stolen from Adobe, 850,000 from Stratfor, 453,000 from Yahoo and over 37,000 from Sony... surely Santander store passwords securely?

I tried to run a password reset.  Please note: "reset" - widely regarded as the safest method of account recovery today.  Instead, Santander offered to "remind" me.  If they email my password to me, I may cry.


For this alone, I'd run a mile from any Santander / Headland product.
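To make the two points above concrete (no length cap is needed when passwords are hashed rather than stored, and a "reset" never needs the old password, whereas a "reminder" can only exist if the plaintext is kept), here is an added example in Go. It is not Santander's or Headland's code; the work factor, salt length and token lifetime are assumptions chosen for the example, and PBKDF2 is written out only so the block needs nothing beyond the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// pbkdf2SHA256 derives keyLen bytes from password and salt with PBKDF2 using
// HMAC-SHA256 (RFC 8018). HMAC consumes the password as a message of any
// length, which is why a correctly hashed password needs no 50-character cap.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	var index [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(index[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(index[:])
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const (
	iterations = 100_000 // constructed work factor for the example; tune to your hardware
	saltLen    = 16
	keyLen     = 32
)

// PasswordRecord is all the database holds: a per-user random salt, the work
// factor and the derived key. The password itself is never stored, so a
// "reminder" email is impossible by construction.
type PasswordRecord struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

func NewPasswordRecord(password string) (PasswordRecord, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	hash := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	return PasswordRecord{Salt: salt, Iterations: iterations, Hash: hash}, nil
}

// Verify re-derives the key from the candidate password and compares in
// constant time, so timing does not reveal how many bytes matched.
func (r PasswordRecord) Verify(password string) bool {
	got := pbkdf2SHA256([]byte(password), r.Salt, r.Iterations, keyLen)
	return subtle.ConstantTimeCompare(got, r.Hash) == 1
}

// ResetToken is the server side of a password reset (as opposed to a reminder):
// a single-use random secret goes to the user, and only its SHA-256 is kept, so
// a leaked table yields no working reset links.
type ResetToken struct {
	Hash    [32]byte
	Expires time.Time
}

// IssueResetToken returns the secret to send to the user and the record to store.
func IssueResetToken(ttl time.Duration) (string, ResetToken, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", ResetToken{}, err
	}
	secret := hex.EncodeToString(raw)
	return secret, ResetToken{Hash: sha256.Sum256([]byte(secret)), Expires: time.Now().Add(ttl)}, nil
}

// Redeem accepts a presented secret only while the token is unexpired.
func (t ResetToken) Redeem(presented string, now time.Time) bool {
	if now.After(t.Expires) {
		return false
	}
	h := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(h[:], t.Hash[:]) == 1
}

func main() {
	long := "a password far longer than fifty characters is perfectly fine to store this way"
	rec, _ := NewPasswordRecord(long)
	secret, tok, _ := IssueResetToken(time.Hour)
	fmt.Println("verify:", rec.Verify(long), "reset token redeems:", tok.Redeem(secret, time.Now()))
}
```

Nothing in a PasswordRecord can be turned back into the password, which is exactly why a site that can email you your password has, by definition, not stored it this way.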

Catch 22 - BEAST vs RC4.

On the TLSv1 protocol, developers face a tricky problem which cannot be entirely resolved.  You see, both BEAST and RC4 present a risk... and until recently, developers considered RC4 to be the lesser of two evils.  Things have changed significantly however.  New exploits have proven RC4 to be considerably weaker than we first thought... and updates to modern browsers render the risk from BEAST almost irrelevant.

As such, BEAST is now the lesser of two evils.  Santander/Headland however, haven't moved with the times.
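The SSL Labs findings above (TLS 1.0 forcing the BEAST-or-RC4 choice, RC4 still preferred, no forward secrecy) are all things a server operator can lint for before a third party does. As an added example, not code from the post, Santander or Headland, here is such a check written against Go's crypto/tls. It flags a protocol floor below TLS 1.2 (the only way to sidestep the catch-22, since TLS 1.2 AEAD suites are affected by neither BEAST nor RC4), any cipher suite Go itself lists as insecure, and any pre-1.3 suite without an ephemeral (ECDHE) key exchange. The weak and hardened configurations are constructed for the example and are not the real server's settings.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// versionName renders a TLS version constant for a finding message.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// AuditServerTLS checks a Go server configuration for the problems the post's
// SSL Labs report raised and returns one finding per problem. An empty result
// means the configuration passes.
func AuditServerTLS(cfg *tls.Config) []string {
	var findings []string
	minVer := cfg.MinVersion
	if minVer == 0 {
		minVer = tls.VersionTLS12 // Go's current default floor, stated explicitly
	}
	if minVer < tls.VersionTLS12 {
		findings = append(findings, "minimum version "+versionName(minVer)+
			" allows CBC-with-BEAST or RC4 instead of TLS 1.2 AEAD suites")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if insecure[id] {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
		// Pre-1.3 suites only give forward secrecy with an ephemeral (ECDHE) key exchange.
		if !strings.Contains(name, "ECDHE") {
			findings = append(findings, "no forward secrecy: "+name+" uses static RSA key exchange")
		}
	}
	return findings
}

// WeakConfig mirrors the shape of what the post describes: TLS 1.0 reachable,
// RC4 preferred, no ephemeral key exchange. Constructed for the example.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// HardenedConfig is the corrected counterpart: a TLS 1.2 floor and only ECDHE
// AEAD suites, which avoids the BEAST/RC4 trade-off and gives forward secrecy.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakConfig(), "hardened": HardenedConfig()} {
		findings := AuditServerTLS(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The weak configuration produces four findings (the TLS 1.0 floor, RC4 listed as insecure, and both suites lacking forward secrecy); the hardened one produces none. Running the same audit against the real site's settings would still leave insecure renegotiation and session resumption to check separately, since those are handshake behaviours rather than fields on this struct.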

PCI Compliance - Who needs it?

As a corporate bank, you'd be forgiven for thinking the site would be payment card industry compliant... wouldn't you?  Nope.

Cross Site Scripting - The thorn in Santander's side.


No, that's not the wrong image...

It's the HMRC payment gateway, hosted under Santander's BillPay website.  As you can see, it's possible to inject arbitrary content here too.  I've added the OWASP image purely to prove it's possible... but there's nothing stopping an attacker inserting a fake payment form, or indeed modifying the official one.

Secure? Pull the other one.

So, I raised it with Santander straight away.


The call which followed was bizarre, to say the least.  The responses ranged from the perfunctory "we use SSL" to "Call Halifax, it's their problem" and "That site is owned by HMRC, call them".  I lost count of how often I said I hadn't actually entered my Halifax card details yet, but still she continued to blame them.

It turns out Santander had given me the wrong number!  After much searching and many phone calls, I finally ended up in the hands of Craig McDougall, a technical analyst at GeoBan UK, part of the Santander Group.  He forwarded my comments to Headland and, after a couple of weeks, I received an email.


Great!  I've checked the site since and although the XSS exploits have been patched, the SSL issues have not.

Check it yourself here: http://ssllabs.com/ssltest/analyze.html?d=santanderbillpayment.co.uk

By this point, I'm ready to chalk it up as another sorry Santander episode... but something appeared in my Twitter timeline which got me wondering...

Mobile Applications


Sounds great! A mobile app for both personal and business customers offering...


If "it's as secure as online banking", we're in trouble.  Let's take a closer look.

[Screenshot, 2013-12-09 23:14]

I've installed both the personal and business banking apps... so let's fire up the personal version first.

Before entering a fake User ID, I started Fiddler and routed HTTPS (ya know, that secure traffic that nobody can intercept!) through the proxy, essentially performing a MiTM attack on myself.

[Screenshot, 2013-12-09 23:19]

The result?


Wonderful.  My User ID (and subsequently the password, had I gone further) has just been intercepted.

How is that possible?

When you route traffic through Fiddler, it creates a fake SSL certificate which a secure browser/application should easily detect.  Remember the warning we had earlier when trying to load the other site?  We should see something similar here.  After all, the fake SSL certificate means someone could be watching everything we type.  A "secure" application would throw a warning or simply refuse to connect.  Santander's "secure" mobile app however... assumes everything is safe and carries on regardless.

How does that apply in a real-world environment?

The common misconception here is an attacker would need access to your internal network for this exploit to work, but that simply isn't true.

A secure SSL implementation requires at least two things... strong encryption and, crucially, authentication.  The encryption ensures the data cannot easily be decrypted without the key... but authentication ensures you're sharing the data with the correct party to begin with.

You'd never dream of giving your bank details to a random caller, purporting to be Santander... but that's exactly how this application operates!  So if anyone in your network, internal or external (ISP, proxy, DNS et al) tells the app "hey, I'm Santander... send me the data instead", you're screwed.

What about the business banking app, is that safe?

Long story short, no.


As you can see, now we're talking to bb.santander.co.uk instead of m.santander.co.uk.

Unfortunately, it still doesn't check the certificate's validity and similarly, any data entered into the app can be intercepted & read by anyone.
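What the Fiddler test above actually exercises is the client's certificate check, and it is easy to reproduce without any network in between. The following is an added example in Go, not the apps' code and not Santander's or Headland's: it starts a loopback TLS server with a freshly minted self-signed certificate (which, to a verifying client, is indistinguishable from the forged certificate a proxy presents) and then connects three ways: with system trust and hostname checking, with verification switched off (the behaviour the post describes), and with the bank's own certificate pinned as the only trusted root (the fix). The hostname m.bank.example and the user ID are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const bankHost = "m.bank.example" // hypothetical hostname, constructed for this example

// startUntrustedServer mints a throwaway certificate for bankHost that no system
// store trusts (to a verifying client it looks exactly like the forged certificate
// an interception proxy such as Fiddler presents), listens with it on loopback,
// and forwards the first message of every connection to the returned channel.
func startUntrustedServer() (addr string, leaf *x509.Certificate, seen <-chan string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{bankHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return
	}
	leaf, _ = x509.ParseCertificate(der) // just produced by CreateCertificate, so it parses
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return
	}
	captured := make(chan string, 16)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			buf := make([]byte, 256)
			// Read completes the handshake; it fails if the client rejects our certificate.
			if n, _ := conn.Read(buf); n > 0 {
				captured <- string(buf[:n])
			}
			conn.Close()
		}
	}()
	return ln.Addr().String(), leaf, captured, nil
}

// sendUserID dials with the given client policy and, only if the handshake (where
// certificate checks happen) succeeds, sends the user ID. It returns what the
// server captured, or "" if nothing got through.
func sendUserID(addr, userID string, cfg *tls.Config, seen <-chan string) string {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "" // handshake refused, nothing was sent
	}
	defer conn.Close()
	conn.Write([]byte("userid=" + userID))
	select {
	case s := <-seen:
		return s
	case <-time.After(2 * time.Second):
		return ""
	}
}

// Demo runs three client policies against the untrusted server and returns what
// each one leaked: verifying (system roots plus hostname check), trustAll
// (InsecureSkipVerify, the app behaviour the post describes) and pinned (trusts
// only the bank's own certificate: the fix, and it still works).
func Demo() (verifying, trustAll, pinned string, err error) {
	addr, leaf, seen, err := startUntrustedServer()
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	verifying = sendUserID(addr, "user1", &tls.Config{ServerName: bankHost}, seen)
	trustAll = sendUserID(addr, "user1", &tls.Config{ServerName: bankHost, InsecureSkipVerify: true}, seen)
	pinned = sendUserID(addr, "user1", &tls.Config{ServerName: bankHost, RootCAs: pool}, seen)
	return
}

func main() {
	v, a, p, err := Demo()
	fmt.Printf("verifying=%q trustAll=%q pinned=%q err=%v\n", v, a, p, err)
}
```

Only the trust-all client hands over the user ID to the untrusted server, which is the mobile-app result the post shows; the verifying client fails inside Dial before any application data exists, and pinning keeps the app working against its real endpoint while refusing anything else. On Android the same distinction is between the platform's default TrustManager and a custom one that accepts every chain.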

Security Audits

Santander first appeared on my radar back in 2010, with both XSS and SQLi issues which they eventually fixed.  Since then, they've appeared at least once a year with a variety of dodgy security practices, all of which beg the question...

How useful/frequent are their security audits?

OK.  Cards on the table... I've probably spent a good hour on this and I've barely scraped the surface.  No automated tools, just basic manual checks which it failed miserably.  If Santander have missed the basics, what else have they missed?  Let's not forget, they provide a payment gateway for several high-profile web sites.

HMRC, Tiscali, E.ON, nPower, several council offices, Severn Trent Water... that's just a few.  A full list is here: https://www.santanderbillpayment.co.uk/scripts/who.asp

Presumably the task of processing payments went out to tender for many of these firms... was an audit carried out to make sure it was safe, and if so, by whom?

What really concerns me is both Headland & Santander consider this to be "resolved".

Summary

If you can, avoid Santander like the plague.  It's poorly designed, insufficiently tested and vulnerable to a wide variety of exploits.  If you come across a site connected with Headland in any way, tread very carefully.


  • ID Theft Protect

    Your analysis isn’t shocking to those of us who conduct security audits. We’ve noted poor implementation of SSL/AES in many instances (both mobile and Web). Most believe attacks are PoC and can only happen if the attacker is on the same network.

    • Paul @ Rambling Rant

      Hi Julian, thanks for your reply.

      I wholeheartedly agree with you. This is a common scenario, sadly… but I still think we have the right to expect (or demand) better from our financial institutions.

      Just curious, what do you do at ID Theft Protect?


  • Mohit

    Certificate and protocol analysis screenshots are from which app?

    • Paul @ Rambling Rant

      Fiddler… it’s in the article :)

      • Mohit

        Oh! I am sorry :P

  • Chris

    Hi Paul,

    My wife just signed us up for a Santander 123 account and tonight pulled me over to the laptop asking about a certificate warning when she tried to log on to the online banking for the first time. It was Chrome warning that the site certificate had expired. I thought something must be wrong and told her not to proceed. I made sure Chrome was the latest version and looked at the certificate info; it does appear the certificate is genuinely expired and in use for personal banking! I found your blog whilst trying to determine if it was just us or not.

    The address we get redirected to when trying to login to personal banking (via https://retail.santander.co.uk/LOGSUK_NS_ENS/ChannelDriver.ssobto?dse_operationName=LOGON) is https://myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=prepare&personalID=12345678 (I changed the ID of course, but the same certificate applies)

    Really? It appears to have expired Feb 2013! Surely this can’t be true, this certificate can’t be expired for nearly a year and still in use. Can you check, is it just us?

    We’re thinking of cancelling the account if this is the kind of security they have; we never had this kind of fundamental problem with HSBC or Barclays (both of which sent us physical handshake tools for logon, which seems like a good idea).

    Thanks,

    Chris

    • Paul @ Rambling Rant

      Hi Chris

      I can confirm, it’s not just you. It looks like a faulty redirect though… I don’t think they use that domain now. I could be wrong though.

      In any event, if it’s public-facing, it should be valid & secure. An expired certificate gives entirely the wrong impression; or right impression depending on your view point.

      This isn’t the first time I’ve blogged about serious issues at Santander and I doubt it’ll be the last.

      Saying that though, I’ve had a few issues with Barclays too. A couple of XSS bugs, the “PingIt” mobile app (which is still vulnerable today) and no doubt others. They did address the XSS issue fairly quickly, but they were so obnoxious during the disclosure, I decided not to share the PingIt proof of concept. I was a Barclays customer too at the time.

      There was a serious exploit with HSBC too, many years ago. The difference there was the response – prompt, efficient and bang on the money (pardon the pun). I can’t comment on them today, but if they handle all issues in a similar manner, I would be fairly confident using their services.

      Choosing a “secure” bank (both financially and online) is a lesser of many evils though. These types of issues could happen to any bank, or site saying that. What matters to me is their response, both timescale & level of competency. Santander are, well… I wouldn’t deal with them if they were the last remaining bank.

      I spent some time a few months ago going through every available account. To my utter astonishment, Tesco came out on top in my (admittedly) vanilla testing. That’s not because Tesco were great, but the rest were significantly worse.

      The PinSentry (and similar) machines are pretty good, but they can be beaten. It is another obstacle though, which can’t be a bad thing.

      If you do cancel, make damn sure they understand exactly why you’re leaving. If they start to lose significant amounts of business over this type of negligence, they’ll hopefully make improvements.

      Good luck, let me know how it works out.

      Paul.

      • Chris

        Hi Paul,

        Thanks for checking and the info on other banks. Trying to log in just now, I now get a different error from Chrome:

        “Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.

        Error code: ERR_SSL_PROTOCOL_ERROR”

        Coincidence that we just had this discussion? Hmmm…

        I also thought the “abbeynational.co.uk” address was a bit strange but given Santander bought them maybe not (although they did rename 4 years ago now)? Incidentally I also notice that on the logon page the link to “Credit Cards” at the bottom points to https://myonlineaccounts3.abbeynational.co.uk/ which doesn’t work at all (ugh!)

        Chris

      • Chris

        Also good to see the link I posted had a spurious character in it which causes a “JSP Processing Error” and stack trace. It looks like anything wrong in the address does the same to the site, e.g. https://retail.santander.co.uk/LOGSUK_NS_ENS/ChannelDriver.ssobto?dse_operationName=LOGON_INVALID (changing the “operationName” parameter to have “_INVALID” in this case), but anything other than “LOGON” causes it to explode in the same way; surely some error handling wouldn’t go amiss.

  • Ian

    Unfortunately, it seems these updates may have come too late. This morning I received a scam email addressed to alliance-leicester@mydomain.com. This address was created specifically for signing up to an Alliance and Leicester account and has not been used since. The email also contained my surname. The only way the scammers could have obtained this email address is by some kind of breach of Santander’s system. It also appears I am not the only one:

    https://www.facebook.com/santanderuk/posts/565661770191098

    https://www.facebook.com/santanderuk/posts/565054290251846

    https://www.facebook.com/santanderuk/posts/564594726964469

    I find it amazing that a bank can have such poor security. Plain text passwords – that’s unbelievable!

    Ian

  • Mike

    Interesting article. I found it because I wanted to pay a bill online and wondered if Santander had fixed the plaintext password storage. I guess I won’t bother using their site. I thought you’d be interested to know that I emailed Headland in May 2012 regarding plaintext password storage. I was promised by Graeme Wilson (a Director), Ken Heptonstall (their Director and founder), and Craig Pickles (technical director) that somebody would get back to me with a response, but they never did. It’s absolutely astounding that it’s taken this long for anything to be done.