SSL status of Taiwanese banks: a sad affair

Today there was a story on Hacker News, how someone tweeting a screenshot of a bank’s SSL certificate got harassed by the bank in Greece. This got me thinking about the status of the banks here in Taiwan, especially how this place is so wired and online now. So I took a list of taiwanese banks and run each of their sites through the SSL Test. From past experiences I haven’t had my hopes up, but boy is the result ugly…

SSLTest_F
The usual result of this exercise

SSL Test Overview

I had a list of 43 banks, and for a quick overview I took into account a few key features only. The first is whether there are any active vulnerabilities against the site according to the test (these were mostly CRIME, FREAK, and POODLE attacks). The second is whether RC4 encryption was enabled, as it is now prohibited, and having it on is an automatic Payment Card Industry Data Security (PCI) compliance failure, according to one of the commenters. Other various warnings are mentioned when something really stands out, they are not crucial but more nice to have (though I’d contend that Forward Secrecy and HTTP Strict Transport Security is more than “nice” for anything financial).

Edit: Since publishing this post, there’s a brand new password recovery attack against RC4, so it’s even more urgent to switch it off.

Test Outcome

The only A rating was for Deutsche Bank, which uses its global site for all regional sections too, so not that surprising that it was better than average. The rest of it in a nutshell:

  • 22 out 43 banks (51%) got an F,
  • 2 of them did not have SSL (though no online banking either, fortunately),
  • 1 SSL enabled site couldn’t be tested somehow, possibly because of redirections
  • Only 4 of them (9%) disabled RC4, the rest of it (91%) is vulnerable to password recovery attacks,
  • 24 of them (56%) are vulnerable to common attacks, 5 (11%) to multiple different attacks (besides RC4), POODLE being the most common
  • There was one site where the general corporate website’s HTTPS was better configured (B) than the e-banking (F)…
  • Handling redirects and subdomains is generally very confusing for banks
  • Most banks have multiple subdomains for different services (“bank site”, “e-banking”, and “web ATM” are the three most common)
  • Of the 4 banks I have account at, there’s one B and three F-rated (not naming names)

The raw overall data and test links follow (with an outlook afterwards). Usually I’ve linked to the e-bank pages of banks, unless I couldn’t see it or was the same domain as their corporate site.

Update (2015-03-19): Some banks started to fix their systems, noticed changes will be added to the bottom of this post!

Update (2015-03-25): Instead of keeping up with the changes manually, made a page for automatic status tests. It’s still in development but you can check it here: Taiwan Financial Institutes SSL Tests.

Taiwanese Bank SSL Test Results

Data as of 2015-03-24
BankSSL Test ResultRC4 blockedAttacksComments
Agricultural Bank of TaiwanXn/an/aCan't run test due to redirect settings (?)
ANZ TaiwanF (main),
B (was F) (credit card)
XPOODLE, MitMFor the credit card management it's RC4, but otherwise good
Bank of AmericaBY-No e-banking
Bank of East AsiaXn/an/aNo SSL version of site
Bank of KaohsiungFXPOODLE
Bank of PanshinFXPOODLE
Bank of TaipeiFXFREAK
Bank of TaiwanA- (was F)Y-
Bank SinoPacCXPOODLE
Cathay United BankFXPOODLE
Chang Hwa BankFXFREAK, POODLE
China Development Industrial BankBX-HTTPS page tries to load unsafe scripts
Chinatrust Commercial BankB (was F)X-
Chunghwa Post (Post Office)FXPOODLE
Citibank TaiwanBX-
Cosmos Bank (KGI)BX-
COTA Commercial BankBX-
DBS TaiwanCYPOODLE
Deutsche BankAY-Only warning is not using SHA2
E.Sun BankFXPOODLE
EnTie BankBX-
Far Eastern International BankFXPOODLE
First BankB (corp),
F (ibank),
F (ebank)
XPOODLEebanking settings are weaker than general corporate sites?
Fubon FinancialBX-
HSBC TaiwanBX-No secure renegotiation, SSL3
Hua Nan BankFXPOODLE
Hwatai BankFXPOODLE
JihSun BankFXPOODLE
King's Town BankF (e-ATM),
F (e-bank)
XCRIME, FREAK, POODLE, Diffie-Hellmanthe horror...
Land Bank of TaiwanCX-
Mega International Commercial BankA-Y-
MetrobankXn/ano SSL
Shanghai Commercial and Savings BankBX-
Shin Kong BankFXPOODLE
Standard CharteredBY-
Sunny BankFXFREAK, POODLE, Diffie-Hellman
Taichung BankFXPOODLE
Taishin International BankBX-
Taiwan Business BankFXPOODLE
Taiwan Cooperative BankBX-
TC BankFXPOODLE
Union Bank of TaiwanFXFREAK, POODLE
Yuanta BankBX-
National Credit Card CenterBX-they should definitely do better
Financial Information Service (FISC)A-Y-

What’s next?

Financial fraud in Taiwan is pretty prevalent, though it’s usually the “old fashioned” phone scam type. On the other hand, people here seem to be very lucrative target of groups based in China and Philippines. While I don’t know about the latter, the former likely has black hat teams with a lot more computer savvy than most users here (or anywhere else). It would be very-very good to fix up these systems.

Since these banks don’t seem to be on Twitter in general (except maybe the international ones), would be good to look up the local tech contacts, and bring the problem to their attention. One thing that makes me optimistic about it on the long term, is that Taiwan has a lot of computer savvy and outspoken activists. Will try to reach out to them, and use the local talent (and local ways) to approach this. Also, local administration (ie. city government) seems to be more powerful here, and we have a quite techy and driven new mayor in Taipei city. Putting pressure on the banks through them is not inconceivable.

I like it a lot where technology is going over here (many days I feel like being in a science fiction), and hope to make it work out well by keeping an eye on the practical implementations such as this.

If you find any problems in the dataset above (or any updates as sites are fixed:), please let me know!

Updates

  • 2015-03-19: Chinatrust fixed their POODLE vulnerability, improving their score from F to B! Hope they’ll fix RC4 next.
  • 2015-03-19: Bank of Taiwan went from F to A-, the first Taiwan-based bank to achieve an A!
  • 2015-03-23: The ANZ Credit Card site went from F to B as well, which is pretty good, even if their corporate site remains F.
  • 2015-03-24: Mega Bank went from B to A- by disabling RC4.
  • Franta

    Psst, do not tell anyone – I am much safer using bitcoin blockchain.

    • That’s a different conversation :)

      Being networked from the get-go, bitcoin tech is generally much more security-conscious, and the level of conversation is much higher. The questions are different (eg “these are the sites that do not have 2FA, shame!”), but there will always be questions, rightfully.

      Think of this as one more way of showing the inadequacy and unpreparedness of the current system, that I am unfortunately forced to use.

  • V字龍(Vdragon)

    Glad with the compliment of the “new mayor” :-), good luck!

  • S

    You should not use the bank who does such awful job at handling security. Let me repeat: YOU SHOULD NOT USE THE BANK THAT FAILS AT SECURITY. And whoever is responsible for this should be fired on the spot.

    The most funny part is, they have hundreds of people in their IT departments with silly security rules, yet failing at this point.
    [I work with banks.]

  • redbean

    The SSL Test Result maybe need to update. ex.Chinatrust Commercial Bank, Bank of Taiwan,

    • Great news, thanks a lot, I’v updated the post! :)

  • rhatoon

    Why did you skip the two major interbank organization, NCCC and FISC. They play a major role and have very weak security control.

    • Originally because I didn’t think of them (since I never use them directly). But the NCCC was added to the list a while ago. Will add FISC too. Thanks!

  • Krebs

    Hi, the SSL Test Result may need to be updated for DBS Bank. Thanks.

    • Hi, yes, I’ve seen that, great that they’ve improved! As mentioned in the post, I stopped updating this table, the current results will be continuously at https://gergely.imreh.net/twbankssl/ (it’s automatically scanned and updated table)

  • twraymn
  • Pingback: Taiwan Bank SSL Continuous Monitoring - ClickedyClick()

  • Pingback: Taiwan Citizen Digital Certificate - ClickedyClick()