Digital certificates were developed for a reason: to validate online environments and support legitimate commerce and transactions. Whether it is Transport Layer Security (TLS), or its older predecessor, Secure Sockets Layer (SSL), these protocols have become critical to sustaining security over networks, the internet, email, messaging, and even voice over IP (VoIP). Public Key Infrastructure (PKI), in which certificates play such a vital role, is the cornerstone of data protection, identity confirmation, online payment systems, trust, and even getting “found” through search engines, since they generally direct searches toward safer sites, namely those with properly configured and maintained PKI.
Thanks to the power of Remme Keyhub, we recognized that we had a tool that provided us with an opportunity to illuminate the state of practice and typical problem areas across many of the world’s key industries.
In a previous post, we focused on the global retail sector, where we looked at the top fifty most visited websites. There were some surprises for readers in terms of the large number of organizations we found with certificate problems – with some organizations having one in five of their certificates invalid! Large investments in security can be put at risk, and there are consequences for day-to-day business, too.
Data from the banking sector has encouraging characteristics but also aspects that are worrisome.
The shape of the problem
As has been well documented, the bad certificate problem has been a factor in a great many corporate hacks. It is practically a “welcome” sign for would-be attackers. Of course, certificate problems represent an obvious security risk but they also contribute to poor website performance, and sudden unexpected glitches that can interrupt transactions. Finally, of course, those problems need to be fixed. Whether it is staff time or a vendor or consultant, fixing something that shouldn’t have been “broken” in the first place wastes financial resources. Banking organizations are particularly at risk.
According to a recent Deloitte report, 2019 Banking and Capital Markets Outlook, the global banking system is both bigger and more profitable than it was in the wake of the 2008 recession, and now holds total assets of some $124 trillion, up from some $96 trillion a decade ago.
With those vast sums as a target, everyone from state-sponsored hackers (for example, from North Korea) to lone actors, like the individual who hacked her way into obtaining personally identifiable information on millions of Capital One customers (100 million in the US and 6 million in Canada, to be exact), is trying to find a way in.
There are many other tales of loss around the globe. A recent report by SWIFT, the global financial transaction messaging service, noted that four out of every five fraudulent transactions were issued to beneficiary accounts in East and South East Asia, and that, while about 70 percent of attempted thefts were USD-based, hacks involving European currencies have been on the increase.
And, according to the most recent Verizon Data Breach Investigation Report, 2018 saw 598 incidents, 146 with confirmed data disclosure across both financial and insurance industries. The Verizon researchers said there were another 40,000 attacks on web application authentication mechanisms driven by banking Trojan botnets.
Finally, according to industry sources, the stakes are especially high in the banking and financial industry since the customer relationship is largely based on trust. Poor performance because of certificate problems can call that trust into question. Furthermore, industry sources consistently peg the cost of outages for large global organizations at as much as $300,000 per hour, and the cost to repair significant outages is even higher on a per-hour basis.
The top 50: overview for banking
With the help of Keyhub we examined the public domains of the top 50 banking websites, covering over 19,500 subdomains. Among them are over 7,000 subdomains for user services with more than 4,000 certificates, 6.6% of which have expired.
Here is what we’ve found.
- 4,337 certificates discovered
- 128 certificate authorities (CAs)
- 70 SHA1-signed certificates
- 13 certificates with weak keys
- 287 certificates expired
- 106 certificates close to expiration
As is well known, the legacy SHA1 hash is no longer considered adequate. Microsoft announced a decision to deprecate the use of SHA1 and to replace it with SHA256, which means Microsoft products no longer recognize SHA1-signed certificates and their use will lead to security alerts.
While the vast majority of banking organizations used only one host, a few used between 11 and 50. Likewise, while nearly all of the keys discovered with Keyhub (more than 4200) were RSA 2048, generally considered to be a standard, a handful – 61 – of the stronger RSA 4096 keys were in use. Eight examples of ECC 256, a robust alternative but one that some suggest could be slower due to being more compute-intensive, were also found.
Similarly, when it comes to the use of a signature hash algorithm, there was great uniformity in use as revealed by Keyhub. Nearly all institutions were using SHA256RSA. One organization had adopted SHA256ECDSA. Of course, the strength of the hash algorithm used to sign a digital certificate makes all the difference. A weakness in a hash algorithm can allow attackers to get fraudulent certificates. In this area, banks got high marks.
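The checks behind the headline counts above (SHA1 signatures, weak keys, expired and soon-to-expire certificates) can be expressed in a few lines. The following is an added example written for this post, not Keyhub's code; it audits constructed in-memory certificates (not real bank data) where a scanner would use the leaf certificates collected from TLS handshakes, and the 30-day "close to expiration" window is an assumption.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// auditCert applies the checks behind the report's headline counts to one leaf
// certificate: SHA-1 signature, weak RSA key (< 2048 bits), expired, or expiring
// within warn. now is injected rather than read from the clock so runs repeat.
func auditCert(c *x509.Certificate, now time.Time, warn time.Duration) []string {
	var issues []string
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		issues = append(issues, "sha1")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		issues = append(issues, "weak-key")
	}
	if !now.Before(c.NotAfter) {
		issues = append(issues, "expired")
	} else if c.NotAfter.Sub(now) <= warn {
		issues = append(issues, "expiring-soon")
	}
	return issues
}

// auditAll rolls per-host findings up into the category totals the report lists.
func auditAll(certs map[string]*x509.Certificate, now time.Time, warn time.Duration) map[string]int {
	totals := map[string]int{"certificates": len(certs)}
	for _, c := range certs {
		for _, issue := range auditCert(c, now, warn) {
			totals[issue]++
		}
	}
	return totals
}

// sampleCerts builds constructed in-memory certs (not real bank data) in place of leaf certs pulled from TLS handshakes.
func sampleCerts(now time.Time) map[string]*x509.Certificate {
	weak := &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 1023), E: 65537} // 1024-bit modulus
	good := &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 2047), E: 65537} // 2048-bit modulus
	return map[string]*x509.Certificate{
		"login.bank.test": {SignatureAlgorithm: x509.SHA1WithRSA, PublicKey: weak, NotAfter: now.AddDate(0, -2, 0)},
		"api.bank.test":   {SignatureAlgorithm: x509.SHA256WithRSA, PublicKey: good, NotAfter: now.AddDate(0, 0, 10)},
		"www.bank.test":   {SignatureAlgorithm: x509.SHA256WithRSA, PublicKey: good, NotAfter: now.AddDate(1, 0, 0)},
	}
}
```

Running auditAll over the three sample hosts yields one certificate in each problem category, which is the same roll-up shown in the list above.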
The Top 10: Digging into the subdomains
The overall average number of subdomains across the top 10 was 683! Among the top 10 banks, only three had fewer than 100 subdomains. One had more than 2,000 (with only two expired certificates) and another nearly 3,000, with 62 expired – nearly 7.5 percent. Only two of the top 10 had no expired certificates. The “worst” was an institution with 16.7 percent of its certificates expired. Another had 12.5 percent expired. The large number of subdomains and the high rate of expired certificates among the top 10 institutions illustrate the need for deep scans to detect and monitor all certificates.
Needless to say, we salute the positive steps taken by many in banking to stay secure and handle certificate issues in a timely manner. For those with sub-par practices, we encourage them to take the right steps to update and protect their certificates and their domains and subdomains. Automation can find and identify certificates associated with your domains and subdomains (often certificates that the organization has forgotten about!). And weak, expired, and missing certificates can be eliminated – improving efficiency and boosting security.
Keyhub’s mission is to help people understand the vital role played by certificates, as well as the practices and tools that can help with organizing and maintaining them. Create your free Keyhub account to find your certificates in less than 5 minutes!