Fifty per cent of UK high street financial institutions utilise weak SSL certificates on their secure authentication portals, according to a new study by Xiphos Research.
An assessment of 84 UK- and foreign-owned banking institutions, carried out in November by the international information security firm and published on Monday, found that more than half were running SSL certificates that may expose their customers' data to unwarranted risk.
Problems identified included certificate instances that may be vulnerable to well-documented attacks, such as CRIME and POODLE, as well as other crypto flaws.
Xiphos is not naming the affected organisations but its findings are nonetheless credible because individual instances of banks failing to update sites in the weeks after serious crypto flaws (such as POODLE) are well known.
The security consultancy may not have been able to contact many of the impacted organisations, a factor that led it to avoid naming names.
In cases where it couldn’t contact organisations directly it passed on its findings via the Financial Conduct Authority and NCA (National Crime Agency). ®