Seriously, banks? Obvious website security issues at major US banks

Of all the websites you visit you probably assume your bank’s is setting the security bar. Well…

Google publicly announced last year that it would begin sunsetting SHA-1 support in Google Chrome, so the green lock icon you’d expect to see on your bank’s website might start turning white, orange, or red depending on how out of date its security is.

Back in 2011 the CA/Browser Forum (CAB Forum), an industry group of leading web browsers and certificate authorities working together to establish basic security requirements for SSL certificates, recommended that websites should start using SHA-2. In fact, the government published deprecation plans in 2011 to take effect in 2014: “SHA-1 shall not be used for digital signature generation after December 31, 2013.”

So you’d expect your bank to be privy to this information and waiting with bated breath to upgrade its security as soon as the upgrade is available. Unfortunately, the login forms of all of these major banks fall short of very clear expectations:

  • bankofamerica.com
  • capitalone.com
  • ally.com
  • wellsfargo.com
  • usbank.com
  • citibank.com
  • hsbc.com

Google even warns users that, “The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it,” and, “Your connection to XYZ is encrypted with obsolete cryptography.”

This doesn’t mean they’re inherently insecure. Banks do have many layers of security and are held to a higher regulatory standard (in the US at least). But this is low-hanging fruit, easy to implement, and a public declaration of a commitment to security.
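The check behind the Chrome warnings above is simply which hash the certificate’s signature uses. Here is an added example (not code from the original post) that fetches the leaf certificate a server presents and reads the signatureAlgorithm OID straight out of the DER, using only the Python standard library; `sample_cert` builds a constructed stand-in certificate so the parser can be exercised offline, and the OID table covers only the common RSA and ECDSA signature algorithms.

```python
import socket
import ssl

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) and the hash family each uses.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def _tlv(der, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content bytes to dotted notation (first byte packs two arcs, rest are base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Return (name, hash family) from the outer signatureAlgorithm of a DER X.509 cert."""
    _, cert_body, _ = _tlv(der_cert, 0)                 # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der_cert, cert_body)           #   tbsCertificate (skipped whole),
    _, alg_body, _ = _tlv(der_cert, tbs_end)            #   signatureAlgorithm SEQUENCE {
    tag, oid_start, oid_end = _tlv(der_cert, alg_body)  #     algorithm OID, parameters }
    if tag != 0x06:
        raise ValueError("malformed certificate: expected OID")
    oid = _decode_oid(der_cert[oid_start:oid_end])
    return SIG_OIDS.get(oid, (oid, "unknown"))

def check_host(host, port=443):
    """Fetch the leaf certificate a server presents and report how it was signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect only, never trust
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return signature_algorithm(tls.getpeercert(binary_form=True))

def _der(tag, body):  # minimal DER encoder, short-form lengths only (sample data is tiny)
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid):
    """Constructed stand-in certificate: stub TBS, the given signature OID, empty signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

This looks only at the leaf certificate; a SHA-1 intermediate in the chain triggers the same browser warnings, so a full audit walks every certificate the server sends.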

More reading