“I want you to build a website and I want it super secure – I’m talking bank grade security here!”
Wow, “bank grade”, this is pretty serious stuff right? I mean the implied intent here is to create something that can be the shining beacon of good security because that’s what “bank grade” means, right?
This had me curious the other day – do banks really deliver on the promise of the high levels of security the term implies? Now banks are complex beasts and you can’t exactly fairly and equitably assess them in a holistic fashion, certainly not from an external perspective. I decided to focus instead just on the SSL implementation of their banking portals so earlier this week I wrote up Do you really want “bank grade” security in your SSL? which focused solely on the big banks Down Under.
The results were worrying. Using Qualys’ excellent SSL Server Test tool, of the 21 banks I checked only 2 scored an “A” grade. To me, that would be the minimum bar for “bank grade” and I’d really like to see them with the maximum “A+” grade. 12 of them were given “B” grades and 3 even scored an “F” which is staggering for a bank.
It was only after I wrote this post though that the penny dropped on just how poor actual “bank grade” security often is. A few years ago I’d written up the Who’s who of bad password practices and unfortunately, banks featured heavily. Restrictive limitations on password complexity was one of the main problems but the bigger one (and one that still prevails with many banks today) was the requirement to use a PIN to authenticate. That’s right, it means logging into your bank with a password as strong as the one you use on that dinky little padlock you put on your suitcase to stop casual thieves from having a looking inside.
And then I thought back to another post from only 6 months ago on This is your bank, please verify your details. Here I had a bank – my bank – calling me up and asking me for personal information without providing any verification of their identity whatsoever. You’ll be familiar with this approach, it’s exactly the same angle used by all those phishing emails that land in your inbox each week! In fact this is the very practice your bank warns you about then proceeds to mimic in their own communications.
Now granted, banks have many mitigating factors and sophisticated fraud detection measures that go well beyond just the surface veneer of what’s been discussed here. But it’s a poor message to send when the banks themselves choose to implement so many security anti-patterns in their everyday communications.
So the next time someone talks about “bank grade” security, do double check with them: “Do you mean weakly implemented SSL with bad password requirements and a communication strategy that reeks of a phishing attack?”