How secure are SA's banks, networks and online shops?

I think equally important is if companies carry EV (Extended Verification) certificates and have frequent vulnerability and malware scans (not that it would have helped with Heartbleed). Also you will find that some of the mentioned sites will have mixed-content warnings on SSL content pages which is similarly worrying (i.e. developers embedding non-secure content).
 
Sadly, they block (most) international access to their site, so it isn't possible to test them with these online tools.
SANRAL:
I just ran a HeartBleed scan ( https://filippo.io/Heartbleed/ ) against www.sanral.co.za, by letting it tunnel via my home ADSL and they're not vulnerable now and they possibly weren't vulnerable before either seeing that their certificate is more than 2 years old.

At https://www.ssllabs.com/ssltest/ SANRAL scored pretty well (probably a B):
Protocol Support: 70
* SSL 3 + TLS 1.0
* No Forward Secrecy
* Microsoft-IIS/7.5 server signature
Key Exchange: 90
Cipher Strength: 90
Certificate: N/A, because I'm tunneling SSL via my home ADSL

ABSA:
I'm not sure what to make of ABSA's website with regards to the HeartBleed test, but I'm fairly sure that they're not vulnerable.

The quick & dirty test is to check when their certificate was last updated. ABSA's certificate would have to be updated within the next few days due to normal expiry...

The majority of our banks probably use dedicated hardware security modules to offload SSL, so the odds of them being vulnerable are pretty low. Also the EV tests/scans against them should force them to always be up to date with the latest security bugfixes.
 
Sadly, they block (most) international access to their site, so it isn't possible to test them with these online tools.

It could be said that blocking international access is an added security enhancement.
 
Worry that standardbank is so poorly rated. Surely after this report, the crooks will be focusing on that one site...
 
Worry that standardbank is so poorly rated. Surely after this report, the crooks will be focusing on that one site...
I've tested their site just now (21:00) and it scored a B, which is good enough:
* Certificate: 100
* Protocol Support: 70 - SSL 3 & TLS 1.0
* Key Exchange: 90
* Cipher Strength: 90
 
I've tested their site just now (21:00) and it scored a B, which is good enough:
* Certificate: 100
* Protocol Support: 70 - SSL 3 & TLS 1.0
* Key Exchange: 90
* Cipher Strength: 90
Quite sad for a bank. I believe in the banking sector they should be proactive rather than reactive when it comes to security matters.
 
I believe in the banking sector they should be proactive rather than reactive when it comes to security matters

I believe in the internet banking sector, the populace should be inactive. Don't throw a Net between you and those you depend on for your financial survival. Who in their right mind performs financial transactions on a battle-field?
 
I am just going to necro this, since ABSA still runs on SHA1 - http://www.naschenweng.info/2015/06/01/chrome-update-shames-sites-outdated-security/

In any case, although there has not been a publicly known attack against a SHA1 installation, it's rather poor to run with an outdated implementation. Mistakes/oversights happen, but if you have known about it since April, I would think that a company the size of Absa would make a change. Who knows, maybe the issue sits on their network appliances (many companies use F5s) and the change might be more complex.
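A scripted version of the rules of thumb used in this thread (was the certificate issued after the Heartbleed disclosure on 7 April 2014, is it still SHA-1 signed, how close is it to expiry), added here as an example and not code from any poster. It reads the text dump produced by `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -text`; the embedded certificate text below is constructed, and the host, dates and field names in it are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) became public on 2014-04-07; a certificate whose
# Not Before predates this was never re-keyed after the disclosure.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Regexes for the lines of interest in `openssl x509 -noout -text` output.
FIELDS = {
    "not_before": r"Not Before\s*:\s*(.+ GMT)",
    "not_after": r"Not After\s*:\s*(.+ GMT)",
    "sig_alg": r"Signature Algorithm:\s*(\S+)",  # first hit is the tbsCertificate one
}

# Constructed sample: an old, SHA-1 signed certificate about to expire.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Validity
            Not Before: Feb  1 00:00:00 2012 GMT
            Not After : Apr 30 23:59:59 2014 GMT
        Subject: CN = www.example.com
"""

def parse_x509_text(text: str) -> dict:
    """Extract validity window and signature algorithm from openssl's text dump."""
    cert = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if not match:
            raise ValueError(f"field {key} not found in certificate text")
        cert[key] = match.group(1).strip()
    for key in ("not_before", "not_after"):
        # openssl pads single-digit days with a double space; normalise first.
        stamp = " ".join(cert[key].split())
        cert[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return cert

def assess(cert: dict, now: datetime) -> dict:
    """Apply the thread's heuristics to a parsed certificate."""
    return {
        "reissued_after_heartbleed": cert["not_before"] > HEARTBLEED_DISCLOSED,
        "sha1_signed": cert["sig_alg"].lower().startswith("sha1"),
        "days_to_expiry": (cert["not_after"] - now).days,
        "expired": cert["not_after"] < now,
    }

if __name__ == "__main__":
    print(assess(parse_x509_text(SAMPLE_X509_TEXT), datetime.now(timezone.utc)))
```

Any certificate that reports `sha1_signed` true or `reissued_after_heartbleed` false is one you would raise with the site owner, since the thread's posters could only infer this by eyeballing the browser's certificate dialog.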
 