Security 24.02.2016

Absa Internet banking security concerns


Following the disclosure of the OpenSSL Heartbleed bug in April 2014, numerous tools appeared online to test whether websites were vulnerable to it.

Qualys SSL Labs’ server test was one such tool, and at the time we used it to check the strength of the security of many South African websites.

Absa’s Internet banking site scored a B back then. This has improved to an A-.

However, a MyBroadband reader dug around on Absa’s site and discovered that when you enter your account number and PIN and click next, your credentials are sent to a different server: vs1.absa.co.za.

For this domain, the results of the SSL Labs test look different.

SSL Labs reports that this Absa domain is still vulnerable to the POODLE attack disclosed in 2014, and that it also supports insecure negotiation.

However, Absa has said that clients need not be alarmed by the SSL Labs test results.

“We are aware of the issues the reader has raised and we’re confident that they do not pose a risk to customers,” said Absa.

The bank said it gets independent vendors to perform penetration tests against the platform regularly.

“Vulnerabilities identified in such tests and which reach us through other channels, such as reports from the security community, are evaluated for exploitability and impact on the customer, and are addressed with priority where it is found the vulnerabilities pose a risk.”
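The reader's finding comes down to testing the host a login form submits to, not only the host that serves the page. The sketch below is an added example, not code from the article or from Absa; its hostnames and HTML are constructed placeholders. It parses a page's HTML and lists every host that receives a password field, so each one can be put through a TLS test:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class CredentialForms(HTMLParser):
    """Collect the resolved action URL of each form with a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.targets = page_url, []
        self._action, self._secret = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._secret = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._secret = self._action is not None

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._secret:
                self.targets.append(self._action)
            self._action = None

def credential_hosts(page_url, html):
    """Map each host that receives credentials to a list of findings."""
    parser = CredentialForms(page_url)
    parser.feed(html)
    parser.close()
    page_host, report = urlsplit(page_url).hostname, {}
    for target in parser.targets:
        u = urlsplit(target)
        notes = report.setdefault(u.hostname, [])
        if u.hostname != page_host:
            notes.append("not the page host: grade its TLS separately")
        if u.scheme != "https":
            notes.append("not submitted over https")
    return report

# Constructed sample (placeholder hosts, not Absa's real markup).
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="https://vs1.bank.example/auth" method="post">
  <input type="text" name="account"><input type="password" name="pin">
</form>"""

if __name__ == "__main__":
    print(credential_hosts(SAMPLE_URL, SAMPLE_HTML))
```

This is a static parse, so a form whose target is set by JavaScript at submit time will not show up and has to be checked in the browser's network view.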
