Wednesday 8 July 2015

Xploring Internet Banking in Ghana: Spotlight on Barclays Bank Ghana Ltd.

Internet banking (IB), the act of customers of financial institutions conducting financial transactions over the Internet using PCs or mobile devices, has become prevalent in all parts of the world. Developed and developing nations have all taken to IB, and the Republic of Ghana, a country of which I am a "proud?" citizen, has not been left out.

Ghana currently boasts over twenty registered financial institutions (FIs) including Barclays Bank Ghana Ltd, Ecobank, Cal Bank, GT Bank, Access Bank, Fidelity Bank, Ghana Commercial Bank and so on, the majority of which provide varying degrees of IB services.

Today, I seek to put the spotlight on the IB service provided by Barclays Bank Ghana (BBG) Ltd, one of the banks in Ghana I am a customer of and whose IB service I use pretty much on a daily basis. I must admit I am not a "Prestige" account holder, which in Barclays' own words "comes with preferential treatment for services and a little more besides", so I find the IB service a convenient way to get around the hurly-burly of joining long queues in the banking halls to conduct financial transactions, and especially when I am abroad, it is the surest way to get money across to family and friends who need some cash.

Let me put it on record that I have an extensive IB experience spanning well over 10 years with subscriptions in Europe, North America, Asia, and Africa so I quite understand the nitty-gritties of using an IB service.

In this xploration, I will look at issues relating to Access (both mobile and PC, with particular emphasis on PC), Availability* (24/7/365), and Security (SSL configuration issues). In the future I could xplore issues relating to Performance (load time of the online banking web portal and related issues) and Aesthetics (look and feel) :). Ready for this? Let's go!!

Access

The landing page for Barclays Ghana's Internet banking service is at http://gh.barclays.com/. Upon entering this URL in your browser, this is the page you see (as shown below).


Notice the red rectangle at the top-right corner? That's where you go to start your BBG IB stuff (NB: I put the red rectangle there just to highlight the "Login" button; it's not there by default). Simply click on the "Login" button and a login page opens in a new window for you to enter your IB login credentials. As simple as that!

BBG online banking transactions can be carried out on PCs using any of the major browsers on the market without any restrictions, unlike countries such as South Korea where online banking is tied to specific browser technologies. BBG provides a downloadable mobile app for both Android and iOS as well, two of the major mobile OSs, so it's all good and well. Not looking at issues relating to the security mechanisms used in IB user identification, authentication and authorization, but rather at the ease of use of the available mediums of access (PC and mobile) provided by BBG, I would give BBG an "A" grade on Access. It is that easy and flexible.

Availability*

I put an asterisk after Availability to denote that although most online banking service providers strive to provide a 24 hours a day, 7 days a week, 365 days a year service in order to ensure customer satisfaction and guarantee the security of customers' personal data, online banking sites may be unavailable at certain times of the day (usually at non-peak banking hours [but not on a daily basis], or as the financial institution may deem appropriate) for planned or scheduled maintenance. Where there is planned maintenance, the FI is sure to inform its customers either through information on its website, via email, text messaging (SMS) or via any appropriate medium it chooses.

That unfortunately is not the case for BBG. For BBG, it appears there is a daily maintenance or downtime period of varying length (usually between 00:00 GMT and 06:00 GMT) for its Internet banking service, and this often happens without prior notice to customers. Perhaps it is the case that all or the majority of BBG's online banking users are assumed to be physically residing in Ghana at all material times and expected to be sleeping during the downtime period above, and so are not expected to undertake online transactions within it. If that is the assumption, then it is completely erroneous and must be fixed ASAP. There are BBG online banking customers (including myself) across all the continents of the world in different time zones who access BBG's online banking services at different times of the day.

In this present day of massive Internet and smart device proliferation all over the world, customers cannot and will not accept anything less than a ubiquitous, seamless, uninterrupted service, whenever, wherever and however!

I include the following screenshots taken on different days and times to buttress my "downtime" point above. Note the red rectangles at the bottom-right corners in the shots for the downtime dates and times.

Downtime Day 1

Downtime Day 2


Downtime Day 3

For the Availability attribute, I give Barclays Ghana a grade C. We need an always-on service, please!

Security

BBG, in comparison with several local and international FIs offering online banking services, does pretty well in terms of the security of its Internet banking servers [according to a study by me]. An analysis of BBG's SSL server configuration settings using the world’s number one open-source SSL server configuration test tool, “SSL Labs”, developed, managed and maintained by Qualys Inc, accords BBG's SSL servers a "C" grade. The "C" grade, while not too alarming, reveals significant details about BBG's Internet banking service requiring urgent improvements.

BBG SSL Server Config. Test - Overall rating

Of particular importance is the need for BBG to discontinue support for the obsolete SSL 3.0 (RFC 6101) protocol in order to protect its IB customers from cyber attacks such as POODLE and BEAST. SSL was in the past the de facto protocol used to secure the "connection" between an IB user's browser and the bank's IB servers. The typical argument for continued use of SSL 3.0 is that it supports legacy systems, but inherent deficiencies in SSL led to the development of TLS, which provides a more secure mechanism for browser/server connection establishment. BBG supports both TLS 1.0 (RFC 2246) and TLS 1.2 (RFC 5246), but it also supports the obsolete, deprecated, insecure SSL version 3.0, which can be used to launch attacks on BBG's IB systems.

Another problem I found with BBG's SSL server is that it uses the weak RC4 symmetric encryption algorithm as its preferred algorithm to encrypt the Internet traffic between a user's browser and the bank's IB server, though it supports relatively stronger ciphers in cipher block chaining (CBC) mode such as AES_256_CBC etc. If possible, BBG should discontinue the use of RC4 to minimize the success rates of cyber attacks on its IB servers.

BBG SSL Server Config. Test - Cipher Suites

Lastly, BBG uses RSA key exchange to transport the symmetric session key between a browser and the bank's server, for the purposes of ensuring confidentiality of the data being exchanged between the online banking user and the bank's server. In all fairness, RSA has served the security industry very well over the years, but there comes a time when there is a need to change to stronger, more secure algorithms. BBG should look at the possibility of replacing static RSA key exchange with more secure and robust alternatives such as those that support forward secrecy (e.g. ECDHE_RSA) and so on.
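The three findings above (SSL 3.0 enabled, RC4 preferred, key exchange without forward secrecy) are exactly the kind of thing an FI can check for itself before an external scanner does. The following is an added example written for this post, not code from Barclays or from SSL Labs; the two server profiles are constructed from the description in the text, and the hardened profile is one I assume, not one BBG has published.

```python
"""Offline audit of a TLS server profile for the three weaknesses discussed
above: SSL 3.0 enabled, RC4 preferred, key exchange without forward secrecy."""

OBSOLETE_PROTOCOLS = {"SSL 2.0", "SSL 3.0"}
# Ephemeral (EC)DH key exchange is what gives a suite forward secrecy.
FORWARD_SECRET_KEX = ("TLS_ECDHE_", "TLS_DHE_")
# Constructed profile modelled on the post's description of the 2015 server:
# SSL 3.0 still on, RC4 preferred, static RSA key exchange throughout.
WEAK_PROFILE = {
    "protocols": ["SSL 3.0", "TLS 1.0", "TLS 1.2"],
    "cipher_suites": [  # server-preferred order, first entry is preferred
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
    ],
}
# Constructed hardened profile: TLS 1.2 only, ECDHE_RSA suites, no RC4.
HARDENED_PROFILE = {
    "protocols": ["TLS 1.2"],
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    ],
}

def has_forward_secrecy(suite):
    """True when the suite name starts with an ephemeral key-exchange prefix."""
    return suite.startswith(FORWARD_SECRET_KEX)

def audit(profile):
    """Return a list of findings for the profile; an empty list means clean."""
    findings = []
    obsolete = OBSOLETE_PROTOCOLS & set(profile["protocols"])
    if obsolete:
        findings.append("obsolete protocol enabled: " + ", ".join(sorted(obsolete)))
    suites = profile["cipher_suites"]
    rc4 = [s for s in suites if "_RC4_" in s]
    if rc4:
        rank = "preferred" if suites[0] in rc4 else "supported"
        findings.append(f"RC4 {rank}: " + ", ".join(rc4))
    if not any(has_forward_secrecy(s) for s in suites):
        findings.append("no forward secrecy: every suite uses non-ephemeral key exchange")
    elif not has_forward_secrecy(suites[0]):
        findings.append(f"forward-secret suites offered but {suites[0]} is preferred")
    return findings

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(profile) or ["no findings"])
```

Feeding the protocol and cipher-suite lists from a real scan report into audit() gives the same three findings the post lists for the weak profile and none for the hardened one.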

A packet capture of my online banking traffic with BBG reveals that BBG online banking users have to connect to only one IB server in order to conduct their transactions. This provides significant benefits to IB users in areas with slow or low Internet bandwidth so kudos to BBG in that respect.

BBG session establishment packet capture using Wireshark

Other Banks in GH providing IB services, YOU ARE NEXT!!! I will XPLORE your services like I just did Barclays Bank Ghana! Whether you like it or yes:)!

I wrap up by saying that I hope I have not breached or used BBG's logo, name or data unlawfully, because their terms and conditions don't say anything about unlawful use. In fact they say nothing at all. Hehe. See below.

BBG Terms and Conditions
