Xploring Internet Banking in Ghana: Spotlight on Barclays Bank Ghana Ltd. (published 2015-07-08)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Internet banking (IB), the act of customers of financial institutions conducting financial transactions over the Internet using PCs or mobile devices, has become prevalent in all parts of the world. Developed and developing nations have all taken to IB, and the Republic of Ghana, a country of which I am a "proud?" citizen, has not been left out.</div>
<div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Ghana currently boasts over twenty registered financial institutions (FIs), including Barclays Bank Ghana Ltd, Ecobank, Cal Bank, GT Bank, Access Bank, Fidelity Bank, Ghana Commercial Bank and so on, the majority of which provide varying degrees of IB services.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Today, I seek to put the spotlight on the IB service provided by Barclays Bank Ghana (BBG) Ltd, one of the banks in Ghana of which I am a customer and whose IB service I use pretty much on a daily basis. I must admit I am not a <i><b>"Prestige"</b></i> account holder, which in Barclays' own words <i>"<b>comes with preferential treatment for services and a little more besides</b>"</i>, so I find the IB service a convenient way to avoid the hurly-burly of joining long queues in the banking halls to conduct financial transactions, and especially when I am abroad, it is the surest way to get money across to family and friends who need some cash.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Let me put it on record that I have extensive IB experience spanning well over 10 years, with subscriptions in Europe, North America, Asia and Africa, so I quite understand the nitty-gritty of using an IB service.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
In this xploration, I will look at issues relating to <b>Access </b>(both mobile and PC, with particular emphasis on PC),<b> Availability*</b> (24/7/365), and <b>Security</b> (SSL configuration issues). In the future I could xplore issues relating to <b>Performance</b> (load time of the online banking web portal and related issues) and <b>Aesthetics</b> (look and feel) :). Ready for this? Let's go!!</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<b>Access</b></div>
<div style="text-align: justify;">
<b><br /></b></div>
</div>
<div>
<div style="text-align: justify;">
The landing page for Barclays Ghana's Internet banking service is at <a href="http://gh.barclays.com/">http://gh.barclays.com/</a>. Upon entering this URL in your browser, this is the page you see (shown below).</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3DXENagaJ55Ov7vuiOd3vTgXg9KD21gaf3bEsqMVP2ozpCM8b-KKfGqmMGz8gXi8CAyaeJc2emJBzubNYuvHv0mt-Tk7pyKCHQNwOtAMBsovQRKZ_1o5EUfKCe-fezqmEasv3Vzu7ZKsT/s1600/barclays.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="349" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3DXENagaJ55Ov7vuiOd3vTgXg9KD21gaf3bEsqMVP2ozpCM8b-KKfGqmMGz8gXi8CAyaeJc2emJBzubNYuvHv0mt-Tk7pyKCHQNwOtAMBsovQRKZ_1o5EUfKCe-fezqmEasv3Vzu7ZKsT/s1600/barclays.jpg" width="640" /></a></div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Noticed the red rectangle at the top-right corner? That's where you go to start your BBG IB stuff (NB: I put the red rectangle there just to highlight the "Login" button, it's not there by default). Simply click on the "Login" button and a login page opens in a new window for you to enter your IB login credentials. As simple as that!</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
BBG online banking transactions can be carried out on PCs using any of the major browsers on the market without restriction, unlike countries such as South Korea where online banking is tied to specific browser technologies. BBG also provides a downloadable mobile app for both Android and iOS, the two major mobile OSs, so it's all good and well. Looking not at the security mechanisms used for IB user identification, authentication and authorization, but rather at the ease of use of the available means of access (PC and mobile) provided by BBG, I would give BBG an "A" grade on Access. It is that easy and flexible.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Availability*</b></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
I put an asterisk after Availability to denote that although most online banking service providers strive to provide a 24 hours a day, 7 days a week, 365 days a year service, in order to ensure customer satisfaction and guarantee the security of customers' personal data, online banking sites may be unavailable at certain times of the day (usually at non-peak banking hours [but not on a daily basis], or as the financial institution may deem appropriate) for planned or scheduled maintenance. Where there is planned maintenance, the FI is sure to inform its customers, either through information on its website, via email, text messaging (SMS) or any other appropriate medium it chooses.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
That unfortunately is not the case for BBG. BBG's Internet banking service appears to have a daily maintenance or downtime period of varying length (usually between 00:00 GMT and 06:00 GMT), and this often happens without prior notice to customers. Perhaps it is assumed that all or the majority of BBG's online banking users physically reside in Ghana at all material times, are asleep during the downtime period above and so are not expected to undertake online transactions within it. If that is the assumption, then it is completely erroneous and must be fixed ASAP. There are BBG online banking customers (including myself) across all the continents of the world in different time zones who access BBG's online banking services at different times of the day.</div>
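The downtime pattern described above is something a customer (or the bank's own operations team) can measure rather than argue about. The script below is an added example, not code from the post or from Barclays: it takes a day of hourly reachability probes (constructed here, with an outage from 00:00 to 06:00 GMT and a second one at 14:00, not the post's actual screenshots), collapses failed probes into downtime windows, reports the availability percentage, and flags any window that falls outside the 00:00-06:00 GMT period the post observed. The probe layout and the quiet-hour boundaries are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# The 00:00-06:00 GMT window in which the post observed the BBG downtime (assumed boundaries).
QUIET_START_HOUR, QUIET_END_HOUR = 0, 6

# Constructed hourly probe results for one day: (UTC timestamp, login page reachable?).
# Illustrative values only: down from 00:00 to 06:00 and again for one hour at 14:00.
_DAY = datetime(2015, 7, 8, tzinfo=timezone.utc)
PROBES = [(_DAY + timedelta(hours=h), not (h < 6 or h == 14)) for h in range(24)]


def availability_pct(probes):
    """Percentage of probes that found the service reachable."""
    return 100.0 * sum(1 for _, up in probes if up) / len(probes)


def downtime_windows(probes):
    """Collapse runs of failed probes into (first_failure, first_recovery) pairs.
    A run still open at the end of the data is closed at the last probe time."""
    ordered = sorted(probes)
    windows, start = [], None
    for ts, up in ordered:
        if not up and start is None:
            start = ts
        elif up and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, ordered[-1][0]))
    return windows


def within_quiet_hours(start, end):
    """True when a downtime window lies entirely inside the 00:00-06:00 GMT window
    on a single day, i.e. matches the pattern the post describes."""
    if start.date() != end.date():
        return False
    start_min = start.hour * 60 + start.minute
    end_min = end.hour * 60 + end.minute
    return QUIET_START_HOUR * 60 <= start_min and end_min <= QUIET_END_HOUR * 60


def summarize(probes):
    """Availability figure plus the count of outages a customer in another time zone
    would hit outside the supposed maintenance window."""
    windows = downtime_windows(probes)
    return {
        "availability_pct": round(availability_pct(probes), 2),
        "windows": [(s.isoformat(), e.isoformat()) for s, e in windows],
        "outside_quiet_hours": sum(1 for s, e in windows if not within_quiet_hours(s, e)),
    }


if __name__ == "__main__":
    print(summarize(PROBES))
```

Feeding real probe results (one HTTP GET of the login page per interval, logged with its UTC timestamp) into `summarize` gives the bank a number to publish and the customer a record to complain with; anything counted in `outside_quiet_hours` is an outage that no maintenance-window explanation covers.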
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In this present day of massive Internet and smart device proliferation all over the world, customers cannot and will not accept anything less than a ubiquitous, seamless, uninterrupted service, whenever, wherever and however!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I include the following screenshots taken on different days and times to buttress my "downtime" point above. Note the red rectangles at the bottom-right corners in the shots for the downtime dates and times.<br />
<br />
<b>Downtime Day 1</b></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFIObvKSdiGhNtl_xxa6NxTFLguT_ssQNkQ6Q_sCdIcpwJFXQQEMQvU5PHGag6qtk09OJ558sdo2QgCUrk7vgG2Cxx49Qswcz_6DsCHYf097tu_mYnK0_v4qPztLWqlFMNv-CnVGI4dKoj/s1600/day1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFIObvKSdiGhNtl_xxa6NxTFLguT_ssQNkQ6Q_sCdIcpwJFXQQEMQvU5PHGag6qtk09OJ558sdo2QgCUrk7vgG2Cxx49Qswcz_6DsCHYf097tu_mYnK0_v4qPztLWqlFMNv-CnVGI4dKoj/s1600/day1.jpg" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Downtime Day 2</b></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiSTP0HMvWQwtyP7MBsdY0zAaw2TU3zKcTPNJYqxCCFOf4TfZroL_xsPUiuqoZe_o0vpzWSZgC9TVyeZ0bUFuJ5ltC8kIfRPGbaRyAPCJziuVUSqfWB3YbJQ77EuZ_gchkejW3XQXo1G57/s1600/down2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiSTP0HMvWQwtyP7MBsdY0zAaw2TU3zKcTPNJYqxCCFOf4TfZroL_xsPUiuqoZe_o0vpzWSZgC9TVyeZ0bUFuJ5ltC8kIfRPGbaRyAPCJziuVUSqfWB3YbJQ77EuZ_gchkejW3XQXo1G57/s640/down2.jpg" width="640" /></a></div>
<b><br /></b></div>
<div style="text-align: justify;">
<b>Downtime Day 3</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoskC2e0FTO0GZbKkQjBF5ApX9hL6kO_euZuhjmwzEJgQCgSaSTJrY-aWuNWLCA_y4IkRRQeruvEvsZ_smsk8goctzZcxkZPIizqzWCQAsyk0YzwpPLESxaLDnBoPuQuRyb0C6NXAxEWwg/s1600/down3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoskC2e0FTO0GZbKkQjBF5ApX9hL6kO_euZuhjmwzEJgQCgSaSTJrY-aWuNWLCA_y4IkRRQeruvEvsZ_smsk8goctzZcxkZPIizqzWCQAsyk0YzwpPLESxaLDnBoPuQuRyb0C6NXAxEWwg/s640/down3.jpg" width="640" /></a></div>
<b><br /></b></div>
<div style="text-align: justify;">
For the Availability attribute, I give Barclays Ghana a grade C. We need an always-on service, please!</div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<b>Security</b><br />
<b><br /></b>
BBG, in comparison with several local and international FIs offering online banking services, does pretty well in terms of the security of its Internet banking servers [according to a study by me]. An analysis of BBG's SSL server configuration settings using the world's number one open-source SSL server configuration test tool, "SSL Labs", developed, managed and maintained by Qualys Inc., gives BBG's SSL servers a "C" grade. The "C" grade, while not too alarming, reveals significant details about BBG's Internet banking service requiring urgent improvement.<br />
<br />
<b>BBG SSL Server Config. Test - Overall rating</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3fRfES2W4-t7vDu_2Vg1eSkm5C4EoDv6Ap7GPa4KJrjfcbNpOylrWnjCeHLJ87MI8R28QjVV4CocZvkTqohr6agVsvUXflvQwXYcwsf7DG0lbB-3XzTWKUhR_2yGsz1SBYz2hY2Tzw9GW/s1600/ssl3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="536" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3fRfES2W4-t7vDu_2Vg1eSkm5C4EoDv6Ap7GPa4KJrjfcbNpOylrWnjCeHLJ87MI8R28QjVV4CocZvkTqohr6agVsvUXflvQwXYcwsf7DG0lbB-3XzTWKUhR_2yGsz1SBYz2hY2Tzw9GW/s640/ssl3.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Of particular importance is the need for BBG to discontinue support for the obsolete SSL 3.0 (RFC 6101) protocol in order to protect its IB customers from attacks such as POODLE and BEAST. SSL was in the past the de facto protocol used to secure the "connection" between an IB user's browser and the bank's IB servers. The typical argument for continued use of SSL 3.0 is that it supports legacy systems, but inherent deficiencies in SSL led to the development of TLS, which provides a more secure mechanism for establishing the browser/server connection. BBG supports both TLS 1.0 (RFC 2246) and TLS 1.2 (RFC 5246), but it also supports the obsolete, deprecated, insecure SSL version 3.0, which can be used to launch attacks on BBG's IB systems.<br />
<br />
Another problem I found with BBG's SSL server is that it uses the weak RC4 stream cipher as its preferred algorithm to encrypt the Internet traffic between a user's browser and the bank's IB server, even though it also supports relatively stronger AES suites in cipher block chaining (CBC) mode, such as AES_256_CBC. If possible, BBG should discontinue the use of RC4 to reduce the success rate of attacks on its IB servers.<br />
<br />
<b>BBG SSL Server Config. Test - Cipher Suites</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLhJaTJL6bT4Owz5ogcOhyYkikNUBEpUqReU6Eaq0ByXStR-vdAbvhI6VvFeTbcPHeq1AGMZ-PZdbKBiJp6GBIgsJs1y2A2NbpSFSuHWdq6aUJk0DSb6QKScS2bhA2tF6vRFiJ0n6jqAC/s1600/alg.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLhJaTJL6bT4Owz5ogcOhyYkikNUBEpUqReU6Eaq0ByXStR-vdAbvhI6VvFeTbcPHeq1AGMZ-PZdbKBiJp6GBIgsJs1y2A2NbpSFSuHWdq6aUJk0DSb6QKScS2bhA2tF6vRFiJ0n6jqAC/s640/alg.jpg" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Lastly, BBG uses RSA key exchange to establish the symmetric session key between a browser and the bank's server, for the purpose of ensuring the confidentiality of the data exchanged between the online banking user and the bank's server. In all fairness, RSA has served the security industry very well over the years, but there comes a time when there is a need to change to stronger, more secure algorithms. BBG should look at the possibility of replacing RSA key exchange with more secure and robust options such as those that provide forward secrecy (e.g. ECDHE_RSA).<br />
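The three findings above (SSL 3.0 still enabled, RC4 preferred, RSA key transport with no forward secrecy) can be checked mechanically against a scan result and fixed in one server-side TLS context. The code below is an added example, not code from the post, from Qualys or from Barclays: `OBSERVED_CONFIG` is a constructed summary mirroring what the SSL Labs screenshots report, in a dict layout that is this example's own assumption rather than SSL Labs' output format; `audit` produces the same three findings; and `hardened_server_context` builds a Python `ssl.SSLContext` with TLS 1.2 as the floor, ECDHE-only suites and RC4 excluded, whose properties `hardened_context_summary` reports without any network access.

```python
import ssl

# Constructed summary of what the post's SSL Labs screenshots report for the BBG
# server. The dict layout is an assumption for this example, not SSL Labs' format.
OBSERVED_CONFIG = {
    "protocols": ["SSL 3.0", "TLS 1.0", "TLS 1.2"],
    # Listed in server-preferred order, which is why RC4 first is a finding.
    "cipher_suites": [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ],
}

# Key-exchange families that give forward secrecy (ephemeral keys per session).
FORWARD_SECRET_KX = ("ECDHE", "DHE")


def key_exchange(suite):
    """Key-exchange family of an IANA suite name: 'TLS_ECDHE_RSA_WITH_...' -> 'ECDHE'."""
    body = suite[4:] if suite.startswith("TLS_") else suite
    return body.split("_WITH_")[0].split("_")[0]


def audit(config):
    """Return the findings the post raises, in the order it raises them."""
    findings = []
    for proto in config["protocols"]:
        if proto.startswith("SSL"):
            findings.append(f"obsolete protocol enabled: {proto}")
    suites = config["cipher_suites"]
    if suites and "RC4" in suites[0]:
        findings.append("RC4 is the server-preferred cipher")
    elif any("RC4" in s for s in suites):
        findings.append("RC4 still offered")
    if not any(key_exchange(s) in FORWARD_SECRET_KX for s in suites):
        findings.append("no forward-secret key exchange (ECDHE/DHE) offered")
    return findings


def hardened_server_context():
    """Server-side context that fixes all three findings: TLS 1.2 as the minimum
    (so SSL 3.0 and TLS 1.0 are off), ECDHE AEAD suites only, RC4 excluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!RC4:!aNULL:!MD5")
    return ctx


def hardened_context_summary():
    """Properties of the hardened context, checkable offline. TLS 1.3 suites carry
    no key-exchange name but are always forward secret, so they pass as well."""
    ctx = hardened_server_context()
    ciphers = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,
        "offers_rc4": any("RC4" in c["name"] for c in ciphers),
        "all_forward_secret": all(
            c["name"].startswith("ECDHE") or c["protocol"] == "TLSv1.3" for c in ciphers
        ),
    }


if __name__ == "__main__":
    for line in audit(OBSERVED_CONFIG):
        print("FINDING:", line)
    print(hardened_context_summary())
```

Run against the constructed configuration, `audit` reports all three findings; against a configuration offering only TLS 1.2 with an ECDHE_RSA AES-GCM suite it reports none, which is the state the post asks BBG to reach. The same cipher-string and minimum-version settings translate directly to a web server's TLS directives.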
<br />
A packet capture of my online banking traffic with BBG reveals that BBG online banking users connect to only one IB server in order to conduct their transactions. This provides significant benefits to IB users in areas with slow or low Internet bandwidth, so kudos to BBG in that respect.<br />
<br />
<b>BBG session establishment packet capture using Wireshark</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiag63Idlg4OK-Vt-6iP_-eWvFDyhMFNOb0RDGdyoix_LLy9lNJpMZfkneOeW-6PUup9N3HieM9rKuJFP0wcJM7Xj1k7hGb4VJmhIrNLOJgQlDKygNAkXFWN0wvLoBHXPvM5Up3nDOlkgJA/s1600/pcap.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiag63Idlg4OK-Vt-6iP_-eWvFDyhMFNOb0RDGdyoix_LLy9lNJpMZfkneOeW-6PUup9N3HieM9rKuJFP0wcJM7Xj1k7hGb4VJmhIrNLOJgQlDKygNAkXFWN0wvLoBHXPvM5Up3nDOlkgJA/s640/pcap.jpg" width="640" /></a></div>
<br />
<br />
Other Banks in GH providing IB services, YOU ARE NEXT!!! I will XPLORE your services like I just did Barclays Bank Ghana! Whether you like it or yes:)!<br />
<br />
I wrap up by saying that I hope I have not breached or used BBG's logo, name or data unlawfully, because their terms and conditions don't say anything about unlawful use. In fact they say nothing at all. Hehe. See below.<br />
<br />
<b>BBG Terms and Conditions</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqpCzfssxah4OWHDpoCrjXW0sHb9thpXY8zi6fRIXa3KalFZijZUGM94tRCQJlB0eDfFGyV23Ju6uG1mcgGlwXYiBUWTVYdcbbVuG8jPnOFjr_NUf1xu42KEOdzzVu-llaZj_9lbcSKj8B/s1600/toc.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqpCzfssxah4OWHDpoCrjXW0sHb9thpXY8zi6fRIXa3KalFZijZUGM94tRCQJlB0eDfFGyV23Ju6uG1mcgGlwXYiBUWTVYdcbbVuG8jPnOFjr_NUf1xu42KEOdzzVu-llaZj_9lbcSKj8B/s640/toc.jpg" width="640" /></a></div>
<br /></div>
</div>
</div>
</div>