A comparative study on web security technologies used in Irish and Finnish banks

Abstract

In this study, we collected data from nine domestic Irish bank web sites and nine domestic Finnish bank web sites. Both countries have many similarities in the political, demographic, financial and economic areas. Each of the selected banks represents a typical domestic bank under the control of the respective national central bank. The results of the study could be used as a guide to good and bad practices: because credit institutions employ highly qualified personnel, their decisions are usually based on the best-known practices, in order to minimize risks and at the same time to attract customers. Only two Irish banks and one Finnish bank use the full combination of available HTTP header fields related to web security. The most popular SSL certificate provider in Ireland is DigiCert, with a share of 33% of the bank web sites. The most popular in Finland is Symantec, with a 55% share. The penetration of the newest protocol, HTTP/2, is not significant: only one web site of a Finnish bank supports it.

Publication
P. Petrov, G. Dimitrov and S. Ivanov. A comparative study on web security technologies used in Irish and Finnish banks. International Multidisciplinary Scientific Geoconference SGEM 2018, Vol.18, Iss.2.1, pp.3-10, DOI: 10.5593/sgem2018/2.1/S07.001

Keywords: banks; credit institutions; Ireland; Finland; web site; SSL certificate


INTRODUCTION

In this comparative study we chose banks which are regulated by central banks and come from two European countries, Ireland and Finland. Both countries have a lot of similarities. From a political point of view they are similar: they are members of the EU, but not members of NATO. From a financial point of view, they use the Euro as currency and their governments have high long-term credit ratings from credit rating agencies such as Standard & Poor's, Moody's, Fitch Ratings and so on. Table 1 summarizes some large-scale similarities which are meaningful in the context of the current study. It should be noted that Gross National Income (GNI) represents the total domestic and foreign output of an economy. The GNI per capita, developed by the World Bank, is widely used as an indicator of the overall level of economic development. The ICT Development Index (IDI), developed by the International Telecommunication Union, is an indicator for monitoring overall progress towards a global information society.

Table 1. Some large-scale similarities between Ireland and Finland.

Feature | Ireland | Finland
Political orientation | Members of EU, but not of NATO | Members of EU, but not of NATO
Monetary policy; Currency | Members of eurozone; Euro | Members of eurozone; Euro
Credit ratings [1, 2] | Short-term | Long-term
S&P Global Ratings | A-1 | A+
Moody's Investors Service | P-1 | A2
Fitch Ratings | F1+ | A+
Population [3, 4] | 4.762 million | 5.503 million
GNI per capita (Atlas Method) [5] | 52 560 $ | 44 730 $
International internet bandwidth per Internet user [5] | 183942.62 bit/s | 216391.39 bit/s
Households with computer [5] | 84.09% | 84.54%
Households with Internet access [5] | 87.00% | 84.57%
Individuals using the Internet [5] | 82.17% | 87.70%
IDI 2017 Value [5] | 8.02 | 7.88

Before the comparison, we raise the hypothesis that in such well-developed countries, with a high standard of living and high penetration of information and communication technologies in all areas of life, local banks' web sites should be very well protected with all the available tools of modern web technologies. In these institutions there is no problem with funding, and there are opportunities to use any (including expensive) software. We believe that the web server is more than a key component of a bank's IT infrastructure. It has become an integral part of every aspect of the banks' online business, so security and performance cannot be sacrificed for any reason.


METHODOLOGY AND COMPUTATIONAL DETAILS

In our study the home pages of 10 Irish banks and 9 Finnish banks were inspected during the months of May and October 2017. The main method used in the survey is analysis of the responses given by the web servers. Google Chrome ver. 58 and 59, running on a typical desktop PC with Windows 10 Pro edition x64, was used as the web client, with the "Developer tools" module activated. It should be noted that this module was not intended specifically for this kind of study, but it is a very useful tool in such cases. The inspection was done manually, by expert estimation. Other approaches to the same research could include command line tools such as "curl" or "wget"; in our opinion, using a real web browser is more straightforward. During the study we looked specifically for the fields in the HTTP response that are related to web security.

The list of banks authorized to operate in Ireland was taken from the "Credit Institutions Register" [6] on the Central Bank of Ireland website. The Credit Institutions Register lists 466 institutions, but we selected only domestic ones, as well as European credit institutions authorised in another Member State of the European Economic Area (EEA). Those that operate in the State either on a branch or on a cross-border basis were skipped. We left in the reduced list only banks licensed pursuant to Section 9 of the Central Bank Act, 1971, which are authorized as credit institutions to carry on banking business in the State under Irish legislation. In the next step around half of the institutions were excluded from the study because they lack a separate and actively supported local Irish website. For example, some of the banks offer only their international web sites for online contact with potential Irish customers, e.g. Bank of Montreal Ireland plc, Citibank Europe plc, DZ Bank Ireland plc, Elavon Financial Services Designated Activity Company, JP Morgan Bank (Ireland) plc, Merrill Lynch International Bank Designated Activity Company, Scotiabank (Ireland) Designated Activity Company, Wells Fargo Bank International Unlimited Company. The other banks excluded from the study are credit institutions whose main business is actually not banking services, e.g. Dell Bank International Designated Activity Company and Hewlett-Packard International Bank plc. These companies are based in Ireland but provide financing services only for customers of their IT solutions, i.e. leasing or loans to finance the acquisition of their products. In addition, UniCredit Bank Ireland plc was excluded because it does not operate accounts for individuals and its web site deviates from the other web sites.

Table 2. Reduced list of credit institutions authorised under Irish Legislation to carry on banking business in the State according to Credit Institutions Register, Section 1 (a) [6].

No. | Bank official name as per the register | URL of the home page
1 | Allied Irish Banks plc | https://aib.ie
2 | Barclays Bank Ireland plc | https://www.barclays.ie
3 | DePfa Bank plc | https://www.depfa.com
4 | EBS Designated Activity Company | https://www.ebs.ie
5 | Intesa Sanpaolo Bank Ireland plc | http://www.intesasanpaolobankireland.ie
6 | KBC Bank Ireland plc | https://www.kbc.ie
7 | Permanent tsb plc. | https://www.permanenttsb.ie
8 | The Governor and Company of the Bank of Ireland | https://www.bankofireland.com
9 | Ulster Bank Ireland Designated Activity Company | http://digital.ulsterbank.ie

The list of commercial banks authorized to operate in Finland was taken from the "Supervised entities" [7] page of the Finnish Financial Supervisory Authority (FIN-FSA) website. The list contains 948 supervised entities undertaking operations in the domestic financial market, but we selected only domestic commercial banks (see Table 3). Table 3 does not include branches of foreign credit institutions from EEA countries in Finland, savings banks, limited-liability savings banks, mortgage banks, member cooperative banks (http://www.osuuspankki.fi/), local cooperative banks (http://www.poppankki.fi/) and other financial institutions.

Table 3. Commercial banks supervised by the Finland Financial Supervisory Authority (FIN-FSA) [7].

No. | Bank official name as per the register | URL of the home page
1 | Aktia Bank p.l.c. | http://www.aktia.fi
2 | Bank of Åland Plc | http://www.alandsbanken.fi
3 | Bonum Bank Plc. | http://www.bonumpankki.fi
4 | Central Bank of Savings Banks Finland Plc | http://www.spkeskuspankki.fi
5 | Danske Bank Plc | http://www.danskebank.fi
6 | Evli Bank Plc | http://www.evli.com
7 | OP Corporate Bank plc | http://www.pohjola.fi
8 | S-Bank Ltd | https://www.s-pankki.fi
9 | Suomen Asuntohypopankki Oy | http://www.hypo.fi

Table 3 lists only commercial banks under the supervision of FIN-FSA. It should be noted that "Danske Bank Plc" meanwhile became a branch of its Danish parent company, "Danske Bank A/S", at the end of 2017. Therefore it is no longer on the list, but during our research it was still under the supervision of FIN-FSA and was considered by us a domestic commercial bank.

The summarized results for the studied home pages are presented in several tables (Tables 4 to 9) based on the following key indicators: maximum supported HTTP version, server type and Keep-Alive parameters; the content of various security-related fields in the HTTP response; and the issuer and validity length of the SSL certificate.


EMPIRICAL RESULTS AND DISCUSSION

The numbers in the first column of the following tables correspond to the numbers in the first columns of Tables 2 and 3.

The data in Table 4 show that none of the surveyed Irish banks' web sites use the latest protocol, HTTP/2. All of them use HTTP 1.1 and possibly older versions as well (HTTP 1.0 and HTTP 0.9). The web server settings for the Keep-Alive parameter vary from 5 to 15 seconds of timeout for the opened network connection, with a maximum of 100 served requests. Some of the web servers do not provide this kind of information. When the Keep-Alive header field is used, the network connection stays open for a while (until the timeout expires); in this time many resources can be sent over the already opened connection.

Table 4. Maximum supported HTTP version, Server type and Keep-Alive parameters in observed Irish banks [8].

No. | Maximum supported HTTP version | Server | Keep-Alive Timeout | Keep-Alive Maximum served files
1 | 1.1 | - | 10 | 100
2 | 1.1 | - | 5 | 100
3 | 1.1 | Apache; PHP | 5 | 100
4 | 1.1 | - | 10 | 100
5 | 1.1 | Apache; X-Powered-By: PHP/5.3.3-7+squeeze29 | 15 | 100
6 | 1.1 | Apache; X-AspNet-Version: 4.0.30319 | 5 | 100
7 | 1.1 | Microsoft-IIS/8.5; X-AspNet-Version: 4.0.30319 | - | -
8 | 1.1 | - | - | -
9 | 1.1 | - | 10 | 100000

The data in Table 5 show that only one of the surveyed Finnish web sites uses the latest protocol, HTTP/2. The others use HTTP 1.1 and possibly older versions as well (HTTP 1.0 and HTTP 0.9). The web server setting for the Keep-Alive parameter is used by only two web sites, and both are set to a 5 second timeout for the opened network connection with a maximum of 100 served requests. The rest do not provide this kind of information at all. Using HTTP/2 has many benefits in comparison with HTTP 1.1: faster web page loading, less redundant traffic thanks to the so-called header compression technique, support for Server Push (the server sends files before the browser requests them), prioritisation of some of the data streams, etc.

Table 5. Maximum supported HTTP version, Server type and Keep-Alive parameter in observed Finnish banks.

No. | Maximum supported HTTP version | Server | Keep-Alive Timeout | Keep-Alive Maximum served files
1 | 1.1 | BigIP | - | -
2 | 1.1 | - | - | -
3 | 1.1 | Apache/2.2.3 (CentOS); X-Powered-By: PHP/5.1.6 | - | -
4 | 2 | BigIP; Microsoft-IIS/8.5 | - | -
5 | 1.1 | - | - | -
6 | 1.1 | Apache/2.4.7 (Ubuntu); Apache-Coyote/1.1 | 5 | 100
7 | 1.1 | X-Powered-By: Servlet/2.5 JSP/2.1 | - | -
8 | 1.1 | Microsoft-IIS/8.5 | - | -
9 | 1.1 | Apache/2.4.10 (Debian) PHP/5.6.30-0+deb8u1 OpenSSL/1.0.1t | 5 | 100

One of the web servers (Apache/2.2.3, row 3 of Table 5) is rather old, and many security vulnerabilities in it have been reported and fixed in the meantime. Among the most important are: "Apache HTTP Request Parsing Whitespace Defects", "mod_mime Buffer Overread", "ap_find_token() Buffer Overread", "mod_ssl Null Pointer Dereference", "ap_get_basic_auth_pw() Authentication Bypass" and "Uninitialized memory reflection in mod_auth_digest" [9]. Of course, the main duty of the bank's system administrators is to patch the various systems regularly, but it would be better to upgrade to version 2.4 instead of patching. It should be noted that the information a web server provides about itself may not be real (it could be fabricated). The system administrator can put different settings in the configuration files to create a false impression of the software used, its version, the installed modules or plugins and so on. This practice, a form of "security by obscurity", is not common but could be used in some cases, so the data in Table 5 about the web server software used should not be accepted unreservedly.

The data in Table 6 show that many Irish banks' web sites use security-related fields in the HTTP response. The presence of the "Strict-Transport-Security" field causes a supporting browser to prevent any communication from being sent over HTTP to the specified domain and to send all communication over HTTPS instead [10]. The "X-Frame-Options" field in the response header provides protection against the so-called "Clickjack attack". The parameter "SAMEORIGIN" instructs the browser to render the web page inside a "frame" or "iframe" tag only if the domain of the two pages is the same [11]. "X-XSS-Protection" provides protection against the so-called "Cross-Site Scripting Attack" [12]. The parameter "1; mode=block" instructs the browser to block rendering of the web page if such an attack is detected. Modern web browsers have a built-in cross-site scripting (XSS) filter, and all that must be done is to use this field with the recommended parameter in the response header.
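As an added example (not code from the paper), the following Python function classifies a single HTTP response header set the way Tables 4 to 7 do: it parses the Keep-Alive timeout and maximum, the Server and X-Powered-By fields, and the three security-related fields, and reports whether the "full combination" of Strict-Transport-Security, X-Frame-Options and X-XSS-Protection is present. The sample responses and the one-year max-age threshold used for the "hsts_ok" flag are constructed assumptions, not values taken from the surveyed sites.

```python
import re

ONE_YEAR = 31536000  # assumed policy threshold for a "good" HSTS max-age (seconds)


def parse_hsts(value):
    """Parse Strict-Transport-Security into its RFC 6797 directives (None if absent)."""
    if value is None:
        return None
    out = {"max_age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age" and arg.strip().isdigit():
            out["max_age"] = int(arg.strip())
        elif name == "includesubdomains":  # matches both spellings seen in Table 6
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def parse_keep_alive(value):
    """Return (timeout, max) from a Keep-Alive header such as 'timeout=5, max=100'."""
    if value is None:
        return (None, None)
    params = dict(re.findall(r"(\w+)\s*=\s*(\d+)", value))
    return (int(params["timeout"]) if "timeout" in params else None,
            int(params["max"]) if "max" in params else None)


def audit(headers):
    """Produce one row of Tables 4-7 from a mapping of response header names to values."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = parse_hsts(h.get("strict-transport-security"))
    xfo = h.get("x-frame-options", "").strip().upper() or None
    # normalise "1;mode=block" and "1; mode=block" to one spelling
    xss = re.sub(r"\s*;\s*", "; ", h.get("x-xss-protection", "").strip()) or None
    timeout, maximum = parse_keep_alive(h.get("keep-alive"))
    server_parts = [v for v in (h.get("server"), h.get("x-powered-by")) if v]
    return {
        "server": "; ".join(server_parts) or None,
        "keep_alive_timeout": timeout,
        "keep_alive_max": maximum,
        "hsts": hsts,
        "x_frame_options": xfo,
        "x_xss_protection": xss,
        "full_combination": bool(hsts and xfo and xss),  # all three fields present
        "hsts_ok": bool(hsts and hsts["max_age"] is not None and hsts["max_age"] >= ONE_YEAR),
    }


# Constructed sample responses modelled on rows 3 and 5 of Tables 4 and 6.
SAMPLE_ROW3 = {"Server": "Apache", "X-Powered-By": "PHP", "Keep-Alive": "timeout=5, max=100",
               "Strict-Transport-Security": "max-age=63072000; includeSubdomains;",
               "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}
SAMPLE_ROW5 = {"Server": "Apache", "X-Powered-By": "PHP/5.3.3-7+squeeze29",
               "Keep-Alive": "timeout=15, max=100"}

if __name__ == "__main__":
    for row in (SAMPLE_ROW3, SAMPLE_ROW5):
        print(audit(row))
```

In practice the header mapping would be taken from the browser's Developer tools or from the `-I` output of curl, as the methodology section describes.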

Table 6. The content of various security related fields in the HTTP response provided by Irish banks [8].

No. | Strict-Transport-Security | X-Frame-Options | X-XSS-Protection
1 | - | SAMEORIGIN | -
2 | max-age=31536000; includeSubdomains; preload | SAMEORIGIN | -
3 | max-age=63072000; includeSubdomains; | SAMEORIGIN | 1; mode=block
4 | - | SAMEORIGIN | -
5 | - | - | -
6 | - | SAMEORIGIN | -
7 | - | - | -
8 | max-age=31536000; includeSubDomains | SAMEORIGIN | 1; mode=block
9 | - | SAMEORIGIN | -

The data in Table 7 show that Finnish banks' web sites are better protected than the Irish ones, but still only one bank uses the full range of available tools to protect its home page from various kinds of web threats. Two banks do not use this kind of protection at all, which cannot be considered good practice.

Table 7. The content of various security related fields in the HTTP response provided by Finnish banks.

No. | Strict-Transport-Security | X-Frame-Options | X-XSS-Protection
1 | - | - | 1; mode=block
2 | - | SAMEORIGIN | 1; mode=block
3 | - | - | -
4 | max-age=31536000; includeSubDomains; preload | SAMEORIGIN | 1;mode=block
5 | max-age=157680000 | DENY | -
6 | max-age=157680000; includeSubDomains | - | -
7 | max-age=14400 | DENY | -
8 | max-age=63072000 | - | 1; mode=block
9 | - | - | -

Most of the Irish banks' web sites use a 1-year or 3-month SSL certificate (Table 8). One of them uses an expired SSL certificate, which leads to an error if someone tries to connect through HTTPS.

Table 8. The issuer and validity length of the SSL certificate used by Irish banks.

No. | Issuer | Years
1 | Symantec Class 3 Extended Validation SHA256 SSL CA | 1
2 | Entrust Certification Authority - L1M | 2
3 | Let's Encrypt Authority X3 | ¼
4 | DigiCert SHA2 Extended Validation Server CA | 1
5 | expired certificate | -
6 | DigiCert SHA2 Extended Validation Server CA | 2
7 | DigiCert SHA2 Extended Validation Server CA | 1
8 | QuoVadis Global SSL ICA G2 | 1
9 | Symantec Class 3 Secure Server CA - G4 | 2

The data in Table 9 show that nearly 56% of the web sites use a 1- or 2-year Symantec SSL certificate. One of them does not use HTTPS at all.

Table 9. The issuer and validity length of the SSL certificate used by Finnish banks.

No. | Issuer | Years
1 | Symantec Class 3 EV SSL CA - G3 | 1
2 | DigiCert SHA2 High Assurance Server CA | 2
3 | - (no HTTPS support) | -
4 | Symantec Class 3 Secure Server CA - G4 | 1
5 | GlobalSign Extended Validation CA - SHA256 - G3 | 2
6 | Symantec Class 3 EV SSL CA - G3 | 2
7 | Symantec Class 3 EV SSL CA - G3 | 1
8 | Symantec Class 3 EV SSL CA - G3 | 2
9 | DigiCert SHA2 Extended Validation Server CA | 2


CONCLUSION

This research leads to a few conclusions. First, the penetration of the newest protocol, HTTP/2, is not significant: only one web site of a Finnish bank supports it. More than half of the web sites of Irish banks do not provide information about the name, version and installed modules of the web server used. The number of Finnish web sites that do not provide such information is half as many. We can conclude that Irish banks' system administrators rely more on the principle of "security by obscurity" than the Finnish ones.

Second, as for the use of security-related fields in the HTTP response, we can conclude that nearly half of the banks in both countries force the browser to upgrade the connection to HTTPS. The protection of Irish banks' web sites against the so-called "Clickjack attack" is better than that of the Finnish ones: the number of Finnish web sites that use the X-Frame-Options field is about half as many. On the other hand, the Finnish banks' web sites are better protected against the so-called "Cross-Site Scripting Attack": the number of Irish web sites which use the X-XSS-Protection field is about half as many. Only two Irish banks and one Finnish bank use the full combination of available fields related to web security. Two banks in each of Ireland and Finland do not use any of the aforementioned fields. The rest use combinations of different kinds.

Third, as for the use of SSL certificates, in Ireland there is more diversity, with five SSL certificate providers, while in Finland there are only three. In Ireland the most popular SSL certificate provider is DigiCert, with a 33% share of the web sites. In Finland the most popular is Symantec, with a 55% share. It is interesting that one of the Irish banks uses a free certificate from Let's Encrypt Authority. One bank from each country does not use SSL or has a problem with its certificate. In Ireland the 1-year certificate is preferred, while in Finland the 2-year certificate is.


ACKNOWLEDGMENT

This work was partially supported by the NPI 92017 Project from University of Economics - Varna Science Fund.


REFERENCES

[1] National Treasury Management Agency, Credit Ratings, http://www.ntma.ie/business-areas/funding-and-debt-management/credit-ratings/ (retrieved 20.04.2018)

[2] Republic of Finland Central Government Debt Management, Credit ratings, http://www.treasuryfinland.fi/en-US/Economy_and_credit_ratings/Credit_ratings (retrieved 20.04.2018)

[3] Government of Ireland Central Statistics Office, Census 2016 Summary Results - Part 1, p.8, (retrieved 20.04.2018)

[4] Statistics Finland’s PX-Web databases, http://pxnet2.stat.fi/PXWeb/pxweb/en/StatFin/StatFin__vrm__vamuu/statfin_vamuu_pxt_003.px/ (retrieved 20.04.2018)

[5] International Telecommunication Union, Measuring the Information Society Report 2017 - Volume 1, (retrieved 20.04.2018)

[6] Register of Credit Institutions as at 16 Jun 2017, http://registers.centralbank.ie/DownloadsPage.aspx (retrieved 20.06.2017)

[7] Supervised entities. Service providers supervised by the Financial Supervisory Authority (FIN-FSA), (retrieved 15.10.2017)

[8] Petrov P., Sulov V., Parusheva S., Penchev B., Collins J. Web Technologies Used in the Home Pages of the Irish Banks. 4th International Multidisciplinary Scientific Conference on Social Sciences & Arts SGEM 2017, vol. 5, 2017, pp.1135-1142.

[9] Apache HTTP Server Project. Apache httpd 2.2 vulnerabilities, https://httpd.apache.org/security/vulnerabilities_22.html (retrieved 20.04.2018).

[10] Hodges J., Jackson C., Barth A., HTTP Strict Transport Security (HSTS), 2012, https://tools.ietf.org/rfc/rfc6797.txt (retrieved 20.04.2018)

[11] Ross D., Gondrom T., Stanley T., HTTP Header Field X-Frame-Options, 2013, https://tools.ietf.org/rfc/rfc7034.txt (retrieved 20.04.2018)

[12] Kisa K., Tatli E., Analysis of HTTP Security Headers in Turkey. In: International Journal of Information Security Science, 2016, 5(4), pp.96-105.