by spectre256 4111 days ago
It's dangerously close to a passive-aggressive pitchfork mob, but I propose that many people start tweeting to Greek banks regarding their SSL configurations. The National Greek Bank, for example, scores an F on the SSL Labs Test because they are using TLS 1.0 and are vulnerable to POODLE:

https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr

their twitter account is: https://twitter.com/ibanknbg

EDIT: The most effective outreach will be friendly and respectful, if anyone chooses to do this. Also, all the other major Greek banks score poorly:

Piraeus Bank Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusba... twitter:https://twitter.com/skepsouprasina

Alpha Bank: B https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&... twitter: https://twitter.com/alpha_bank

Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter:https://twitter.com/Eurobank_Group
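For anyone auditing a site they are responsible for, this is an added example (not part of the post above) of what the SSL Labs protocol findings boil down to: pin a client handshake to one protocol version at a time and see which ones the server accepts. `bank.example` and the `probe` hook are assumptions; the hook exists so the assessment logic can be exercised against constructed results without a live host.

```python
import socket
import ssl

# Protocol versions the thread complains about, oldest first.
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def handshake_pinned(host, port, version, timeout=5.0):
    """Attempt one handshake with min and max both pinned to `version`.
    Returns True/False, or None if the local OpenSSL cannot speak it at all
    (typical for SSLv3 today, which is why dedicated scanners exist)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # audit the protocol, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.options &= ~ssl.OP_NO_SSLv3  # default contexts forbid SSLv3 outright
    except (ValueError, ssl.SSLError):
        return None
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # offer legacy suites so old servers can answer
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def survey(host, port=443, probe=handshake_pinned):
    """Map each version name to True/False/None for the given endpoint."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}

def assess(results):
    """Translate a survey into the findings discussed in the thread."""
    findings = []
    if results.get("SSLv3"):
        findings.append("POODLE: SSLv3 still accepted (CBC padding oracle)")
    elif results.get("SSLv3") is None:
        findings.append("UNTESTED: local OpenSSL lacks SSLv3; check POODLE with a scanner")
    newest = [n for n in ("TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3") if results.get(n)]
    if newest and newest[0] in ("TLSv1.0", "SSLv3"):
        findings.append("LEGACY-ONLY: best protocol offered is " + newest[0])
    if not results.get("TLSv1.2"):
        findings.append("NO-TLS1.2: server offers no TLS 1.2")
    return findings

if __name__ == "__main__":
    for line in assess(survey("bank.example")):
        print(line)
```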

5 comments

Let's be crystal-clear: All of these fail PCI compliance, because they have RC4 enabled. These sites have no business processing anything, let alone personal or financial info.

Yes, having RC4 enabled is now an instant PCI compliance fail as it has a die-die-die RFC and as a result NIST changed it, on request, to a CVE grade above a 4.0 - https://tools.ietf.org/html/rfc7465 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-25... - web browsers have already started turning it off.

Yeah. Worse, if RC4 being enabled was the only problem, it would be bad, but somewhat reasonable, as RC4 only recently became known to be weak. But POODLE? FREAK? TLS 1.0? All the other crap? Absolutely incredible.
As an aside, bank websites don't necessarily fall in-scope for PCI.

I worked for a small credit union, and we were beholden to our state auditors, FFIEC guidance, and the like -- but PCI simply wasn't a thing we worried about.

Interesting. I know far, far less about the regulatory side than the practical side. I gather it's focused mainly on merchants, but the card providers themselves founded it?

I'm not sure what I can say except not every bank seems to share that view (although as said in other comments, quite a few banks do indeed have paleolithic systems in unexpected places, and that tends to extend to their security practices - I am not able to name any names, but I can wave in the vague general direction of things which involve VAXen, COBOL and DES-and-I-don't-mean-3DES, all of which thankfully predate me). But I'm not exactly familiar with US banking practices (thankfully): did the credit union just not issue any Visa/Mastercard/etc cards? Huh.

True, but this is because a large number of credit unions don't issue Visa / Mastercard credit cards directly; typically they do it through their banking partners (who are registered as banks as opposed to credit unions who for almost all cases are not banks), if they do it at all.
Yeah, I hope PCI DSS clarifies this matter soon.
For a long time I thought PCI DSS/NVD was the culprit for all RC4 on payment sites, but luckily this was solved, I see they updated the score on 03/12/2015: https://code.google.com/p/chromium/issues/detail?id=375342#c... https://code.google.com/p/chromium/issues/detail?id=375342#c...

I usually complain when some site uses RC4 and I can't access it, but unlike the OP I don't do that via twitter (one reason is that I don't even have an account there).

I've sent 2 emails regarding the use of ONLY RC4 on payment sites in my country, and although such emails aren't always acknowledged they did get fixed after I CC-ed their PCI auditors [1] :)

[1] which you can find publicly on Visa's site at 'PCI DSS validated Member Agent Weblisting' http://www.visaeurope.com/receiving-payments/security/downlo...

It was, part of it. RC4 had a CVE score below 4 (which many interpreted as an issue they could argue around, i.e. "we need to support Windows XP!"), but BEAST had a score above 4 (auto-fail). And what was the (horrible!) recommendation people got when asking how to mitigate BEAST but still let Windows XP connect? That's right: RC4.

That excuse has gone, on two counts. RC4's now thoroughly toast, and Windows XP's unsupported - and now finds itself without any secure ciphers at all.

It's zmap time…

Let's hope that the new RC4 attacks that will hit the news in a few weeks will help also.
Not long now. I think that will mostly depend on whether they give the issues a name and a logo! <g> (Seriously though, that does seem to get people off their arses!)

You might want to get ready to change passwords for sites that have used RC4 in the past. Or, despite as much warning as anyone can give, are inexplicably still using it.

https://twitter.com/ansimionescu/status/576425676036780032

I work in security/privacy/premium snake oil trade. Bank security (and software in general) is _usually_ a joke. The main reason for not fucking with a bank is the same why you wouldn't fuck with casinos, or the mob.

I used to write trading software - had test FIX accounts on live cbot, cme, xetra, Liffe, lme, etc.

Decided to see if I could still log in to any of them about a year ago. Still could on half of them. I left that gig a decade ago.

Oh, and a few of them have no trade limits or risk management.

Boggle.

20+ years ago I had some security discussions with a major exchange in the USA. In the same building were offices of Goldman Sachs and another bank (Morgan or Merrill, don't remember). Anyway there was a single thinnet (10base2 ethernet) that connected them to the exchange. Yep, a quick sniff showed that everyone could see everyone else's traffic.

My contacts were genuinely surprised that this was even possible. But also I was told there would be no contract if I mentioned this to upper management in my report.

There was no contract.

> you wouldn't fuck with casinos, or the mob.

Why wouldn't I, from the other side of the world, from the wifi connection of a coffee shop on the other side of town, bounced through a couple VPNs? It's one thing if I have to walk inside the casino, but the internet isn't like that.

No, that bank on the other side of the world is likely insured by a company in the US. The global financial system is intricately linked, and the bankers and insurance companies effectively run the global economy. Given that, do you think it's really a huge stretch to think that three letter agencies from the US - the ones with documented capabilities to de-anonymize your VPNs if your OpSec is even a little sloppy - might get involved? Jurisdiction wouldn't be an issue if the bank asked them for help.

There are many ways to ensure security: one is technical, and another is investigative. The amount of resources a bank can bring to bear on you if you steal money from them is immense - IMO it's just best not to mess with that shit. It may have been true at one time that you could outsmart the banks and get away with it, but there are just too many smart people watching anymore.

My other personal analysis, from looking at banks in a third world country, is that you can't easily get away with enough to make it worthwhile. Sure, it'd probably be trivial to get money moved around inside the bank's own system. But getting it out from there seems to involve actual competent actors that aren't third world. Getting it out directly from the bank also seemed unlikely, because they manually check things for such low amounts.
The problem is cashing out. Any method of transferring the money to somewhere you can spend it (including Bitcoin) is going to require an identity. Not impossible, but certainly not as easy as Tor.
The article states that the National Bank of Greece was the nice bank, NOT the one harassing him. It was the SECOND one that harassed him.

By listing the nice bank's twitter first, you're going to cause a backlash against the one that actually responded nicely.

You're right, I noticed that in the article. I'll reorder them. They still desperately need to fix their security though.

edit: whoops, looks like I can't edit it any more. bummer

Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter:https://twitter.com/Eurobank_Group

This one is interesting, as it shows IIS 5.0 (Win2000 SChannel) affected by POODLE TLS.

That being said, www.eurobank.gr is just a redirect to http. The actual banking uses https://www.ssllabs.com/ssltest/analyze.html?d=https://ebank...