Monday, January 11, 2016

Security issue in Mashreq Bank Official Website

DISCLAIMER: THIS IS MY PERSONAL VIEWPOINT. THIS ARTICLE IS NOT INTENDED FOR DECISION MAKING. PLEASE CONSULT YOUR SECURITY ADVISOR OR CONTACT ME IN PERSON FOR DETAILS.

The Mashreq Bank official website looks fine when you type http://www.mashreqbank.com into the address bar or google for “Mashreq Bank”.


What’s the problem with Mashreq Bank Official Website?

But is the Mashreq Bank website secure? Not really! 

Security is essential for a bank website. Banks and other sites that handle sensitive information should serve everything over TLS (its predecessor SSL was formally deprecated in 2015; read more). Such HTTPS communication stops anyone on the network path from reading the traffic or altering it, and it is the ability to alter a plain HTTP page that turns a network attacker into a phisher: a modified login link is enough to steal internet banking usernames and passwords.

HTTPS (HTTP over TLS) protects against sniffing and man-in-the-middle tampering, and it lets the browser confirm that the certificate was issued for the host it is talking to. It does not by itself stop phishing, since a phishing site can carry a perfectly valid certificate of its own; what it does is make the browser's certificate warnings meaningful, and on a bank website such a warning should never be clicked through.

What happens when you try https://www.mashreqbank.com?


Invalid Certificate Notice

I was curious, so what happens when you hit Continue to this website (which is not recommended)?


Note: Typing the full address of a website with https:// (when you know it), or opening it from a bookmark saved that way, is the safest way to reach it: you never load the plain-http page that could be tampered with on the way.

What is the Problem (Technically)?

The server at www.mashreqbank.com presents a certificate that was issued to the bank’s careers portal (careers.mashreqbank.com). The name in the certificate does not match the host the browser asked for, so the browser reports the certificate as invalid. In practice this usually means the HTTPS binding on the web server is mapped to the wrong certificate.
Note: Unfortunately, the careers portal itself is also down.

CERTIFICATE PATH




Besides, the certificate’s signature algorithm is SHA-1, which is weak and should be replaced with a SHA-256 signature as soon as possible. Read more about the SHA-1 Sunset.
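To make the two findings above (a certificate issued for a different host name, and a SHA-1 signature) checkable on any site, here is an added example, not code from the original post or from the bank: a standard-library Python script that matches a host name against the names in a certificate the way a browser does, pulls the signature-algorithm OID out of the certificate’s DER encoding, and reports both. The sample certificate dictionary and DER bytes at the bottom are constructed to mirror the situation described here; they are not the bank’s real certificate. Run it with a host name argument to check a live server (that part needs network access).

```python
"""Added example (not the post's code): flag a certificate that does not cover the
host you connected to, and a SHA-1 signature, using only the standard library."""
import socket, ssl, sys, time

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758); unknown ones are reported raw.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def hostname_matches(cert, hostname):
    """RFC 6125-style match against the dict ssl.getpeercert() returns: subjectAltName
    dNSName entries, falling back to the subject CN only if there are none."""
    host = hostname.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            # A wildcard covers exactly one left-most label and never the bare domain.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def _der_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Dotted form of DER OID content octets (sufficient for the OIDs in SIG_OIDS)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _der_tlv(der, 0)
    _, _, tbs_end = _der_tlv(der, start)                 # skip tbsCertificate
    alg_tag, alg_start, _ = _der_tlv(der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = _der_tlv(der, alg_start)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def check_certificate(cert, hostname, der=None, now=None):
    """Findings for one server certificate; an empty list means nothing to report."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("name mismatch: certificate does not cover " + hostname)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < (now or time.time()):
        findings.append("expired on " + cert["notAfter"])
    if der is not None:
        alg = signature_algorithm(der)
        if "sha1" in alg.lower():
            findings.append("weak signature algorithm: " + alg)
    return findings

def fetch_peer_cert(host, port=443, timeout=10):
    """Return (cert_dict, der) from a live handshake. Chain validation stays on but the
    hostname check is off, so a mis-deployed certificate gets inspected instead of just
    failing the handshake. Network call; the offline sample below does not use it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def _der(tag, content):                 # short-form DER encoder, only for the constructed sample
    return bytes([tag, len(content)]) + content

# Constructed sample of the situation in the post: a certificate for the careers portal
# served on www.mashreqbank.com. It is not the bank's real certificate.
CAREERS_CERT = {
    "subject": ((("countryName", "AE"),), (("commonName", "careers.mashreqbank.com"),)),
    "subjectAltName": (("DNS", "careers.mashreqbank.com"),),
    "notAfter": "Dec 31 23:59:59 2016 GMT",
}
# Constructed stand-in for its DER encoding: empty tbsCertificate, sha1WithRSAEncryption
# AlgorithmIdentifier, empty signature. Only the outer structure matters to signature_algorithm().
FAKE_SHA1_DER = _der(0x30, _der(0x30, b"")
                     + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))
                     + _der(0x03, b"\x00"))

if __name__ == "__main__":              # python check_cert.py www.example.com, or no argument for the sample
    host = sys.argv[1] if len(sys.argv) > 1 else "www.mashreqbank.com"
    cert, der = fetch_peer_cert(host) if len(sys.argv) > 1 else (CAREERS_CERT, FAKE_SHA1_DER)
    for line in check_certificate(cert, host, der) or ["no findings"]:
        print(line)
```

Browsers of the day still fell back to the subject CN when a certificate had no subjectAltName; current browsers ignore the CN entirely, so a certificate that carries only a CN fails their name check even when the CN is right. The signature check is the same test the SHA-1 Sunset post below is about.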




Is my Mashreq Online Banking unsafe? 

No, not really. Net Banking itself is served correctly over HTTPS. The risk is in getting there: the official website is plain HTTP, so anyone who can tamper with it on the way (a public hotspot, a compromised ISP) can rewrite the Net Banking link to point at a phishing site, and a user who has already learned to click through certificate warnings on the official site will not notice. Going directly to the Net Banking address avoids that path.

Besides, Mashreq Bank is a reputable financial institution; you can expect good support from the bank in such an unfortunate situation.

How am I affected?

The Mashreq Bank official website has a potential security risk, but the Online Banking portal https://netbanking.mashreq.com is served with a valid certificate and a sound configuration.


  • Though you cannot do anything about the server side, you can protect yourself: avoid using your bank website on public wifi in cafes, public transport and the like, secure your home and office wifi networks, and bookmark https://netbanking.mashreq.com so you open it from the bookmark rather than through a link on the HTTP site.


Mashreq Online Banking Portal - Certificates




HTTPS protects the integrity of your website
By Google:
HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.
Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third-parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.
Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML… they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.
--

Hope Mashreq will take action very soon.
Cheers!
Arun Ramachandran

Please reach me or leave your comments in the comment section. I'll get back to you as soon as possible.

SHA-1 Sunset by January, 2017

SHA-1 is a weakened cryptographic hash function: it dates from 1995 and attacks on it have been published since 2005. (Time to retire!) All major web browsers have officially announced that they will stop accepting SHA-1 certificates from January 2017.


Why I should migrate from SHA-1 to SHA-2 now?

All server certificates that expire on or after 1 January 2017 and carry a SHA-1 signature anywhere in the validated chain are shown with the insecure-site icon in Google Chrome, and with similar warnings in other major browsers, along with text saying that the site will stop working in future versions. That can damage the organisation’s brand and its customers’ trust. (The effect on Google search ranking is unclear at this point, but Google has said clearly that HTTPS is a ranking signal.)



Read more about SHA-1 and Future





Mashreq Bank eStatement does not download with Download Accelerator


If you are a Mashreq Bank customer you are probably already enjoying a fabulous basket of online banking services. But if you have trouble downloading an e-statement from the Mashreq Internet Banking website and you are using Internet Explorer (tested on IE 10 and above), the most likely cause is an internet download accelerator (for example Download Accelerator Plus / DAP or Internet Download Manager). Turn off or disable the download acceleration and download the e-statement again.


Download e-statement from Mashreq Internet Banking - Screen Shot
Download Bar - Screen Shot

@Mashreq: Please fix this issue for a better internet banking experience.


FAQs

Q: I am offered a JSP file to download. What is it?
A: JSP stands for JavaServer Pages. The .jsp you are offered is the server-side page that builds your statement from the Mashreq servers and returns it in a readable form, normally as a PDF. A likely reason for being handed the page instead of the PDF is that the download accelerator fetches the address in its own connections, outside the browser’s logged-in session, so the server does not return the statement.

Q: How to disable the Download Accelerator Plus?
A: Check the system tray for the DAP icon (Yellow thunder icon). Just right-click and select Disable DAP.

Friday, March 20, 2015

Solved: Windows 8.1 Screen Brightness Adjustment Issue

I tend to work late nights on my laptop, and my kid won't let me leave the bedroom. The bright screen disturbs my wife and kid, so today I decided to resolve the screen brightness issue on my laptop at any cost.

The automatic brightness adjustment worked very well after I had my laptop serviced, which included a reload of the operating system. Recently I noticed that auto brightness no longer worked and I could not adjust the screen brightness manually either.

I discovered that the issue was a Monitor driver installed by TeamViewer GmbH. TeamViewer is a remote desktop control program, one of the most popular in its category. I resolved the issue by rolling the monitor driver back to the default Generic PnP Monitor driver.

Steps to roll back the monitor driver:
My OS: Windows 8.1 64-bit (the procedure should be the same on other versions of Windows)

  1. Open Windows Device Manager (Open Windows Run Command (Windows Key + R); Type devmgmt.msc and hit ENTER)
  2. Find Monitors in the device list and expand if there are more than one Monitors listed
  3. Right-click on the Standard Monitor item and select Properties
  4. On the Properties panel, navigate to Driver tab and select Roll Back Driver (Alt + R)
  5. When prompted to confirm, hit Yes. That's it!

The screen may flicker for a few times. As soon as the driver is rolled back, the brightness control will be back! Hope night owls and their families will be happy again!

DISCLAIMER: The procedure above is based on my personal experience and comes without any guarantee. Use it at your own risk.

Sunday, January 04, 2015

Solved: Facebook App throws error: HTTP verb used to access this page is not allowed

Problem:
"HTTP verb used to access this page is not allowed"

Solution:
If you get the above error on your Facebook App page, you are probably pointing the app at a static HTML page on your server. Facebook loads a canvas page with an HTTP POST (that is how it delivers the signed_request), and the IIS static file handler accepts only GET and HEAD, so the POST is refused with this error. Rename the page to a server-side extension (.aspx / .php) so that a handler which accepts POST serves it.

How to force redirect all HTTP requests to HTTPS in IIS through Web.Config setting?

A Web.config setting that redirects every http request to https, keeping all query string parameters, for IIS 7.5 / 8.0 on Windows Server.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Notes:

  1. The rule works on any host with the IIS URL Rewrite module installed, including shared hosting where web.config is all you control
  2. Ensure your https URL is functioning properly before enabling the rule, otherwise every visitor is sent to a broken page
  3. {REQUEST_URI} already carries the query string, which is why appendQueryString is "false"; leaving it "true" would duplicate the parameters
  4. The <clear /> element discards any rewrite rules inherited from parent configuration files; remove it if you rely on them
  5. Behind a load balancer that terminates TLS, {HTTPS} is "off" for every request and the rule loops; condition on {HTTP_X_FORWARDED_PROTO} instead
  6. Once everything is on https, add a Strict-Transport-Security header so returning browsers never make the plain-http request at all
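A way to confirm the rule behaves as intended (permanent redirect, https, same host, same path, same query string) from outside the server, as an added example that is not part of the original post: evaluate_redirect() judges one response and probe() fetches a live one without following it. The sample responses are constructed, not captured from any real server, and the example.com host names are placeholders.

```python
"""Added example (not the post's code): verify that a plain-HTTP URL is answered the way
the rewrite rule above intends, with evaluate_redirect() as the pure check and probe()
as the network request."""
import http.client
from urllib.parse import urlsplit

def evaluate_redirect(request_url, status, location):
    """Findings for one response to a plain-http GET; an empty list means the redirect is right."""
    findings = []
    req = urlsplit(request_url)
    if status not in (301, 308):
        findings.append(f"status {status}, expected 301 (308 if POST bodies must survive)")
    if not location:
        findings.append("no Location header")
        return findings
    loc = urlsplit(location)
    if loc.scheme != "https":
        findings.append("Location is not https: " + location)
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        findings.append(f"host changed from {req.hostname} to {loc.hostname}")
    if (loc.path or "/") != (req.path or "/"):
        findings.append(f"path changed from {req.path!r} to {loc.path!r}")
    if loc.query != req.query:
        findings.append(f"query string lost or altered: {req.query!r} -> {loc.query!r}")
    return findings

def probe(url, timeout=10):
    """GET the URL over plain HTTP without following redirects and evaluate the answer.
    Network call; the offline run below uses the constructed SAMPLES instead."""
    req = urlsplit(url)
    target = (req.path or "/") + ("?" + req.query if req.query else "")
    conn = http.client.HTTPConnection(req.hostname, req.port or 80, timeout=timeout)
    try:
        conn.request("GET", target)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        return resp.status, location, evaluate_redirect(url, resp.status, location)
    finally:
        conn.close()

# Constructed responses (placeholder host), not captured from any real server:
# a correct redirect, a temporary one that drops the query string, and an http-to-http loop.
SAMPLES = [
    ("http://www.example.com/login.aspx?ret=1", 301, "https://www.example.com/login.aspx?ret=1"),
    ("http://www.example.com/login.aspx?ret=1", 302, "https://www.example.com/login.aspx"),
    ("http://www.example.com/", 301, "http://www.example.com/"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # python check_redirect.py http://www.example.com/page?x=1
        print(probe(sys.argv[1]))
    for url, status, location in SAMPLES:
        print(url, "->", evaluate_redirect(url, status, location) or ["ok"])
```

Run probe() against each entry point of the site, not just the home page, since a rule scoped to a sub-application or shadowed by an inherited rule only shows up on the paths it misses.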