Monday, January 11, 2016

Security issue in Mashreq Bank Official Website

DISCLAIMER: THIS IS MY PERSONAL VIEWPOINT. THIS ARTICLE IS NOT INTENDED FOR DECISION MAKING. PLEASE CONSULT YOUR SECURITY ADVISOR OR CONTACT ME IN PERSON FOR DETAILS.

The Mashreq Bank official website looks perfectly fine when you enter the URL http://www.mashreqbank.com or google “Mashreq Bank”.


What’s the problem with Mashreq Bank Official Website?

But is the Mashreq Bank website secure? Not really! 

Security is essential for bank websites. Banks and other sites that handle sensitive information should serve every page over TLS, the successor of SSL (SSL itself is officially deprecated – read more). HTTPS protects the connection against eavesdropping and man-in-the-middle tampering; without it, an attacker on the network path can alter the page or redirect the customer to a phishing site and steal internet banking usernames and passwords.

HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over TLS. It encrypts the traffic, which defeats sniffing, and, as long as the certificate is valid and the user does not click through a browser warning, it authenticates the server, so a man in the middle cannot impersonate the bank or modify the page. It does not by itself stop phishing on a different domain, which is why customers should also check that the address bar shows the bank's own domain.

What happens when you try https://www.mashreqbank.com?


Invalid Certificate Notice

I was curious, so what happens when you click Continue to this website (which is not recommended!)?


Note: Typing the full URL of the website (when you know it) with https:// is the safest way to reach it: the browser then never sends an initial plain-HTTP request that an attacker on the path could intercept or redirect.

What is the Problem (Technically)?

The Mashreq Bank official website (www.mashreqbank.com) presents the wrong SSL/TLS certificate: it was issued for the bank's careers portal (careers.mashreqbank.com). Because the name in the certificate does not match www.mashreqbank.com, the browser reports the certificate as invalid.
Note: Unfortunately, the careers portal itself is also down.

CERTIFICATE PATH




Besides, the certificate's signature algorithm is SHA-1, which is considered weak and is being phased out by browsers; the certificate should be reissued with a SHA-256 signature as soon as possible. Read more about the SHA-1 Sunset.
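As an added example (not code from the original post), here is a small standard-library Python script that performs both checks described above on a certificate: whether the names in the certificate cover the hostname (exact match or a wildcard in the left-most label only, taking DNS subjectAltNames first and the subject commonName only as a fallback), and whether the certificate's signature algorithm OID is SHA-1 based. The DER walk only has to step through the outer three-element Certificate SEQUENCE, so it is done by hand. probe() contacts a live server; sample_cert_der() builds a constructed placeholder with a dummy body, not a real certificate, so the signature-algorithm parser can be exercised offline. The names careers.mashreqbank.com and www.mashreqbank.com come from the post; every function name and the sample data are assumptions of this example.

```python
"""Audit a TLS certificate for a hostname mismatch and a SHA-1 signature.
Added example, not code from the original post. Standard library only."""
import socket
import ssl

# Dotted OIDs of the SHA-1 based signature algorithms to flag
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Dotted OID of the signatureAlgorithm of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)            # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag2, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected structure in signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard in the left-most label only
    (*.example.com matches www.example.com, not example.com or a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def names_in_cert(cert):
    """Names a certificate is valid for, from an ssl.getpeercert()-style dict:
    every DNS subjectAltName, or the subject commonName only when there is no SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    return any(_name_matches(name, hostname) for name in names_in_cert(cert))


def audit(hostname, cert, der):
    """Findings for a certificate (parsed dict plus DER bytes) presented for hostname."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("name mismatch: certificate is for %s, not %s"
                        % (", ".join(names_in_cert(cert)) or "<no DNS name>", hostname))
    oid = signature_algorithm_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        findings.append("weak signature algorithm: " + SHA1_SIGNATURE_OIDS[oid])
    return findings


def probe(hostname, port=443):
    """Live check: a verified handshake first (records the name/chain error, if any),
    then an unverified one to fetch the DER and inspect the signature algorithm."""
    verify_error = None
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=hostname):
                pass
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # deliberate: we want to look at the bad certificate
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            oid = signature_algorithm_oid(tls.getpeercert(binary_form=True))
    return verify_error, SHA1_SIGNATURE_OIDS.get(oid, oid)


def _der(tag, content):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def sample_cert_der(oid_hex):
    """Constructed sample, NOT a real certificate: placeholder tbsCertificate, the given
    AlgorithmIdentifier OID (hex of its DER content bytes) and a 256-byte dummy signature."""
    return _der(0x30, _der(0x30, _der(0x02, b"\x01"))
                + _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
                + _der(0x03, b"\x00" * 257))
```

Usage: audit("www.mashreqbank.com", {"subjectAltName": (("DNS", "careers.mashreqbank.com"),)}, sample_cert_der("2a864886f70d010105")) reports both the name mismatch and the sha1WithRSAEncryption signature; probe("www.mashreqbank.com") does the same against the live server, and the verify_message it returns is the same text Python and OpenSSL use when they reject the handshake. Disabling verification in probe() is only acceptable because the function exists to inspect a certificate that has already failed verification; never reuse that context for real traffic.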




Is my Mashreq Online Banking unsafe? 

No, not really! Net banking itself is served over HTTPS with a valid certificate. The risk lies in the path to it: if you reach net banking by clicking a link on the official website, which is served over plain HTTP, anyone able to tamper with that page (on public Wi-Fi, for example) can change the link to point at a phishing site. Other attacks, such as phishing e-mails and zero-day exploits, are independent of this issue.

Besides, Mashreq Bank is a reputed financial institution, and you can expect the bank's full support in such unfortunate situations.

How am I affected?

The Mashreq Bank official website has a potential security risk, but the Online Banking portal https://netbanking.mashreq.com is served over HTTPS with a valid certificate.


  • Though you cannot do much about the server side, you can protect yourself: avoid using your bank website on public Wi-Fi (cafes, public transport, etc.), secure your home/office Wi-Fi network, and type https://netbanking.mashreq.com directly into the address bar rather than following a link from the HTTP site.


Mashreq Online Banking Portal - Certificates




HTTPS protects the integrity of your website
By Google:
HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.
Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third-parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.
Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML… they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.
--

Hope Mashreq will take action very soon.
Cheers!
Arun Ramachandran

Please reach me or leave your comments in the comment section. I'll get back to you as soon as possible.



SHA-1 Sunset by January, 2017

SHA-1 is a cryptographic hash function that is now considered weak: it was published in 1995, and practical attacks on its collision resistance have been known since 2005. (Time to retire!) All major browser vendors have officially announced that they will stop accepting SHA-1 signed certificates from January 2017.


Why should I migrate from SHA-1 to SHA-2 now?

All server certificates that expire on or after 1 January 2017 and carry a SHA-1-based signature anywhere in the validated chain are shown with the insecure-site icon in Google Chrome (and a similar warning in other major browsers), with text indicating that the site will stop working in future versions of the browser. This can damage the organization's brand and reputation among its customers. (The effect on Google search rankings is unclear at this point, but Google has clearly indicated that HTTPS will be a ranking signal.)



Read more about SHA-1 and Future





Mashreq Bank eStatement does not download with Download Accelerator


If you're a Mashreq Bank customer, you are probably already enjoying a fabulous basket of online banking services. But if you have trouble downloading an e-statement from the Mashreq Internet Banking website in Internet Explorer (tested on IE version 10 and above), the most likely cause is a download accelerator (e.g. Download Accelerator Plus / DAP, Internet Download Manager, etc.). Turn off or disable the download accelerator and the e-statement will download from the Mashreq Internet Banking website.


Download e-statement from Mashreq Internet Banking - Screen Shot
Download Bar - Screen Shot

@Mashreq: Please fix this issue for a better internet banking experience.


FAQs

Q: I am offered a JSP file to download. What is it?
A: JSP stands for JavaServer Pages, a server-side Java technology. The statement page is a JSP on Mashreq's servers that pulls your statement details and returns them in a human-readable format, normally as a PDF document. Being offered the .jsp file itself means the request did not go through the browser's own session as intended, which is the symptom described above when a download accelerator takes over the download.

Q: How to disable the Download Accelerator Plus?
A: Check the system tray for the DAP icon (Yellow thunder icon). Just right-click and select Disable DAP.