Monday, January 11, 2016

Security issue in Mashreq Bank Official Website

DISCLAIMER: IT’S MY PERSONAL VIEWPOINT. THIS ARTICLE IS NOT INTENDED FOR DECISION MAKING. PLEASE CONSULT YOUR SECURITY ADVISOR OR CONTACT ME IN PERSON FOR DETAILS.

The Mashreq Bank official website may look perfect when you enter the URL http://www.mashreqbank.com or google “Mashreq Bank”.


What’s the problem with Mashreq Bank Official Website?

But is the Mashreq Bank website secure? Not really! 

Security is essential for bank websites. Banks and other websites that handle sensitive information are strongly advised to transfer data over a secure layer called TLS (SSL was officially deprecated – read more). HTTPS communication of this kind prevents eavesdropping and man-in-the-middle attacks, which can otherwise lead to phishing attacks that steal customers' internet banking usernames and passwords.

HTTPS (Hypertext Transfer Protocol Secure) provides the maximum protection for banking websites against the most notorious attacks, such as phishing and sniffing.

What happens when you try https://www.mashreqbank.com?


Invalid Certificate Notice

I am curious, so what happens when you hit Continue to this website (which was not recommended!)?


Note: Typing the full URL of the website (when known) with https is the safest way to access websites.

What is the Problem (Technically)?

The Mashreq Bank official website (www.mashreqbank.com) presents the wrong SSL certificate: one that was issued to Mashreq Bank’s career portal (careers.mashreqbank.com).
Note: Unfortunately, the career portal is also down.

CERTIFICATE PATH




Besides, the certificate is signed with the very weak SHA-1 algorithm, which needs to be updated to SHA-256 as soon as possible. Read more about SHA-1 Sunset.




Is my Mashreq Online Banking unsafe? 

No, not really! Net Banking is still safe and well secured. The potential risk arises only when you are redirected from the official website to the Net Banking site, and from other potential attacks such as phishing and zero-day attacks.

Besides, Mashreq Bank is a reputed financial institution. You may expect the best support from the bank during such unfortunate situations.

How am I affected?

The Mashreq Bank official website has a potential security risk. But the Online Banking portal https://netbanking.mashreq.com is safe and configured with good security systems.


  • Though you cannot do much on the server side, you can protect yourself by not accessing your bank website on public wifi in cafes, public transportation, etc., and securing your home/office wifi networks. 


Mashreq Online Banking Portal - Certificates




HTTPS protects the integrity of your website
By Google:
HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.
Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third-parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.
Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML… they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.
--

Hope Mashreq will take action very soon.
Cheers!
Arun Ramachandran

Please reach me or leave your comments in the comment section. I'll get back to you as soon as possible.












