Over half of UK banks have insecure SSL implementations associated with login functions

Xiphos Research co-founder says some of the instances are 'shockingly bad' but that banks aren't interested in mitigating risks

More than half of the UK's retail banks have insecure instances of SSL, which are associated with supposedly "secure" login functions, making it easier for cyber criminals to get their hands on financial data.

Global security firm Xiphos Research looked into UK high street banks and building societies and their implementations of SSL certificates, particularly in relation to their security authentication mechanisms.

Mike Kemp, the co-founder of Xiphos Research, said the research company had expected that the majority of UK banks and building societies would be secure, but that this was not the case.

The company's research, which took place in November 2015, found that of the 22 UK-owned retail banks, 50 per cent were found to have insecure SSL instances; of the 25 foreign-owned retail banks operating in the UK that Xiphos examined, 79 per cent were found to have insecure SSL instances; and of the 37 UK building societies it examined, 51 per cent were found to have insecure instances.

Overall, there were 84 SSL instances included as part of the research, and 12 of them were rated "F" by SSLLabs (a service provided by security firm Qualys) - the worst possible score.

"That's actually shockingly bad, when you consider that what we were concerned with was not the generic-customer facing internet sites associated with financial institutions but the URL instances associated with their login functions," said Kemp.

Kemp explained that Xiphos had tried to get in touch with affected banks and financial institutions but found that it was nearly impossible to talk to the right people.

"As things stand, more than 50 per cent of banks and building societies in the UK have weak SSL implementations associated with their secure login functions - and the affected parties don't seem to care," he said.

Xiphos then reached out to the Financial Conduct Authority (FCA) in order to get the regulator to share the results of the research with their members, and affected parties. However, the FCA said that it was unable to provide details of individuals or generic email addresses to report security concerns to because of "security reasons".

Xiphos then contacted the UK National Crime Agency. Kemp said he hoped that all relevant parties had now been informed.

"As a result, we will not be publishing who is impacted (yet) ... Until we have confirmation from third parties that they are mitigating the risks presented in this [research], we can't in good faith publish anything other than anonymised statistics."