Neil Turner's Blog

UK Banks and Encryption

Here’s a short survey I have done on the levels of encryption employed by UK banks for their online banking systems, and whether they use EV (extended validation) security certificates.
Ideally, sites that deal with money should use the strongest encryption available (256-bit AES) and an EV certificate (the green bar), which lets the user verify that the site isn’t a hoax.

UK Online banks

| Bank name | Bit strength | EV? |
|---|---|---|
| NatWest | 128-bit RC4 | Yes |
| HSBC | 168-bit 3DES | No |
| Halifax | 128-bit RC4 | No |
| Lloyds TSB | 256-bit AES | No |
| Barclays | 256-bit AES | No |
| RBS | 128-bit RC4 | Yes |
| Alliance & Leicester | 128-bit RC4 | No |
| Abbey | 128-bit RC4 | No |
| Nationwide | 128-bit RC4 | No |
| Co-operative Bank | 128-bit RC4 | No |

All tests were carried out on Firefox 3 Beta 5 running on Windows, and data is from the login screens only, not actual online banking sessions.
The test results are slightly concerning. Though RC4 is largely safe, there is a growing number of attacks against it, especially where it is used to secure WEP wireless networks. AES, on the other hand, has fewer known flaws, and it should be in wider use.
The lack of sites with EV certificates is also surprising, particularly as phishing is a growing problem and all of the sites listed here have been targeted in emails that I have seen. Only two sites have them and they are owned by the same parent company and use the same domain.
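The "bit strength" column can be reproduced without a browser. The following is an added example, not part of the original post: it completes a TLS handshake and formats the negotiated cipher the way the table does, using Python's standard `ssl` module. The function names and the sample tuples in the docstring are constructed for illustration; the result depends on the cipher list the client offers as well as the server's preference, and the EV column is not covered.

```python
import socket
import ssl

# Cipher families keyed by a token in the suite name, checked in order.
FAMILIES = [
    ("CHACHA20", "ChaCha20"),
    ("AES", "AES"),
    ("CAMELLIA", "Camellia"),
    ("3DES", "3DES"),
    ("DES-CBC3", "3DES"),  # OpenSSL's name for 3DES suites
    ("RC4", "RC4"),
]
LEGACY = {"RC4", "3DES"}  # RC4 is prohibited in TLS by RFC 7465


def describe(cipher):
    """Turn an ssl.SSLSocket.cipher() tuple into a survey row.

    cipher is (suite_name, protocol, secret_bits), for example the
    constructed value ("DES-CBC3-SHA", "TLSv1", 168).
    """
    name, protocol, bits = cipher
    upper = name.upper()
    family = next((label for token, label in FAMILIES if token in upper), "unknown")
    return {
        "strength": f"{bits}-bit {family}",
        "protocol": protocol,
        "legacy": family in LEGACY or bits < 128,
    }


def negotiated_cipher(host, port=443, timeout=5.0):
    """Handshake with host and return the cipher tuple both sides settled on."""
    context = ssl.create_default_context()  # verifies certificate and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # host names are supplied by the reader
        try:
            row = describe(negotiated_cipher(host))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(f"{host}: handshake failed ({exc})")
            continue
        flag = " (legacy cipher)" if row["legacy"] else ""
        print(f"{host}: {row['strength']} over {row['protocol']}{flag}")
```

Run it with one or more host names as arguments; each line of output corresponds to one row of the table above.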

This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-ShareAlike 2.0 UK: England & Wales License.

2 Comments

  1. Hello Neil, your autodetect atom feed (on http://www.neilturner.me.uk/atom.xml ) appears to be busted.
    Also, no idea what to subscribe to from http://www.neilturner.me.uk/feeds/atom/
    help please?

  2. I have just moved house, am on Virgin Media (same account, just moved addresses) and I cannot access NatWest or RBS websites, either .com or .co.uk. Google Chrome says “oops, this link appears to be broken”. I have also checked and I can’t access through Internet Explorer. Is this something to do with my security settings? No-one else seems to have this issue.
    Thanks