Tesco, Barclays and Halifax still vulnerable to the big bad Poodle.
Poodle may sound like something innocuous and fluffy but POODLE – Padding Oracle On Downgraded Legacy Encryption, to give it its proper name – is a security flaw that allows attackers to intercept supposedly secure SSL communications between a website and an individual user’s computer. This has had wide ranging implications for just about every site out there but particularly for banking websites. The Poodle could allow, for example, a hacker to take up residence in a coffee shop, wait for someone to jump on the Wi-Fi and then grab key data as a banking site is accessed.
However, while most sites – and certainly many of the big banks – immediately sprung into action when Poodle reared its head, it would seem that some are still not entirely alert to the danger that this security flaw really poses. When Poodle first appeared, Ivan Ristic’s SSL Labs site highlighted those banks that were vulnerable and the site has recently revealed that many of those bastions of finance have actually done very little to fix the problem and are still exposed thanks to issues such as weak TLS protocols. Some of the biggest names on this list include Barclays and Halifax, which are reported to still be vulnerable to the original Poodle. Tesco has even received a Fail security score as a result of its poor response to the security issue.
Given the enormous customer bases of these banks it’s pretty shocking that they still have not taken action to deal with the Poodle threat. Some of the consequences of the security flaw are that sessions can be stolen and, if an advanced hacking brain was involved, then – as we mentioned – Poodle could be used to steal account details and transactions, something that would be an absolute nightmare for the customers involved.
It’s now more than six months since the first warnings appeared about the Poodle bug and it’s shocking that these banks aren’t taking the threat seriously. The fixes for the security flaws that allow it to wreak such havoc are not that difficult to implement so there’s no real reason why Halifax, Tesco and Barclays should be so behind the curve on this one – and put their customers so at risk.
As this shows, it’s crucial to stay up to date when it comes to both personal and business security, whether you use IT outsourcing or your own internal infrastructure and security management.