Comparing the HTTPS Security Headers of Swiss banks

March 27, 2018 · by · in Security · 8 Comments

This post compares the security HTTP Headers used by different banks in Switzerland. securityheaders.io is used to test each of the websites. The website of each bank as well as the e-banking login was tested. securityheaders.io views the headers like any browser.

The tested security headers help protect against some of the possible attacks, especially during the protected session. I would have expected all the banks to reach at least a grade of A, but was surprised to find, even on the login pages, many websites are missing some of the basic ways of protecting the application.

Credit Suisse provide the best protection for the e-banking login, and Raiffeisen have the best usage of the security headers on the website. Strange that the Raiffeisen webpage is better protected than the Raiffeisen e-banking login.

Scott Helme explains each of the different headers here, and why you should use them:

TEST RESULTS

Best A+, Worst F

e-banking

1. Grade A Credit Suisse
1. Grade A Basler Kantonalbank
3. Grade B Post Finance
3. Grade B Julius Bär
3. Grade B WIR Bank
3. Grade B DC Bank
3. Grade B Berner Kantonalbank
3. Grade B St. Galler Kantonalbank
3. Grade B Thurgauer Kantonalbank
3. Grade B J. Safra Sarasin
11. Grade C Raiffeisen
12. Grade D Zürcher Kantonalbank
13. Grade D UBS
14. Grade D Valiant

web

1. Grade A Raiffeisen
2. Grade A Credit Suisse
2. Grade A WIR Bank
2. Grade A J. Safra Sarasin
5. Grade A St. Galler Kantonalbank
6. Grade B Post Finance
6. Grade B Valiant
8. Grade C Julius Bär
9. Grade C Migros Bank
10. Grade D UBS
11. Grade D Zürcher Kantonalbank
12. Grade D Berner Kantonalbank
13. Grade F DC Bank
14. Grade F Thurgauer Kantonalbank
15. Grade F Basler Kantonalbank

TEST RESULTS DETAILS

UBS

https://www.ubs.com

This is one of the worst protected of all the bank e-banking logins tested. It is missing most of the security headers. The website is also missing most of the security headers.

https://ebanking-ch.ubs.com

The headers returned from the e-banking login is even worst than the D rating, as it is also missing the X-Frame-options protection.

cache-control →no-store, no-cache, must-revalidate, private
connection →Keep-Alive
content-encoding →gzip
content-type →text/html;charset=UTF-8
date →Tue, 27 Mar 2018 11:46:15 GMT
expires →Thu, 1 Jan 1970 00:00:00 GMT
keep-alive →timeout=5, max=10
p3p →CP="OTI DSP CURa OUR LEG COM NAV INT"
server →Apache
strict-transport-security →max-age=31536000
transfer-encoding →chunked

No CSP is present here…

Credit Suisse

The Credit Suisse website and login are protected with most of the headers and have a good CSP. The no-referrer header is missing from the e-banking login and could be added.

https://www.credit-suisse.com/ch/en.html

CSP

default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.credit-suisse.com 
*.credit-suisse.cspta.ch *.doubleclick.net *.decibelinsight.net 
*.mookie1.com *.demdex.net *.adnxs.com *.facebook.net *.google.com 
*.google-analytics.com *.googletagmanager.com *.google.ch *.googleapis.com 
*.youtube.com *.ytimg.com *.gstatic.com *.googlevideo.com *.twitter.com 
*.twimg.com *.qq.com *.omtrdc.net *.everesttech.net *.facebook.com 
*.adobedtm.com *.ads-twitter.com t.co *.licdn.com *.linkedin.com 
*.credit-suisse.wesit.rowini.net *.zemanta.com *.inbenta.com 
*.adobetag.com sc-static.net

The CORS header is present, but it allows all origins, which is a bit lax, but CORS is not really a securtiy feature. I think is still should be more strict.

https://direct.credit-suisse.com/dn/c/cls/auth?language=en

CSP

default-src dnmb: 'self' *.credit-suisse.com *.directnet.com *.nab.ch; 
script-src dnmb: 'self' 'unsafe-inline' 'unsafe-eval' *.credit-suisse.com 
*.directnet.com *.nab.ch ; style-src 'self' 'unsafe-inline' *.credit-suisse.com *.directnet.com *.nab.ch; img-src 'self' http://img.youtube.com data: 
*.credit-suisse.com *.directnet.com *.nab.ch; connect-src 'self' wss: ; 
font-src 'self' data:

Raiffeisen

The Raiffeisen website is the best protected of all the tested banks. The e-banking could be improved.

https://www.raiffeisen.ch/rch/de.html

CSP

This is pretty good, but it allows unsafe-eval, probably due to the javascript lib used to implement the UI. This could be improved.

Security-Policy	default-src 'self' ; script-src 'self' 'unsafe-inline' 
'unsafe-eval' assets.adobedtm.com maps.googleapis.com login.raiffeisen.ch ;
 style-src 'self' 'unsafe-inline' fonts.googleapis.com ; img-src 'self' 
statistics.raiffeisen.ch dmp.adform.net maps.googleapis.com maps.gstatic.com 
csi.gstatic.com khms0.googleapis.com khms1.googleapis.com www.homegate.ch 
dpm.demdex.net raiffeisen.demdex.net ; font-src 'self' fonts.googleapis.com 
fonts.gstatic.com ; connect-src 'self' api.raiffeisen.ch statistics.raiffeisen.ch 
www.homegate.ch prod1.solid.rolotec.ch dpm.demdex.net login.raiffeisen.ch ;
 media-src 'self' ruz.ch ; child-src * ; frame-src * ;

https://ebanking.raiffeisen.ch/

Zürcher Kantonalbank

https://www.zkb.ch/

The website is pretty bad. It has a mis-configuration in the X-Frame-Options. The e-banking login is missing most of the headers.

https://onba.zkb.ch/page/logon/logon.page

Post Finance

Post Finance is missing the CSP header and the no-referrer header in both the website and the login. This could be improved.

https://www.postfinance.ch/de/privat.html

https://www.postfinance.ch/ap/ba/fp/html/e-finance/home?login

Julius Bär

Julius Bär is missing the CSP header and the no-referrer header for the e-banking login, and the X-Frame-Options is also missing from the website.

https://www.juliusbaer.com/global/en/home/

https://ebanking.juliusbaer.com/bjbLogin/login?lang=en

Migros Bank

The website is missing a lot of headers as well.

https://www.migrosbank.ch/de/privatpersonen.html

Migro Bank provided no login link from the browser.

WIR Bank

The WIR bank have one of the best websites, and is missing the the no-referrer header. It’s e-banking solution is missing both a CSP Header as well as a referrer policy. Here the website is more secure than the e-banking, strange.

https://www.wir.ch/

CSP

frame-ancestors 'self' https://www.jobs.ch;

https://wwwsec.wir.ch/authen/login?lang=de

DC Bank

The DC Bank is missing all the security headers on the website. This could really be improved! The e-banking is better, but missing the CSP and the referrer policies.

Startseite

https://banking.dcbank.ch/login/login.jsf?bank=74&lang=de&path=layout/dcb

Basler Kantonalbank

This is an interesting test. Basler Kantonalbank has a no security headers in the website, and even an incorrect X-Frame-Options. The e-banking is good, but missing the no-referrer policy. So it has the best and the worst of the banks tested.

https://www.bkb.ch/en

https://login.bkb.ch/auth/login

CSP

default-src https://*.bkb.ch https://*.mybkb.ch; 
img-src data: https://*.bkb.ch https://*.mybkb.ch; 
script-src 'unsafe-inline' 'unsafe-eval' 
https://*.bkb.ch https://*.mybkb.ch; style-src 
https://*.bkb.ch https://*.mybkb.ch 'unsafe-inline';

Berner Kantonalbank

https://www.bekb.ch/

The Berner Kantonalbank has implemented 2 security headers on the website , but is missing the HSTS header. The e-banking is missing 2 of the security headers, no-referrer policy and the CSP.

CSP

frame-ancestors 'self'

https://banking.bekb.ch/login/login.jsf?bank=5&lang=de&path=layout/bekb

Valiant

Valiant has one of the better websites, but the worst e-banking concerning the security headers. Only has the X-Frame-Options supported.

https://www.valiant.ch/privatkunden

https://wwwsec.valiant.ch/authen/login

St. Galler Kantonalbank

The website is an A-Grade, but missing 2 headers, the X-Frame-Options and the no-referrer header. The e-banking is less protected compared to the website, has a grade B. It is missing the CSP and the referrer policy.

https://www.sgkb.ch/

CSP

default-src 'self' 'unsafe-inline' 'unsafe-eval' recruitingapp-1154.umantis.com 
*.googleapis.com *.gstatic.com prod1.solid.rolotec.ch beta.idisign.ch 
test.idisign.ch dis.swisscom.ch www.newhome.ch www.wuestpartner.com; 
img-src * data: android-webview-video-poster:; font-src * data:

https://www.onba.ch/login/login

Thurgauer Kantonalbank

The Thurgauer website is missing all the security headers, not even the HSTS supported, and the e-banking is missing the CSP and the no-referrer headers.

https://www.tkb.ch/

https://banking.tkb.ch/login/login

J. Safra Sarasin

J. Safra Sarasin website uses most security headers, it is only missing the no-referrer header. The e-banking webite is missing the CSP and the referrer headers.

https://www.jsafrasarasin.ch

CSP

frame-ancestors 'self'

https://ebanking-ch.jsafrasarasin.com/ebankingLogin/login

It would be nice if the this part of the security could be improved for all of these websites.

Tags: , , ,

8 comments

  1. bjoernbuschjoern · · Reply

    Did you notify the banks with your findings?

    1. damienbod · · Reply

      I included them in a tweet about this

      1. bjoernbusch · ·

        Awesome, I’d love to see ZKB improve.

  2. Dew Drop - March 28, 2018 (#2693) - Morning Dew · · Reply

    […] Comparing the HTTPS Security Headers of Swiss banks (Damien Bowden) […]

  3. Roger Signer, SGKB · · Reply

    Thanks for the adding of our company and the publishing of your findings. You seem to have mixed up TKB and SGKB. The correct e-banking-URL for SGKB would be https://www.onba.ch/login/login (not banking.tkb.ch).
    Best, Roger Signer, SGKB

    1. damienbod · · Reply

      Thanks for the feedback. I will fix it now.

      1. damienbod · ·

        Hi Roger

        Updated. Thanks again for the feedback.

        Greetings Damien

  4. Les liens de la semaine – Édition #259 | French Coding · · Reply

    […] La comparaison de l’utilisation des entêtes de sécurité HTTP des banques suisses. […]

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.