I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all, in 2016 my bank still doesn’t offer two factor authentication, EMV cards, or several other modern features that I see from other banks. I’d like a bank that takes information security seriously; it seems like my current one does not. While I’m sure I could find clean compliance-based audits for each of these banks, I would prefer to take a different, more open approach. For this exercise let’s just look at email and website security.
My research methodology (inspired by Mark Stanislav’s MASSACRE talk) is broken down into four steps. Each step will be awarded a letter grade. At the end an average for each bank will be determined.
Here’s what I did:
- Scan the site’s login page with https://securityheaders.io
- Scan the site’s login page with https://ssllabs.com
- Review the site’s DMARC record policy (if set)
- Determine if the site offers two factor authentication with https://twofactorauth.org
Security Headers and SSL Labs both assign a letter grade. Security Headers, however, will give points for the use of any header regardless of how it is used, so I have reduced the score in two places for ineffective implementations of Content-Security-Policy.
Sites can apparently request exemption from SSL Labs scanning; Citibank has done this, so I will reduce their SSL Labs score to an F.
Before I started I assumed that DMARC would be pretty much pass/fail, but Bank of America interestingly had it set to quarantine for all subdomains and not for their root bankofamerica.com domain, which is where they actually send email from. I’ll give them a D.
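To make the DMARC step repeatable, here is an added example (not part of the original post) that parses a DMARC TXT record and classifies it the way the step above does, including the case where only subdomains are enforced while the root domain stays at p=none. The sample records are constructed and do not belong to any bank named here.

```python
# Constructed sample DMARC TXT records (not real records of any bank).
SAMPLES = {
    "enforced":        "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test",
    "subdomains-only": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example-bank.test",
    "monitor-only":    "v=DMARC1; p=none",
    "missing":         "",
}

# Policies that actually act on failing mail; p=none only reports.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (RFC 7489 'tag=value;' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    return tags


def effective_policies(tags):
    """Return (root_policy, subdomain_policy). Per RFC 7489, sp defaults to p when absent."""
    p = tags.get("p", "none")
    sp = tags.get("sp", p)
    return p, sp


def assess(record):
    """Classify a record for the DMARC step of the review:
    'enforced'        - the root domain itself is quarantine/reject,
    'subdomains-only' - subdomains are enforced but the root domain (where the
                        bank's mail is actually sent from) is still p=none,
    'monitor-only'    - p=none everywhere,
    'missing'         - no valid DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v") != "dmarc1":
        return "missing"
    p, sp = effective_policies(tags)
    if p in ENFORCING:
        return "enforced"
    if sp in ENFORCING:
        return "subdomains-only"
    return "monitor-only"


if __name__ == "__main__":
    for expected, rec in SAMPLES.items():
        print(f"{expected:16s} -> {assess(rec)}")
```

In practice the record comes from a TXT lookup of `_dmarc.<domain>`; the classifier itself needs no network access.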
It is shocking to me that so few banks support two factor authentication in any form for consumers.
In the end, the results show that nobody is perfect but Chase Bank and USAA stand above the rest. Although this is not a holistic review of the security programs at these banks, these outward-facing security policies give us a window into how these banks value customer security.