Bacs corporate website still runs obsolete crypto

UK banking organisation Bacs is running a cryptographically obsolete website despite telling everyone else to upgrade before a June deadline.

Earlier this week Bacs reminded UK businesses to update their systems and adopt SHA-2 before mid-June in order to avoid losing access to vital payment and money transfer services. Failure to change before a 13 June deadline will leave merchants unable to use Bacs Payment Schemes Limited (Bacs) to make salary or supplier payments or to collect by direct debit, as previously reported.

Support for obsolete protocols will be dropped by Bacs from mid June, consistent with changes been pushed by browser-makers and other IT firms to build a more secure web. Bacs has been pushing the move for some time, despite the fact that its own bacs.co.uk website is still hopelessly insecure, as evidenced here. Qualys SSL Labs rates the site as a straight F.

Reg reader Rob L, to whom we are grateful for bringing the issue to our attention, described the BACS website as “being the worst I’ve seen”.

Harsh, but perhaps fair: SSLv2 supported, SSLv3 supported, RC4 MD5 supported, DES MD5 supported but TLS 1.2 is disabled despite being supported by the OS.

Not good.

In response to queries from El Reg on the matter, a Bacs spokesman acknowledged the issue but said that changes were in hand and would be in place before the mid-June deadline.

The Bacs corporate website is being refreshed at the moment and when the new version goes live (which will be before 13 June), those new standards will be in place. Our two other public facing websites have already been migrated to the new standards - directdebit.co.uk and simplerworld.co.uk.

The spokesman added, contrary to what we initially reported in our earlier story that Bacs had only just set a deadline for crypto upgrades, that the banking organisation has been “communicating regularly through digital ads, regular ecomms, articles in trade media, support of business shows and speaking events, all over the last year - on top of the latest press release”.

He added: "Our secure portals (those from which our payment schemes are accessed) have already been upgraded - as you'd expect, these were our priority - and these will be made even more secure on 13 June, with the implementation of the changes we have outlined. This is some six months ahead of the timeline set out by the internet community.

"The remaining websites are simply information sites with no access to our payment services. Two out of the three information-only sites have already been upgraded, and the remaining site will go live shortly with the upgraded standards in place." ®