Security policy

A friend of mine spotted that his bank claims to use “the highest security available” when actually they use ARC4 and 1024 bit RSA. He sent them this:

Dear HBOS security

I have recently received the below message in regard to your paper-free service. While the message was genuinely sent by yourselves, I do take issue (and most strongly so) with the statement that “You can access our paper-free service safe in the knowledge that it uses the highest level of security available.” In fact, your SSL security is bordering on outmoded; if you took security seriously then you would certainly use 128- or 256-bit AES (rather than ARC4) and 2048- or 4096-bit (rather than 1024-bit) RSA. I very much hope you already know that NIST will consider 1024-bit RSA (equivalent to an 80-bit symmetric key in terms of the effort required to break it) officially obsolete as of 2010, so I would certainly have expected that you would transition to 2048-bit or longer RSA keys by now, although I still hold out hope that you will finally do this before the new year is upon us. Until then, I would suggest that you do not allow misleading statements such as the below to be issued as regards your security provisions.

Yours faithfully
B S T

Having received no response after several weeks, he then sent them this:

Dear HBOS security

Since I sent the below message over a month ago, I have received no response but for an automated acknowledgement which has not been followed up. However, I have received another message seeking once again to inform me that you supposedly use the highest level of security available. With 2010 almost upon us, and with Christmas cheer in my heart, I decided to give you the benefit of the doubt and check to see if, in fact, you have at last dragged yourselves into the 21st Century as far as encryption algorithms are concerned. It was with disappointment, then, albeit little surprise, that I found no change since I had sent the previous e-mail. It is pertinent, although perhaps somewhat ironic, that even the Web-based interface through which I write this message is served along with DHE-RSA-AES256-SHA encryption.

Perhaps it was not clear enough to you lackwits the last time, but a viable security policy consists in practice of more than simply claiming that something is highly secure and hoping that nobody will notice otherwise. On the other hand, perhaps I should not have such high expectations of the competence of a bank that invested heavily in US mortgage-backed securities, which anyone with an ounce of common sense could see had been vastly overvalued due to a financial mania, and failed to make a sufficiently early exit from this market, with clearly disastrous consequences suffered as a result. If you insist on continuing to pursue these games of brinkmanship not only in your financial dealings (alas, supposedly your primary competency) but also in respect of basic consumer protection such as website security, then perhaps I shall be better off to take advantage of the recent market corrections to withdraw all but a nominal sum from my current account and make sounder investments by acquiring additional gold, silver, and foreign currency instead.

Yours, with much disdain
B S T

He has yet to receive a response, but we shall see what they say in the end.