Steward Bank wants to be most internet friendly bank. Our security concerns

L.S.M Kabweza Avatar

steward-logoSo we moan and complain all the time about banks not making full use of this amazing platform called the internet. Some banks have generally deliberately shied away from it and even deny their customers this convenience sometimes. Crazy yes, but the reality in these parts.

Anyway, we were pointed yesterday to the new Steward Bank site and honestly it looks like they are on their way to providing some real internet convenience on the banking front. It’s too early to say just how big they want to go changing the status quo, but the signs are there we may see a big change led by them on the market if they don’t bungle things up!

They have launched their website with two things that banks generally don’t have:

  • Online account application*
  • Online live chat with clients


And the completed application:


The online account application, we’re told by an executive at the bank, is just an easier way to submit the application before you go to the bank physically. Once submitted the team at Steward Bank will do pre-vetting and once they are done, call you in to a branch to submit the KYC documents and sign physical forms. That way, said the source, a customer walks out with their account opened. So yeah, online application that’s not so online and we’re guessing there’s no innovating around KYC!

The live chat facility is also quite cool because at least you can have all your questions answered without needing to visit a branch. Our experience chatting with an agent though is they didn’t quite seem to know what was going on. They apparently didn’t know the online account application was live. Memo hasn’t gone around maybe. 

The one thing that worried us is that the chat and generally the site itself is not on a secure server and for a banking site (yes, its not the online banking system itself) this is a big problem. We did check the source code and there’s no secure iframe embedded in there. Customers tend to not know these things and will likely share account login details with call center agents via chat. Actually some might try to log into this website with their online banking details, a situation unscrupulous hackers will find quite attractive! Our source says this is something they are working to fix.

The website runs on the Drupal content management system and the chat component is by a company called Kayako.

As for the online banking itself, the website says its coming soon so i guess we’ll have to wait. Our source at the company how ever says that wait will be about 2 weeks long.


  1. kthaker

    i generally feel more confident to see https being used on banking websites when they allow you to submit personal information online. there is a good reason to use it.. and unfortunately with most of the local banking websites in zim.. their IT department dont have a clue of why it is often seen as a minimum requirement in online security in this day and age

    1. tinonetic

      Beat me to it.SSL is a bare essential. Though it has been recently revealed its not that secure,its standard.

      1. kthaker

        well, ssl wont stop your site from being hacked.rather the main reason for it, is that it secures the connection between your computer.. and the bank website. so when i submit any data i.e username and password to log into internet banking .. no 3rd parties inbetween the webserver and myself can eavesdrop on that info.

        without ssl, a bank who allows online applications can have that data intercepted..or worst case, an attacker can even have you visit a fake website and make you believe that it is steward bank just to get your personal details..and you’d be non the wiser.. so yeah.. these people definitely are not serious…

  2. Farai Sairai

    If the website is not complete, do not launch it. Customers do not want a half baked product which will be used for trial purposes. When errors/mistakes occur, the customer is blamed. And loses at the same time. I agree with #kthaker, a secure website must be the standard for online banking.

    Also there is no bank that I know that allows you to open an account online and start transacting with out them verifying who you are.

    1. developer

      #waterfall vs #agile

    2. Mhof

      It’s not ‘Online account opening’
      It’s online account APPLICATION

  3. Observer

    I am a have been a TN Bank customer since 2011 and am quite disappointed with Steward.

    1. First, believe it or not it is a bank with no ATM/swipe cards not to mention other plastic card/money. You have to use the old queue to get your money and for over a year now every time one visits a branch you’re told “cards will be out very soon, we are working on a new system”. Instead they urge you to link your account to Ecocash.

    2. Then, I have been using online/internet banking for over 10 years with foreign banks and locally (e.g., CABS has had a robust online system since the Zim$ era.) but Steward has always also been saying “it’s coming very soon”. Although I congratulate them for finally coming up with a useful website (the old one – which used to say designed by one Tawanda – had static pages with dead links) it is very disappointing the site still says “”Online Banking Coming Soon.” Surely, how many years waiting for such an essential service? Me thinks these guys don’t have the capacity to implement this service. Instead of rushing to use the site to retail expensive gadgets please first make it operationable in order to offer us the customers the core service.

  4. lon

    There is more to securing Internet based Web Apps. I am not sure how far these guys have gone to ensure a multi-tier security architecture on their site. My only fear is the lack of understanding of security in the banks IT team and the guys who developed their website. I wont be surprised that they do not even have a Web Application Firewall in place and a merely depending on SSL. SSL is not a silver bullet to web app security.
    Security of this site is meager and should be improved at this levels:
    -Code (Session, Cookies, Request Handling, XSS, XRFS, Traversals attcks etc)
    -Web App Infrastructure and Server Configs…..Harden and Patch your 5**T
    -Do they Have any DDOS Protection or IPS in place
    -What about Security Events Monitoring and reporting , plus the skilled people to deal with real time security attacks to their site
    -Did anybody perform a full swing Penetration testing before the site went live.

    So its time these big companies esp Econet and it’s subsidiaries take security seriously.

  5. HapanaDhiri

    Its actually common practice worldwide to make an online application then present your ID in person. @techzim how else would you verify someone’s identity online??

    1. lon

      there are many ways available world wide for online digital identity verification and checking. Zim and Africa are still decades from catching up on this.

      1. HapanaDhiri

        I would be interested to know one of the ways you can digitally verify who someone claims to be who they are without them being physically there.

        1. lon

          @HapanaDhiri, most of the western countries have created national identity databases through a central delegated CA. The CA is then used by companies, banks etc as a central point to verify identities. Places like Canada, NZ etc are already doing that. Refer to the link below:

  6. Pindile Mhandu

    Thanks to TZ the website now says HTTPS. Steward should hijack some people who made the FNB website and get them to come work there.

    1. kthaker

      lol yeah i actually noticed the https site a few minutes ago. nice to know that TZ and some people’s opinions can have a decent impact in zim. 😀

    2. Dan

      That said, they still haven’t properly locked down the protocols, ciphers and hashes per best practices. I have done a lot of work in the financial industry overseas and industry specific compliance standards such as PCI DSS and FIPS 140 require this.

      They have disabled SSL 2 which is good due to known faults. Unfortunately they haven’t enabled TLS 1.1 and 1.2 which many current browser versions now support (even IE 11!) due to recent weaknesses exposed in SSL 3 and its derivative TLS 1.0. A quick check also shows that they have NOT mitigated any BEAST attack risks server-side. Coupled with the fact that their site has insecure content/unauthenticated scripts – this is a very real threat.

      Finally, they allow ridiculously weak 56 bit ciphers. All modern browsers (and some pretty old ones) support 128 bit and so anything less than that should be disabled on the web server(s). Similarly, MD5 hash should be disabled as all modern browsers support the more secure SHA.

      1. lon

        @Dan, I agree with your views Spot on. SSL2 is out. My question is also to check how they implemented their encryption: is it end to end or point to point and does it apply both at the application and transport layers. Are there any points when they decrypt the traffic and if so, what mechanisms do they have to protect the data during this state. Do they also utilise Load Ba-lancers and WAF e.g. F5s to handle HHTPs stripping and re-tunneling.

        1. Pindile Mhandu

          I am hoping the Steward IT department is having a long look at your suggestions. Hopefully they could head hunt you down to do some fixes like how the pvt sector guys did with Obamacare.

          1. lon

            @Pindile..I hope so too that they do their job right else they will be a headline story just like this company called target in the US.


2023 © Techzim All rights reserved. Hosted By Cloud Unboxed