Two-thirds of online banking systems contain critical vulnerabilities
Threats / Two-thirds of online banking systems contain critical vulnerabilities: Report
24 April 2018
Even though high risk vulnerabilities in online banking systems went down from 90 percent in 2015 to 56 percent in 2017, two-thirds of online banking systems still contain at least one critical vulnerability, a report from Positive Technologies has revealed.
This revelation comes not long after researchers at the University of Birmingham discovered critical flaws in several banking apps that allowed attackers to conduct man-in-the-middle attacks and steal credentials of millions of users.
The flaw was observed in as many as 9 popular banking apps including those of Bank of America, Meezan Bank, HSBC, Smile Bank and VPN provider TunnelBear. All of these firms patched their respective vulnerabilities before the publication of the report.
Online banking systems a lot more secure than in 2015
According to the new Financial Application Vulnerabilities Report from Positive Technologies, online banking systems are now much more secure than they were in 2015 when only one in ten banking systems were considered secure enough to resist cyber attacks.
However, despite improvements, two-thirds of online banking systems still contain at least one critical vulnerability that can be exploited by hackers either for financial gain or to create chaos and instability. In 2017, researchers found that Cross-Site Scripting was the most common critical vulnerability and was found in 75 percent of all online banking systems.
At the same time, while 69 percent of such systems demonstrated poor protection from data interception, thereby allowing attackers to steal user credentials and read cookie values, 63 percent of them had insufficient authorisation protocols that allowed attackers to obtain unauthorized access to web application functionality.
“While 2017 brings hope that banking applications may actually become secure in the future, they still have a long, long way to go. We’ve seen many positive, across-the-board improvements in the security of both online, as well as mobile, banking applications. But, the bottom line is that clients’ personal information—not to mention the bank’s money—is still at risk,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies.
“In 13 percent of applications, we found Arbitrary Code Execution vulnerabilities, which a hacker can exploit to gain full control over a bank’s server, with resulting reputational damage and financial losses for the bank. This is concerning,” he added.
Banking apps still far from secure
Positive Technologies also found that in 2017, 48 percent of mobile banking apps contained at least one critical vulnerability that allowed attackers to “decrypt, intercept, or bruteforce accounts to access the mobile app or bypass authentication entirely”.
Even though high-risk vulnerabilities in banking apps went down from 32 percent in 2016 to 29 percent in 2017 and medium-risk vulnerabilities in such applications went down from 60 percent in 2016 to 56 percent in 2017, the reduction is merely incremental and a lot more work needs to be done to secure all banking applications with the latest security protocols and cyber defences.
Commenting on the report from Positive Technologies, Don Duncan, director at NuData Security, told TEISS News that despite improvements in security around banking systems and apps, more than 50 percent of the account takeover attacks across NuData clients came in via native apps and enterprise APIs.
“While fewer critical vulnerabilities is good news, this doesn’t mean customer accounts are protected. All the exposed data – due to the endless breaches – makes it easier to find working username and password combinations. Today, a fraudster doesn’t need to break a system to access sensitive data. Most of the attacks’ objective is to reach sensitive data they can profit from. Bad actors can easily get their hands on the customer data that breaches make available.
One way for financial institutions to protect their customers’ accounts – and, in turn, their business – is to implement security tools that don’t rely on the data provided by the customer,” he said.
Duncan added that banks should implement multi-layered solutions including passive biometrics to provide enhanced account protection. If the use of passive biometrics ensures the monitoring of user behaviour, it will be hard for attackers to replicate user behaviour or to impersonate them while carrying out online attacks.
“This way, even if the static data has been stolen, decrypted, and ready to be used, bad actors can’t take over the account,” he added.