Each e-banking system analyzed in 2017 contained, on average, seven vulnerabilities; this up from six in 2016. However, high- and medium-risk vulnerabilities made up a smaller portion, yet only a third of online banks were free of critical vulnerabilities in 2017, whereas in 2016 all financial web applications (except one) had at least one.
The most common online bank vulnerabilities in 2017 were Cross-Site Scripting (75% of systems) and poor protection from data interception (69%), allowing attacks such as reading cookie values or stealing customer credentials. Over half of online banks (63%) had “insufficient authorization,” a critical vulnerability that enables an attacker to obtain unauthorized access to web application functionality intended for privileged users.
Ultimately, 94 percent of online banks had vulnerabilities that criminals could use to obtain sensitive banking records and personal information.
"While 2017 brings hope that banking applications may actually become secure in the future, they still have a long, long way to go,” said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies. “We’ve seen many positive, across-the-board improvements in the security of both online, as well as mobile, banking applications. But, the bottom line is that clients’ personal information—not to mention the bank’s money—is still at risk.”
Galloway added: “In 13 percent of applications, we found Arbitrary Code Execution vulnerabilities, which a hacker can exploit to gain full control over a bank's server, with resulting reputational damage and financial losses for the bank. This is concerning."
Half of mobile banking applications contain critical vulnerabilities
The situation with mobile banking apps is similar. Almost half (48%) of mobile banking apps still contained at least one critical vulnerability. In 52 percent of cases, attackers could exploit vulnerabilities to decrypt, intercept, or bruteforce accounts to access the mobile app or bypass authentication entirely. These actions would effectively give the attacker total control over the account of a legitimate user.
That’s the bad news. But, as with e-banking apps, there’s good news in that here as well, the proportion of total vulnerabilities fell year over year. This for both high-risk (29% vs. 32% in 2016) and medium-risk vulnerabilities (56% vs. 60% in 2016). Low-risk vulnerabilities became more dominant as a result of companies prioritizing fixes for critical vulnerabilities.
On average but perhaps unsurprisingly, iOS apps are better protected than Android, even when created by the same bank. High-risk vulnerabilities on iOS accounted for only 25 percent of total vulnerabilities, compared to 56 percent on Android. In some cases, the iOS mobile app was free of vulnerabilities that were found present in the corresponding Android app.
Systems developed by vendors have become safer
In 2016, in-house applications contained half the number of vulnerabilities as commercially available platforms. However, in 2017 the situation reversed: out-of-the-box solutions actually contained fewer critical vulnerabilities. Vendors have started to pay more attention to security, whereas banks still lack experienced developers and well-implemented Secure Software Development Lifecycle processes.
In addition to analyzing the security of applications, which almost all banks do regularly, Positive Technologies’ experts also recommend auditing application source code. Such audits are necessary, even for vendor-provided systems as vulnerabilities can arise in the process of deployment or simple configurations. Preventive measures, such as a web application firewall, are necessary to provide temporary protections against exploitation of vulnerabilities until they can be fixed. And, banks must conduct ongoing security effectiveness checks as part of their remediation processes.
For companies that write their own financial applications in-house, the key is to pay more attention to security at early stages and continue doing so throughout the process of design, requirements setting, and development.