Two thirds of online banks still have at least one critical vulnerability: report
- Published: Tuesday, 01 May 2018 08:47
Positive Technologies has published the findings of its annual report on the state of e-banking security. The Financial Application Vulnerabilities Report, drawn from audits performed by the company, finds that two thirds of online banking systems still contain at least one critical vulnerability.
The good news is that the percentage of critical vulnerabilities is falling. High risk vulnerabilities were found on 90 percent of systems in 2015; by 2016, this number dropped to 71 percent; and, in 2017 it dropped further to 56 percent.
Despite this encouraging trend, security shortcomings remain a menace for banks and clients. Each e-banking system analyzed in 2017 contained, on average, seven vulnerabilities; this was up from six in 2016. However, high- and medium-risk vulnerabilities made up a smaller portion.
The most common online bank vulnerabilities in 2017 were Cross-Site Scripting (75 percent of systems) and poor protection from data interception (69 percent), allowing attacks such as reading cookie values or stealing customer credentials. Over half of online banks (63 percent) had ‘insufficient authorization’, a critical vulnerability that enables an attacker to obtain unauthorized access to web application functionality intended for privileged users.
Ultimately, 94 percent of online banks had vulnerabilities that criminals could use to obtain sensitive banking records and personal information.
Half of mobile banking applications contain critical vulnerabilities
The situation with mobile banking apps is similar. Almost half (48 percent) of mobile banking apps still contained at least one critical vulnerability. In 52 percent of cases, attackers could exploit vulnerabilities to decrypt, intercept, or bruteforce accounts to access the mobile app or bypass authentication entirely. These actions would effectively give the attacker total control over the account of a legitimate user.
That’s the bad news. But, as with e-banking apps, there’s good news in that here as well, the proportion of total vulnerabilities fell year over year. This for both high-risk (29 percent vs. 32 percent in 2016) and medium-risk vulnerabilities (56 percent vs. 60 percent in 2016). Low-risk vulnerabilities became more dominant as a result of companies prioritizing fixes for critical vulnerabilities.
On average but perhaps unsurprisingly, iOS apps are better protected than Android, even when created by the same bank. High-risk vulnerabilities on iOS accounted for only 25 percent of total vulnerabilities, compared to 56 percent on Android. In some cases, the iOS mobile app was free of vulnerabilities that were found present in the corresponding Android app.
Systems developed by vendors have become safer
In 2016, in-house applications contained half the number of vulnerabilities as commercially available platforms. However, in 2017 the situation reversed: out-of-the-box solutions actually contained fewer critical vulnerabilities. Vendors have started to pay more attention to security, whereas banks still lack experienced developers and well-implemented Secure Software Development Lifecycle processes.
In addition to analyzing the security of applications, which almost all banks do regularly, Positive Technologies’ experts also recommend auditing application source code. Such audits are necessary, even for vendor-provided systems as vulnerabilities can arise in the process of deployment or simple configurations. Preventive measures, such as a web application firewall, are necessary to provide temporary protections against exploitation of vulnerabilities until they can be fixed. And, banks must conduct ongoing security effectiveness checks as part of their remediation processes.
For companies that write their own financial applications in-house, the key is to pay more attention to security at early stages and continue doing so throughout the process of design, requirements setting, and development.
For additional details, download the full report here.