Firm highlights top site attacks on world's biggest banks

Share this article:

An analysis of the most common website attacks affecting the world's biggest banks, turned up concerning evidence that a common coding flaw remains an easy entry point for attackers.

A Swiss penetration testing firm, High-Tech Bridge, analyzed publicly reported incidents affecting major websites for banks, and found that, over the last 10 years, cross-site scripting (XSS) vulnerabilities accounted for 80 percent of security incidents.

A common XSS attack method might involve a hacker using code injections to steal visitors' data, like cookies, or manipulating what victims see to trick them into inputting sensitive personal or financial information.

In the experiment, High-Tech Bridge used a list of the world's 50 “biggest banks” in 2012 (as determined by Global Finance magazine) and dug up public attack reports posted on security and hacking sites or online archives for XSS attacks and site defacements.

Financial institutions on the list included Bank of America, HSBC, Barclays, JPMorgan Chase, Wells Fargo, Bank of Montreal, and number of other major banks throughout the globe.

Out of 102 reported incidents, that occurred between 2003 to present, High-Tech Bridge found that Bank of America had the most public reports of security issues affecting its site.

Between 2007 and 2010, Bank of America sustained 12 publicly reported website attacks, the firm revealed. Of the 12 security incidents, 11 were XSS attacks.

The firm only noted two publicly reported website compromises in 2013 – at Bank of Brazil and Standard Chartered, a U.K.-based bank.

On Thursday, IIia Kolochenko, CEO at High-Tech Bridge, told SCMagazine.com that the absence of recent reports on bank site attacks are not for a lack of them occurring. Instead, they showcase a change in attackers' motives in targeting financial institutions.

Over the years, attacks have become more malicious, as opposed to hackers carrying out the exploits “for fun or glory,” he explained.

“Hackers today are compromising [banking sites] even more often than before, but it's just that they do not expose it to the public,” Kolochenko said, later adding that saboteurs wish to stay under the radar, since they “are doing it for profit now.”

Early this year, London-based cloud security firm FireHost found that XSS attacks rose more than 160 percent in the U.S. and Europe between the third and fourth quarter of 2012 alone. During the time frame, XSS attacks blocked by FireHost's servers increased from more than one million to 2.6 million, outpacing all of the common web attack vectors, including SQL injection.

Share this article:

Sign up to our newsletters

More in News

Rogue AV scammers find success with new tatics

Although the number of rogue anti-virus malware campaigns have decreased overall, the threat isn't totally gone, according to researchers at Microsoft.

Medical transcription provider settles data security charges

GMR Transcription Services in California agreed to settle FTC charges related to its security practices.

Researcher hacks network connected devices in own home

Researcher hacks network connected devices in own home

In his own home, a researcher was able to hack various network connected devices that are not computers and mobile phones.