An analysis of the most common website attacks affecting the world’s biggest banks turned up concerning evidence that a common coding flaw remains an easy entry point for attackers.
A Swiss penetration testing firm, High-Tech Bridge, analyzed publicly reported incidents affecting major websites for banks, and found that, over the last 10 years, cross-site scripting (XSS) vulnerabilities accounted for 80 percent of security incidents.
A common XSS attack method might involve a hacker using code injections to steal visitors’ data, like cookies, or manipulating what victims see to trick them into inputting sensitive personal or financial information.
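The two outcomes just described, cookie theft and altered page content, both start with untrusted input reaching HTML unencoded. The following is an added illustration, not code from the article or from High-Tech Bridge: a reflected-XSS bug in a hypothetical search page beside its hardened form, and the session cookie flags that limit what an injected script could read.

```javascript
// Added example (not from the article): a reflected-XSS bug in a search
// page and its hardened counterpart, plus the cookie flags that limit what
// an injected script can steal. Node.js, no external dependencies.

// Vulnerable: the untrusted query string is concatenated straight into HTML,
// so any markup in it becomes part of the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Contextual output encoding for an HTML text node or attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same page, but every untrusted value is encoded for its context.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Session cookie flags: HttpOnly keeps document.cookie from exposing the value
// to page scripts, Secure pins it to HTTPS, SameSite limits cross-site sends.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Crude check used only to show the difference: is there a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe input, the kind a scanner submits; it carries no payload.
const PROBE = "<script>probe()</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSearchVulnerable(PROBE)); // script tag survives
  console.log(renderSearchSafe(PROBE));       // rendered as literal text
  console.log(sessionCookieHeader("abc123"));
}
```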
In the experiment, High-Tech Bridge used a list of the world’s 50 “biggest banks” in 2012 (as determined by Global Finance magazine) and dug up public attack reports posted on security and hacking sites or online archives for XSS attacks and site defacements.
Financial institutions on the list included Bank of America, HSBC, Barclays, JPMorgan Chase, Wells Fargo, Bank of Montreal, and a number of other major banks around the globe.
Out of 102 reported incidents that occurred between 2003 and the present, High-Tech Bridge found that Bank of America had the most public reports of security issues affecting its site.
Between 2007 and 2010, Bank of America sustained 12 publicly reported website attacks, the firm revealed. Of the 12 security incidents, 11 were XSS attacks.
The firm only noted two publicly reported website compromises in 2013 – at Bank of Brazil and Standard Chartered, a U.K.-based bank.
On Thursday, Ilia Kolochenko, CEO at High-Tech Bridge, told SCMagazine.com that the absence of recent reports on bank site attacks is not for a lack of them occurring. Instead, it showcases a change in attackers’ motives in targeting financial institutions.
Over the years, attacks have become more malicious, as opposed to hackers carrying out the exploits “for fun or glory,” he explained.
“Hackers today are compromising [banking sites] even more often than before, but it’s just that they do not expose it to the public,” Kolochenko said, later adding that saboteurs wish to stay under the radar, since they “are doing it for profit now.”
Early this year, London-based cloud security firm FireHost found that XSS attacks rose more than 160 percent in the U.S. and Europe between the third and fourth quarter of 2012 alone. During the time frame, XSS attacks blocked by FireHost’s servers increased from more than one million to 2.6 million, outpacing all of the common web attack vectors, including SQL injection.