Vulnerability Management

Two-thirds of online banking systems in 2017 contained high-risk vulnerabilities

Over the years, governments and cyber security experts have repeatedly urged businesses and critical industries to strengthen their cyber-defences to keep up with emerging threats and to ensure the security of enterprise and customer data.

While cyber-criminals have spared no industry in their quest for financial gain or to destabilise economies, online banking systems were, and still are, prime targets for such entities, as any security flaw can be exploited to impact hundreds of thousands of people and to gain access to millions, if not billions, of pounds.

In 2015, a time when banks were swiftly adopting new digital technologies, introducing online banking services and shutting down brick-and-mortar branches with a vengeance, little heed was paid to how weak those newly-introduced online systems were vis-a-vis the capabilities of motivated cyber-criminals.

According to Positive Technologies, 90 percent of online banking systems were found to contain high-risk critical vulnerabilities in 2015. This number had, in fact, increased remarkably from 78 percent of such systems in 2013-14, implying that the adoption of digital tools also made banks more vulnerable to threats such as SQL injections, unauthorised access to arbitrary user operations, and rounding attacks.

At the same time, online banking apps, which customers were asked to download to seamlessly access banking services and products, were equally vulnerable to online threats. In 2015, 75 percent of banking apps on Android contained high-risk vulnerabilities compared to 33 percent of iOS apps.

Positive Technologies' report indicates that UK banks have taken measures to plug security holes in their online banking systems and apps and as a result, such systems are not as vulnerable to external threats as they were a couple of years ago.

For instance, compared to 90 percent in 2015, 56 percent of banking systems were found to contain high-risk vulnerabilities in 2017 and, on average, each web application contained 1.3 high-severity vulnerabilities compared to 4.2 in 2015. Despite such improvements, each e-banking system analysed in 2017 contained, on average, seven vulnerabilities, up from six in 2016, implying that banks focussed more on plugging the critical ones before shifting their focus to medium or low-risk flaws.

The report revealed that not a single banking system could demonstrate the absence of low-risk, medium-risk or high-risk vulnerabilities, that almost half (45 percent) of such systems contained medium-risk vulnerabilities and only a third of online banking systems were free of critical vulnerabilities in 2017.

A breakdown of vulnerabilities impacting the security of online banking systems revealed that 75 percent of these systems contained cross-site scripting flaws, 69 percent had insufficient protection from data interception, 63 percent had insufficient authorisation (high-risk), 50 percent were vulnerable to sensitive data disclosure, and 31 percent were vulnerable to software version disclosure. Other vulnerabilities included insufficient protection from brute-force attacks and insufficient process validation.

Considering only high-severity vulnerabilities in 2017, 63 percent of banking systems suffered from insufficient authorisation compared to 57 percent in 2016, 25 percent had two-factor authentication flaws compared to 71 percent in 2016, 19 percent had insufficient process validation compared to 14 percent in 2016, and 13 percent were vulnerable to arbitrary code execution compared to 14 percent in 2016.

A look at the security of web applications run by UK banks revealed a worrisome picture. 94 percent of them were vulnerable to unauthorised access to client personal information and confidential banking data, 75 percent were vulnerable to access to sensitive information and configuration data, 50 percent were vulnerable to fraudulent transactions and theft of funds, and 31 percent were vulnerable to DDoS attacks on user accounts.

The overall security of mobile banking apps wasn't much different to that of online systems, with 29 percent of all vulnerabilities being critical ones, 56 percent medium-risk and the rest of them being low-risk ones. In all, almost half (48 percent) of mobile banking apps had at least one critical vulnerability.

Positive Technologies found that iOS apps were less vulnerable than Android apps and server-side applications. While 63 percent of server-side apps and 56 percent of Android banking apps contained critical flaws, only 25 percent of iOS apps contained such flaws. However, iOS apps featured more medium-risk flaws (63 percent) compared to Android (44 percent) and server-side apps (12 percent).

The most common vulnerabilities found on the client side of mobile banking apps were insufficient protection from brute-force attacks (65 percent), insecure data storage (65 percent), arbitrary code execution (29 percent), insecure data transfer (12 percent), and insecure interprocess communication (six percent), the last three being critical ones.

If an intruder manages to exploit the arbitrary code execution flaw, "the intruder can obtain full control over the server; execute arbitrary code; read, delete, or change files on the server; escalate privileges, or cause denial of service. Such malicious actions can cause enormous damage to banks' reputation and bottom line," the firm warned.

Commenting on the findings of the report, Don Duncan, director at NuData Security, told SC Magazine UK that because of the omnichannel experience, cyber-criminals can jump to and from web and mobile applications, looking for the path of least resistance to commit fraud. This is the biggest risk point today, much more than desktop.

"While fewer critical vulnerabilities is good news, this doesn't mean customer accounts are protected. All the exposed data – due to the endless breaches – makes it easier to find working username and password combinations. Today, a fraudster doesn't need to break a system to access sensitive data. Most of the attacks' objective is to reach sensitive data they can profit from. Bad actors can easily get their hands on the customer data that breaches make available.

"One way for financial institutions to protect their customers' accounts – and, in turn, their business – is to implement security tools that don't rely on the data provided by the customer," he said.

He added that multi-layered solutions that include passive biometrics should help banks offer enhanced protection. Passive biometrics can monitor the user's inherent behaviour, such as how they type or hold the device, and create profiles that will be impossible for fraudsters to replicate.
