
Online banking report

by Mark Rowe

The percentage of critical vulnerabilities in online banks is falling each year, it’s claimed. According to Positive Technologies’ Financial Application Vulnerabilities Report, drawn from audits performed by the company, high-risk vulnerabilities were found on 90 percent of systems in 2015; by 2016, this number had dropped to 71 percent; and in 2017 it dropped further to 56 percent. Despite this encouraging trend, security shortcomings remain a menace for banks and clients, the software firm says.

Ultimately, 94 percent of online banks had vulnerabilities that criminals could use to obtain sensitive banking records and personal information.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said: “While 2017 brings hope that banking applications may actually become secure in the future, they still have a long, long way to go. We’ve seen many positive, across-the-board improvements in the security of both online, as well as mobile, banking applications. But, the bottom line is that clients’ personal information—not to mention the bank’s money—is still at risk.

“In 13 percent of applications, we found Arbitrary Code Execution vulnerabilities, which a hacker can exploit to gain full control over a bank’s server, with resulting reputational damage and financial losses for the bank. This is concerning.”

Almost half (48 percent) of mobile banking apps still contained at least one critical vulnerability. In 52 percent of cases, attackers could exploit vulnerabilities to decrypt, intercept, or brute-force accounts to access the mobile app or bypass authentication entirely. These actions would effectively give the attacker total control over the account of a legitimate user, according to the company.

Download the full report at https://www.ptsecurity.com/ww-en/premium/fin-vulnerabilities-2018/.

Comment

Don Duncan, director at NuData Security, a Mastercard Company, said: “Thanks to the omnichannel experience, users can jump to and from web and mobile applications. But fraudsters can do the same, looking for the path of least resistance to commit fraud, which is why now mobile fraud is growing. More than 50pc of the account takeover attacks across NuData clients come in via native apps and enterprise APIs. This is the biggest risk point today, much more than desktop. While fewer critical vulnerabilities is good news, this doesn’t mean customer accounts are protected. All the exposed data – due to the endless breaches – makes it easier to find working username and password combinations. Today, a fraudster doesn’t need to break a system to access sensitive data. Most of the attacks’ objective is to reach sensitive data they can profit from. Bad actors can easily get their hands on the customer data that breaches make available.

“One way for financial institutions to protect their customers’ accounts – and, in turn, their business – is to implement security tools that don’t rely on the data provided by the customer. Multi-layered solutions that include passive biometrics are providing enhanced account protection that doesn’t rely on static data. Passive biometrics monitors the user’s inherent behaviour such as how they type or hold the device – making this information impossible to steal or replicate by bad actors. This way, even if the static data has been stolen, decrypted, and ready to be used, bad actors can’t take over the account.”
