Online banking security improves but only a third are free of critical vulnerabilities
The percentage of critical vulnerabilities in online banking systems is falling, but two thirds of systems still contain at least one critical vulnerability, according to a new report.
Enterprise security specialist Positive Technologies has released its Financial Application Vulnerabilities Report, drawn from audits performed by the company.
It finds that each eBanking system analyzed in 2017 contained, on average, seven vulnerabilities, up from six in 2016. However, high- and medium-risk vulnerabilities made up a smaller portion of the total. Even so, only a third of online banks were free of critical vulnerabilities in 2017, whereas in 2016 all financial web applications (except one) had at least one.
The most common online bank vulnerabilities in 2017 are cross-site scripting (75 percent of systems) and poor protection from data interception (69 percent), allowing attacks such as reading cookie values or stealing customer credentials. Over half of online banks (63 percent) had 'insufficient authorization', a critical vulnerability that enables an attacker to obtain unauthorized access to web application functionality intended for privileged users.
Mobile banking apps show a similar picture. Almost half (48 percent) of mobile banking apps still contained at least one critical vulnerability. In 52 percent of cases, attackers could exploit vulnerabilities to decrypt, intercept, or brute-force account credentials to access the mobile app, or bypass authentication entirely. These actions would effectively give the attacker total control over the account of a legitimate user.
There's good news, though, in that here too the proportion of serious vulnerabilities has fallen year on year. This holds for both high-risk vulnerabilities (29 percent, compared to 32 percent in 2016) and medium-risk vulnerabilities (56 percent, as against 60 percent in 2016). Low-risk vulnerabilities became more dominant as a result of companies prioritizing fixes for critical vulnerabilities.
On average, iOS apps are better protected than Android apps, even when created by the same bank. High-risk vulnerabilities on iOS accounted for only 25 percent of total vulnerabilities, compared to 56 percent on Android. In some cases, the iOS mobile app was free of vulnerabilities that were present in the corresponding Android app.
"While 2017 brings hope that banking applications may actually become secure in the future, they still have a long, long way to go," says Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. "We've seen many positive, across-the-board improvements in the security of both online, as well as mobile, banking applications. But, the bottom line is that clients’ personal information -- not to mention the bank’s money -- is still at risk."
The full report is available to download from the Positive Technologies website.