Application security at the 100 largest banks; 97 vulnerable to web & mobile attacks

News by SC Staff

Research by ImmuniWeb found that 97 of the 100 largest banks are vulnerable to web and mobile attacks that would let attackers steal sensitive data.

The application security market is predicted to exceed US$7 billion (£5.6 billion) by 2023 according to recent research by Forrester.

ImmuniWeb's recent research report into the sector looks at application security, privacy and compliance at the world's largest financial institutions from the S&P Global list for 2019, and concludes that security is lacking in several key areas across a wide range of organisations.

Several of the key findings from the report are reproduced here:

Compliance:

  • 85 e-banking web applications failed GDPR compliance test

  • 49 e-banking web applications failed PCI DSS compliance test.

  • 25 e-banking web applications are not protected by a Web Application Firewall

Security vulnerabilities:

  • Seven banking web applications contain known and exploitable vulnerabilities

  • The oldest unpatched vulnerability has been known and publicly disclosed since 2011

  • 92 percent of mobile banking applications contain at least one medium-risk security vulnerability

  • 100 percent of the banks have security vulnerabilities or issues related to forgotten subdomains

Diagram 1*: Number of banks by region

The following external assets and applications were tested:

Tested Assets | Quantity
Main websites ("www.") | 100
Subdomains | 2366
E-banking web applications | 102
Mobile banking applications | 55
Backend APIs of the mobile banking applications | 298

Security, privacy and compliance tests covered:

PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version (v3.2.1) of the standard. GDPR compliance testing covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation. Non-intrusive Software Composition Analysis (SCA) of Open Source Software (OSS) checked fingerprinted software versions against publicly disclosed vulnerabilities from the OWASP Top 10 list.

Website security

Only three main websites out of 100 had the highest grade, "A+", for both SSL encryption and website security:

  • www.credit-suisse.com (Switzerland): A+

  • www.danskebank.com (Denmark): A+

  • www.handelsbanken.se (Sweden): A+

Below are website security grades for the main websites:

Diagram 2: Website security of main websites

Grade | Quantity | Brief explanation
A+ | 4 | No single issue or misconfiguration found
A | 40 | Minuscule issues found or slightly insufficient security hardening
B | 20 | Several minor issues or insufficient security hardening
C | 31 | Security vulnerabilities or several serious misconfigurations found
F | 5 | Exploitable and publicly known security vulnerabilities found

Below are website security grades for the subdomains:

Diagram 3: Website security of subdomains

Grade | Quantity | Brief explanation
A+ | 58 | No single issue or misconfiguration found
A | 310 | Minuscule issues found or slightly insufficient security hardening
B | 332 | Several minor issues or insufficient security hardening
C | 1408 | Security vulnerabilities or several serious misconfigurations found
F | 258 | Exploitable and publicly known security vulnerabilities found

Below are website security grades for the e-banking web applications:

Diagram 4: Website security of e-banking web applications

Grade | Quantity | Brief explanation
A+ | 15 | No single issue or misconfiguration found
A | 27 | Minuscule issues found or slightly insufficient security hardening
B | 13 | Several minor issues or insufficient security hardening
C | 40 | Security vulnerabilities or several serious misconfigurations found
F | 7 | Exploitable and publicly known security vulnerabilities found

SSL/TLS encryption security

Below are SSL/TLS encryption security grades for the main websites:

Diagram 5: SSL security of main websites

Grade | Quantity | Brief explanation
A+ | 25 | No single issue or misconfiguration found
A | 54 | Minuscule issues found or slightly insufficient encryption hardening
B | 7 | Several minor issues or insufficient encryption hardening
C | 1 | Security vulnerabilities or several serious misconfigurations found
F | 13 | No encryption, SSLv3 or exploitable security vulnerabilities found

Below are SSL/TLS encryption security grades for the subdomains:

Diagram 6: SSL security of subdomains

Grade | Quantity | Brief explanation
A+ | 354 | No single issue or misconfiguration found
A | 1150 | Minuscule issues found or slightly insufficient encryption hardening
B | 333 | Several minor issues or insufficient encryption hardening
C | 174 | Security vulnerabilities or several serious misconfigurations found
F | 355 | No encryption, SSLv3 or exploitable security vulnerabilities found

Below are SSL/TLS encryption security grades for the e-banking web applications:

Diagram 7: SSL security of e-banking web applications

Grade | Quantity | Brief explanation
A+ | 29 | No single issue or misconfiguration found
A | 50 | Minuscule issues found or slightly insufficient encryption hardening
B | 15 | Several minor issues or insufficient encryption hardening
C | 6 | Security vulnerabilities or several serious misconfigurations found
F | 2 | No encryption, SSLv3 or exploitable security vulnerabilities found

Phishing campaigns

The research also detected 29 active phishing campaigns targeting customers of the financial institutions. The most targeted banks are listed below:

Website | Active Phishing Campaigns | Total Phishing Campaigns
jpmorganchase.com | 3 | 227
bankofamerica.com | 8 | 179
wellsfargo.com | 7 | 185

Phishing websites either spread banking malware aimed at stealing e-banking credentials or present fraudulent login forms aimed at stealing victims' credentials. Most of the malicious websites were hosted in the US. In addition, there were about 6500 cyber-squatted domains of an illicit, fraudulent or potentially deceptive nature. Over 32 percent of cyber-squatting websites are accessible over HTTPS with a valid SSL certificate.

The most popular Certificate Authorities (CAs) among them are:

  • Google Internet Authority G3 (47%)

  • COMODO RSA Domain Validation Secure Server CA (26%)

  • Let's Encrypt Authority X3 (9.7%)

Over 80 percent of all squatted domains had at least one website related to Bitcoin or other cryptocurrencies. Brand misuse also happens on social networks, mostly on Facebook and Twitter.

Ilia Kolochenko, CEO and founder of ImmuniWeb, offered the following advice: "Most of the data breaches involve insecure web or mobile apps, the importance of which is frequently underestimated by the future victims. Recent BA's £183 million fine for a website data breach clearly illustrates the point. Application security frequently suffers a lot. Eventually, these companies become a low-hanging fruit for pragmatic and profit-oriented cyber-criminals."

Recommendations from ImmuniWeb include:

1. Consider implementing Gartner's CARTA strategy to enhance your cyber-security strategy.

2. Maintain a holistic and up-to-date inventory of the assets in your external attack surface, identify all software and its components used there, and run actionable security scoring on it to enable threat-aware and risk-based remediation.

3. Implement continuous security monitoring of your external attack surface, test your new code before and after deployment to production, and start implementing a DevSecOps approach to your application security.

4. Consider leveraging Machine Learning and AI capacities to handle time-consuming and routine processes, freeing up your security personnel for more important tasks.

Suggested reading: "4 Practical Questions to Ask Before Investing in AI".

* Diagram numbering as per original report.

** Illustration by Jonathunder - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=576599
