Critical Vulnerabilities Plague Online FIs & Mobile Banking Apps

The most common online bank vulnerabilities in 2017 were cross-site scripting.

Report shows major mobile banking security issues.

Two thirds of online financial institutions have at least one critical vulnerability, and half of mobile banking applications contain critical vulnerabilities, according to Positive Technologies’ “Financial Application Vulnerabilities Report.”

Positive Technologies, a global enterprise security firm, in announcing the findings of its annual report on the state of e-banking security, drawn from audits performed by the company, also revealed that the share of systems with critical vulnerabilities is falling each year: high-risk vulnerabilities were present in 90% of systems in 2015, 71% in 2016 and 56% in 2017. Despite this encouraging trend, security shortcomings remain a menace for financial institutions and accountholders.

Each e-banking system analyzed in 2017 contained, on average, seven vulnerabilities, up from six in 2016. High- and medium-risk vulnerabilities made up a smaller share of that total. Only a third of online banks were free of critical vulnerabilities in 2017, but in 2016 all financial web applications except one had at least one.

The most common online bank vulnerabilities in 2017 were cross-site scripting (75% of systems), which allows attackers to insert client-side scripts into web pages viewed by other users and bypass access controls, and poor protection from data interception (69%), which opens the door to attacks such as reading cookie values or stealing customer credentials. Over half of online financial institutions (63%) had “insufficient authorization,” a critical vulnerability that enables attackers to obtain unauthorized access to web application functionality intended for privileged users.
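To make the three vulnerability classes above concrete, here is an added example (not code from the report or from any bank application it audited) that shows each as a vulnerable pattern beside a hardened one: HTML-encoding untrusted input to prevent cross-site scripting, setting cookie attributes so a session token cannot be read by page scripts or sent over plaintext HTTP, and adding an object-level authorization check so a privileged read is limited to the account owner or a support role. The function names, the `session` shape and the in-memory `ACCOUNTS` table are all constructed for illustration.

```javascript
// Added example: three vulnerability classes from the report, vulnerable vs. hardened.
// All names and data below are constructed; nothing here comes from a real bank system.

// --- 1. Cross-site scripting: reflecting user input into an HTML page ---

// Vulnerable: untrusted `name` is concatenated straight into markup, so a value
// containing "<script>" becomes live markup in the victim's browser.
function greetingVulnerable(name) {
  return "<p>Welcome back, " + name + "</p>";
}

// Hardened: encode every character that has meaning in an HTML text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}
function greetingHardened(name) {
  return "<p>Welcome back, " + escapeHtml(name) + "</p>";
}

// --- 2. Data interception: session cookie attributes ---

// Vulnerable: no attributes, so the cookie is readable by page scripts (document.cookie)
// and is sent over unencrypted HTTP as well as HTTPS.
function sessionCookieVulnerable(token) {
  return "session=" + token;
}

// Hardened: HttpOnly keeps it out of script reach, Secure restricts it to HTTPS,
// SameSite=Strict stops it riding along on cross-site requests.
function sessionCookieHardened(token) {
  return "session=" + token + "; Secure; HttpOnly; SameSite=Strict; Path=/";
}

// --- 3. Insufficient authorization: privileged data reachable without an ownership check ---

// Constructed sample accounts: id -> owner and balance.
const ACCOUNTS = {
  "1001": { owner: "alice", balance: 250.0 },
  "1002": { owner: "bob", balance: 900.0 },
};

// Vulnerable: confirms the caller is logged in but never checks that the caller is
// allowed to see *this* account, so any authenticated user can read any statement.
function getStatementVulnerable(session, accountId) {
  if (!session || !session.user) throw new Error("not authenticated");
  const acct = ACCOUNTS[accountId];
  if (!acct) throw new Error("forbidden");
  return { accountId, balance: acct.balance };
}

// Hardened: object-level authorization. Only the owner, or a user holding the
// "support" role, may read. A missing account and a foreign account return the same
// error so the endpoint does not reveal which account ids exist.
function getStatementHardened(session, accountId) {
  if (!session || !session.user) throw new Error("not authenticated");
  const acct = ACCOUNTS[accountId];
  const isOwner = !!acct && acct.owner === session.user;
  const isSupport = Array.isArray(session.roles) && session.roles.includes("support");
  if (!acct || (!isOwner && !isSupport)) throw new Error("forbidden");
  return { accountId, balance: acct.balance };
}
```

The authorization check is deliberately placed next to the data lookup rather than in a separate middleware layer: the report's "insufficient authorization" finding is typically a handler that was authenticated at the front door but never asked whether the caller may touch the specific object requested.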

Ultimately, 94% of online financial institutions had vulnerabilities that criminals could use to obtain sensitive banking records and personal information.

“While 2017 brings hope that banking applications may become secure in the future, they still have a long, long way to go,” said Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. “We’ve seen many positive, across-the-board improvements in the security of both online, as well as mobile banking applications. But, the bottom line is that clients’ personal information—not to mention the bank’s money—is still at risk.”

Galloway added: “In 13 percent of applications, we found arbitrary code execution vulnerabilities, which a hacker can exploit to gain full control over a bank’s server, with resulting reputational damage and financial losses for the bank. This is concerning.”

The situation with mobile banking apps is similar. Forty-eight percent of mobile banking apps still contained at least one critical vulnerability. In 52% of cases, attackers could exploit vulnerabilities to decrypt or intercept credentials, brute-force accounts to access the mobile app, or bypass authentication entirely, effectively giving the attacker control over a legitimate user’s account.

The proportion of high-risk (29% vs. 32% in 2016) and medium-risk vulnerabilities (56% vs. 60% in 2016) fell year over year, so low-risk vulnerabilities made up a larger share of the total, a consequence of companies prioritizing fixes for critical vulnerabilities.

On average, iOS apps appear better protected than Android apps, even when created by the same financial institution. High-risk vulnerabilities on iOS accounted for only 25% of total vulnerabilities, compared to 56% on Android. In some cases, the iOS mobile app was free of vulnerabilities that were present in the corresponding Android app.

In 2016, in-house applications contained half as many vulnerabilities as commercially available platforms. In 2017 the situation reversed: out-of-the-box solutions contained fewer critical vulnerabilities. Vendors have started to pay more attention to security, whereas financial institutions still lack experienced developers and well-implemented secure software development lifecycle processes.

In addition to analyzing the security of applications, which almost all financial institutions do regularly, Positive Technologies’ experts also recommended auditing application source code. Such audits are necessary even for vendor-provided systems, since vulnerabilities can arise during deployment or through simple configuration errors. Preventive measures, such as a web application firewall, are necessary to provide temporary protection against exploitation until the vulnerabilities are fixed. Financial institutions must conduct ongoing security effectiveness checks as part of their remediation processes.

For financial organizations that write their own apps, Positive Technologies suggested that the key is to pay more attention to security at the early stages and to continue doing so throughout design, requirements setting, and development.