In its recent report about the vulnerabilities in online banking applications, Positive Technologies experts assessed the security levels of online banks in 2018 and discovered that 54% allowed attackers to steal money. In addition to this, all online banks carry the risk of unauthorised access to personal data and other sensitive information.
The analysis by Positive Technologies experts shows that most online banks contain critical vulnerabilities. A security assessment of online banks revealed that every reviewed system contained vulnerabilities that could have major consequences if exploited. For instance, fraudulent transactions and theft of funds were possible in 54% of applications.
The threat of unauthorised access to client information and to sensitive company information, such as account statements or the payment orders of other users, was present in every online bank studied, and in some cases the vulnerabilities allowed hackers to attack the bank’s corporate network. According to Positive Technologies experts, the average price of an online banking user’s data on the dark web is US$22.
Additionally, analysis showed that 77% of online banks had security flaws in their two-factor authentication mechanisms.
According to Positive Technologies’ cybersecurity resilience lead, Leigh-Anne Galloway, some online banks do not use one-time passwords for critical operations (such as authentication), or allow old passwords which are more likely to be compromised. Experts believe this is because banks want to strike the right balance between security and comfort of use.
“Foregoing security measures in favour of customer convenience increases the risk of fraud. If there’s no need to confirm a transaction with a one-time password, the attacker no longer requires access to the victim’s smartphone, and an old password increases the chances of it being brute-forced. With no limit applied to it, a one-time password of four symbols can be cracked within two minutes,” Galloway commented.
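The weakness Galloway describes is an online guessing attack against a short OTP that the server never stops accepting guesses for. The following is an added example, not code from the report or from any bank discussed in it, of the server-side controls that close that gap: a hard cap on failed attempts per challenge, a short validity window, single use, and a constant-time comparison. All names (`OtpVerifier`, `issue`, `verify`) and the default limits are hypothetical choices for the illustration; the clock is injectable so the expiry path can be exercised without waiting.

```python
"""Attempt-limited, time-limited one-time-password (OTP) verifier.

Added example (not from the Positive Technologies report or any bank's
code). Names, defaults and the "operation_id" keying are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class OtpChallenge:
    """State for one outstanding OTP tied to one critical operation."""
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class OtpVerifier:
    def __init__(self, max_attempts=3, ttl_seconds=120, digits=6, clock=time.monotonic):
        self.max_attempts = max_attempts   # failed guesses allowed per challenge
        self.ttl_seconds = ttl_seconds     # validity window of a code
        self.digits = digits               # length of the numeric code
        self.clock = clock                 # injectable for testing expiry
        self._challenges = {}              # operation_id -> OtpChallenge

    def issue(self, operation_id: str) -> str:
        """Generate a fresh random code for an operation (e.g. a transfer).
        In production the code is delivered out of band; it is returned
        here only so the caller (or a test) can exercise verify()."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._challenges[operation_id] = OtpChallenge(code=code, issued_at=self.clock())
        return code

    def verify(self, operation_id: str, submitted: str) -> str:
        """Return one of: ok, wrong, locked, expired, consumed, no_challenge."""
        challenge = self._challenges.get(operation_id)
        if challenge is None:
            return "no_challenge"
        if challenge.consumed:
            return "consumed"            # a code is accepted exactly once
        if self.clock() - challenge.issued_at > self.ttl_seconds:
            del self._challenges[operation_id]
            return "expired"             # guessing cannot continue past the window
        if challenge.attempts >= self.max_attempts:
            return "locked"              # cap reached: even the right code is refused
        challenge.attempts += 1
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            challenge.consumed = True
            return "ok"
        if challenge.attempts >= self.max_attempts:
            return "locked"
        return "wrong"


def online_guess_success_probability(digits: int, allowed_attempts: int) -> float:
    """Chance that an attacker guesses a uniformly random numeric OTP within
    the attempts the server permits. With no cap this tends to 1.0, which is
    the situation the quote describes; with a cap of 3 on a 4-digit code it
    is 0.0003 per challenge."""
    space = 10 ** digits
    return min(allowed_attempts, space) / space
```

The attempt cap is the control that matters most: once the server refuses further guesses per challenge, code length stops being the deciding factor, and the lockout event itself is a useful signal to alert on for a given account or operation.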
The vulnerabilities in online banks
Beyond authentication issues, comparative analysis showed that ready-made solutions developed by vendors had three times fewer vulnerabilities than those developed in-house.
The number of vulnerabilities in test and production systems, on the other hand, was equal. Statistics show that in 2018 both types of systems in most cases contained at least one critical vulnerability. Experts think that after developers have tested a system once, they tend to postpone further analysis after changes are made to the code, causing vulnerabilities to ‘accumulate’. This means that before long, the number of flaws is the same as that found during initial testing.

The main positive trend in the security of online financial applications in 2018 was the reduction of high-risk vulnerabilities as a share of all flaws identified. According to Positive Technologies specialists, the percentage of critical vulnerabilities dropped by more than half compared to the previous year – from 32% in 2017 to 15% in 2018. However, the overall security level of online banks remains low.