Who can you really bank on?

Those who rely on their online bank to keep their money safe might be alarmed to hear that last year 54% of these institutions allowed attackers to steal money. And their customer data may be equally at risk.

In its recent report, 'Vulnerabilities in online banking applications', Positive Technologies' experts assessed the security levels of online banks in 2018 and found that 54% allowed attackers to steal money. Equally concerning is that all online banks carry the risk of unauthorised access to personal data and other sensitive information, according to the findings.

The analysis shows that most online banks are worryingly exposed. "A security assessment of online banks revealed that every reviewed system contained vulnerabilities that could have major consequences if exploited. For instance, fraudulent transactions and theft of funds were possible in 54 per cent of applications," says the company.

The threat of unauthorised access to client information and sensitive company information, such as account statements or the payment orders of other users, was present in every online bank studied, and, in some cases, vulnerabilities allowed hackers to attack the bank's corporate network.

According to Positive Technologies' experts, the average price of an online banking user's data on the dark web is $22. Additionally, the analysis showed that 77% of online banks had security flaws in their two-factor authentication mechanisms.

Positive Technologies' cybersecurity resilience lead Leigh-Anne Galloway comments that some online banks do not use one-time passwords for critical operations (such as authentication), or allow old passwords, which are more likely to have been compromised. Experts believe this is because banks are trying to strike a balance between security and ease of use.

"Foregoing security measures in favour of customer convenience increases the risk of fraud," she states. "If there's no need to confirm a transaction with a one-time password, the attacker no longer requires access to the victim's smartphone, and an old password increases the chances of it being brute forced. With no limit applied to it, a one-time password of four symbols can be cracked within two minutes."
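To make the point about attempt limits concrete, here is an added example (not code from Positive Technologies or any bank) of a server-side one-time password verifier. With `max_attempts=None` it reproduces the weakness Galloway describes, where a four-digit code can be enumerated outright; with a small attempt cap and an expiry it cannot. The cap and lifetime values are assumed policy choices, not figures from the report.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4  # the "four symbols" case: only 10,000 possible codes


class OtpVerifier:
    """Server-side OTP check. max_attempts=None models the unlimited-retry
    weakness; a small cap plus a short lifetime is the corrected setting
    (assumed policy values: 5 attempts, 120 s)."""

    def __init__(self, max_attempts=5, ttl_seconds=120, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}  # user -> [code, issued_at, failed_attempts]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user] = [code, self.clock(), 0]
        return code

    def verify(self, user, guess):
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, issued_at, failures = entry
        expired = self.clock() - issued_at > self.ttl
        locked = self.max_attempts is not None and failures >= self.max_attempts
        if expired or locked:
            del self.pending[user]  # discard the code; the user must request a new one
            return False
        if hmac.compare_digest(code, guess):  # constant-time comparison
            del self.pending[user]  # single use: a code is never accepted twice
            return True
        entry[2] += 1  # count the failure towards the lockout
        return False


def enumeration_outcome(verifier, user):
    """Feed every possible code to the verifier and report
    (code_accepted, guesses_made); stops once the verifier discards the code."""
    verifier.issue(user)
    guesses = 0
    for n in range(10 ** OTP_DIGITS):
        if user not in verifier.pending:
            break
        guesses += 1
        if verifier.verify(user, f"{n:0{OTP_DIGITS}d}"):
            return True, guesses
    return False, guesses
```

Against the uncapped verifier `enumeration_outcome` always recovers the code; against the capped one the verifier discards the code after the allowed number of failures, so at most six guesses are ever evaluated.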

READY-MADE PROVES UNREADY
As well as issues of authentication, comparative analysis showed that ready-made solutions developed by vendors had three times fewer vulnerabilities than those developed in-house. The number of vulnerabilities in test and production systems, on the other hand, was equal.

Statistics suggest that, in 2018, both types of system in most cases contained at least one critical vulnerability. Experts think that, once developers have had a system's security tested, they tend to postpone further analysis after changes have been made to the code, causing vulnerabilities to 'accumulate'. This means that, before long, the number of flaws is back to the level found during initial testing.

The main positive trend to emerge regarding the security of online financial applications in 2018 was the reduction of high-risk vulnerabilities in the total number of all flaws identified. According to Positive Technologies' specialists, "the percentage of critical vulnerabilities dropped by more than half, compared to the previous year - from 32% in 2017 to 15% in 2018". However, the overall security level of online banks remains low - and that has to change fast.