The percentage of critical vulnerabilities in online banks is falling each year, it’s claimed. According to Positive Technologies’ Financial Application Vulnerabilities Report, drawn from audits performed by the company, high-risk vulnerabilities were found on 90 percent of systems in 2015; by 2016 this number had dropped to 71 percent, and in 2017 it dropped further to 56 percent. Despite this encouraging trend, security shortcomings remain a menace for banks and their clients, the software firm says.
Ultimately, 94 percent of online banks had vulnerabilities that criminals could use to obtain sensitive banking records and personal information.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said: “While 2017 brings hope that banking applications may actually become secure in the future, they still have a long, long way to go. We’ve seen many positive, across-the-board improvements in the security of both online, as well as mobile, banking applications. But, the bottom line is that clients’ personal information – not to mention the bank’s money – is still at risk.
“In 13 percent of applications, we found Arbitrary Code Execution vulnerabilities, which a hacker can exploit to gain full control over a bank’s server, with resulting reputational damage and financial losses for the bank. This is concerning.”
Almost half (48 percent) of mobile banking apps still contained at least one critical vulnerability. In 52 percent of cases, attackers could exploit vulnerabilities to decrypt, intercept, or brute-force accounts to access the mobile app or bypass authentication entirely. These actions would effectively give the attacker total control over the account of a legitimate user, according to the company.
Download the full report at https://www.ptsecurity.com/ww-en/premium/fin-vulnerabilities-2018/.
Comment
Don Duncan, director at NuData Security, a Mastercard Company, said: “Thanks to the omnichannel experience, users can jump to and from web and mobile applications. But fraudsters can do the same, looking for the path of least resistance to commit fraud, which is why mobile fraud is now growing. More than 50 percent of the account takeover attacks across NuData clients come in via native apps and enterprise APIs. This is the biggest risk point today, much more than desktop. While fewer critical vulnerabilities is good news, this doesn’t mean customer accounts are protected. All the exposed data – due to the endless breaches – makes it easier to find working username and password combinations. Today, a fraudster doesn’t need to break a system to access sensitive data. Most of the attacks’ objective is to reach sensitive data they can profit from. Bad actors can easily get their hands on the customer data that breaches make available.
“One way for financial institutions to protect their customers’ accounts – and, in turn, their business – is to implement security tools that don’t rely on the data provided by the customer. Multi-layered solutions that include passive biometrics are providing enhanced account protection that doesn’t rely on static data. Passive biometrics monitors the user’s inherent behaviour, such as how they type or hold the device – making this information impossible to steal or replicate by bad actors. This way, even if the static data has been stolen, decrypted, and is ready to be used, bad actors can’t take over the account.”