Banks are among the biggest profit-makers in the world and can afford the best in cybersecurity among private sector firms.
But security vendor ImmuniWeb says too many of the websites and mobile apps of the world’s biggest financial institutions have vulnerabilities when measured by the free version of its tools.
Among the highlights of the tests done against sites and apps of 100 institutions in 22 countries:
- Seven e-banking web applications had known and exploitable vulnerabilities;
- The oldest unpatched vulnerability found had been publicly disclosed since 2011;
- All of the banks had security vulnerabilities or issues related to forgotten subdomains;
- 85 e-banking web applications failed ImmuniWeb’s GDPR compliance test;
- 49 e-banking web applications failed the test suite’s PCI DSS compliance test;
- 25 e-banking web applications weren’t protected by a Web Application Firewall;
- 92 per cent of 55 mobile banking applications tested contained at least one medium-risk security vulnerability, while 20 per cent contained at least one high-risk security vulnerability.
The report described these particular findings as “disturbing”.
Overall, the results led ImmuniWeb to conclude that 97 per cent of the largest banks are vulnerable to web or mobile attacks.
The study, released Wednesday, shows “even the largest financial institutions do not have up-to-date holistic, comprehensive visibility across their assets,” said ImmuniWeb CEO Ilia Kolochenko. “In our experience financial institutions usually invest quite a bit of resources to maintain their cyber security compared to other industries.” But, he added, “in certain financial institutions we definitely observe a shift from practical cyber security to [meeting] compliance only.”
The study of the biggest global financial institutions as rated by Standard & Poor’s — including five Canadian banks — was released Wednesday by Geneva-based ImmuniWeb, which sells asset inventory, application monitoring and penetration testing tools.
The non-invasive tests were done using the free version of the company’s suite of tools. Examined and scored were the institutions’ main websites, over 2,300 of their sub-domains, 102 e-banking web applications, 55 mobile banking apps and 298 back-end APIs of the mobile banking applications.
The tests scored these assets for SSL security, website security, mobile app security and phishing. A server starts with a score of 100, and points are then deducted for problems — for example, for not complying with PCI, HIPAA or NIST guidelines.
Other experts and vendors might have scored or measured sites and applications differently, resulting in different rankings.
In the ImmuniWeb rankings only four of the 100 bank websites had a score of A+ (not a single issue or misconfiguration found). Forty had “minuscule” issues, and another 20 had several minor issues. However, 31 had security vulnerabilities or several serious misconfigurations, and five had exploitable and publicly known security vulnerabilities.
Security of sub-domains was worse: of the 2,366 sub-domains studied, over half (1,408) had security vulnerabilities or several serious misconfigurations.
Of the 102 e-banking websites, 40 had security vulnerabilities or several serious misconfigurations.
The 55 mobile banking apps were tested for meeting the Open Web Application Security Project (OWASP) top 10 security and privacy issues. All had at least one low-risk security vulnerability, 92 per cent had at least one medium-risk security vulnerability and 20 per cent had at least one high-risk security vulnerability.
CISOs have to ensure there is visibility across all hardware and software assets, Kolochenko said, followed by continuous security monitoring.