In its recent report ‘Vulnerabilities in online banking applications’, Positive Technologies experts assessed the security levels of online banks in 2018, and found that 54 percent allowed attackers to steal money. In addition to this, all online banks carry the risk of unauthorized access to personal data and other sensitive information.
The analysis by Positive Technologies experts shows that most online banks contain critical vulnerabilities. A security assessment of online banks revealed that every reviewed system contained vulnerabilities that could have major consequences if exploited. For instance, fraudulent transactions and theft of funds were possible in 54 percent of applications.
The threat of unauthorized access to client data and sensitive company information, such as account statements or other users' payment orders, was present in every online bank studied, and in some cases vulnerabilities allowed attackers to reach the bank's corporate network. According to Positive Technologies experts, the data of an online banking user sells on the dark web for an average of $22.
Additionally, analysis showed that 77 percent of online banks had security flaws in their two-factor authentication mechanisms.
According to Positive Technologies cybersecurity resilience lead Leigh-Anne Galloway, some online banks do not require one-time passwords for critical operations (such as authentication), or accept previously used one-time passwords, which are more likely to have been compromised. Experts believe this is because banks want to strike a balance between security and ease of use.
"Foregoing security measures in favor of customer convenience increases the risk of fraud. If there's no need to confirm a transaction with a one-time password, the attacker no longer requires access to the victim's smartphone, and an old password increases the chances of it being brute-forced. With no limit applied to it, a one-time password of four symbols can be cracked within two minutes," Galloway said.
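The three controls the report says some banks omit (requiring a code for the sensitive operation, rejecting codes that have already been used, and capping the number of guesses) are all enforced on the server side of the verification step. The following is an added illustration, not code from Positive Technologies or from any bank: a small server-side OTP store in which each code is tied to one transaction, expires after a short window, is invalidated on first successful use, and is discarded after a fixed number of wrong guesses. The class and function names, the four-digit length (chosen to mirror the scenario in the quote), the 120-second lifetime, and the three-attempt cap are all assumptions made for the example.

```python
"""Server-side one-time-password verification with single use, expiry and an
attempt cap. Added example; not code from the report or any bank."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 4            # assumed: short code, as in the quoted scenario
OTP_TTL_SECONDS = 120     # assumed lifetime of an issued code
MAX_ATTEMPTS = 3          # assumed: code is discarded after this many wrong guesses


class OtpStore:
    """Holds issued codes keyed by the transaction they authorize."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested offline
        self._codes = {}          # txn_id -> {"digest": bytes, "issued": float, "attempts": int}

    def issue(self, txn_id):
        """Generate a fresh code for one transaction and store only its hash."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[txn_id] = {
            "digest": hashlib.sha256(code.encode()).digest(),
            "issued": self._now(),
            "attempts": 0,
        }
        return code  # delivered to the user out of band; never logged server-side

    def verify(self, txn_id, candidate):
        """Return True once, for the right code, within its lifetime and attempt budget."""
        rec = self._codes.get(txn_id)
        if rec is None:
            return False  # no code outstanding: never issued, already used, or locked out
        if self._now() - rec["issued"] > OTP_TTL_SECONDS:
            del self._codes[txn_id]  # expired codes are dropped, not retried
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(
            hashlib.sha256(candidate.encode()).digest(), rec["digest"]
        )
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            # Single use on success; on too many failures the code is invalidated
            # and the transaction must be restarted (fresh code, fresh budget).
            del self._codes[txn_id]
        return ok

    def outstanding(self, txn_id):
        """True while a code for this transaction can still be verified."""
        return txn_id in self._codes


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("transfer-0001")
    print("first use:", store.verify("transfer-0001", code))   # True
    print("replay:", store.verify("transfer-0001", code))      # False
```

Because failures against one transaction count down a per-code budget and the code is tied to that transaction, a guess made against the code space cannot be retried indefinitely, and a code that has already confirmed an operation cannot confirm a second one.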
The Vulnerabilities in Online Banks
Beyond authentication issues, comparative analysis showed that ready-made solutions developed by vendors had three times fewer vulnerabilities than systems developed in-house.
The number of vulnerabilities in test and production systems, on the other hand, is equal. Statistics show that in 2018 both types of systems in most cases contained at least one critical vulnerability. Experts think that once developers have had a system tested, they tend to postpone further analysis after changes are made to the code, so vulnerabilities "accumulate". This means that before long, the number of flaws is back to what was found during initial testing.
The main positive trend in the security of online financial applications in 2018 was the reduced share of high-risk vulnerabilities among all flaws identified. According to Positive Technologies specialists, the percentage of critical vulnerabilities dropped by more than half compared to the previous year, from 32 percent in 2017 to 15 percent in 2018. However, the overall security level of online banks remains low.