Today, Positive Technologies published its research findings from an e-banking study it conducted between 2011 and 2012. The research focused on investigating a variety of security vulnerabilities within widely used retail (consumer) banking applications and systems. As part of the analysis, we executed security assessments for several of the largest banks in Russia; more than 70% of the systems assessed were used for retail internet transactions.
According to the report, it is possible to access the key OS and DBMS (database management system) components of one out of every three systems analyzed. In a number of instances, acting as an intruder, we were able to take control of the system, which allowed us to execute unauthorized online transactions, trigger denial of service and even withdraw money from accounts that are not set up for e-banking. In fact, we successfully executed unauthorized transactions on 37% of the e-banking systems in the study.
Further testing revealed that high-risk vulnerabilities were present in one out of every two systems. However, this does not automatically mean that the other 50% of systems can adequately protect your assets. A few medium-risk vulnerabilities are all that an intruder might need to execute fraudulent transactions, and we found such vulnerabilities in every system under examination.
A historically common problem with internet banking applications is weak user authentication, including poor password policies and a lack of protection against brute-force attacks. An overwhelming 82% of the systems tested exhibited such problems, and some 60% of these were found to have at least one flaw in how user IDs are identified: a predictable ID format, or ID information that could be obtained from the system itself. Moreover, 80% of the systems exhibited at least one problem with authenticating users, with some lacking multi-factor authentication when completing a transaction. While the absence of a second factor does not threaten the system by itself, an intruder can combine several such weaknesses to gain unauthorized access to accounts.
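To make the combination of weaknesses concrete from the defender's side, here is an added example (not code from the study or from any bank's system) contrasting a login check that leaks which customer IDs exist and never limits guesses with one that answers uniformly and caps failed attempts per ID. The account data, salt and ID format are constructed for illustration.

```python
"""Vulnerable vs. hardened login checks: user-ID enumeration and brute-force limits."""
import hashlib
import hmac

# Constructed sample accounts (hypothetical). Customer IDs are sequential digits,
# the kind of predictable format the study flags as an identification weakness.
_SALT = b"constructed-salt"


def _h(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


ACCOUNTS = {"10000001": _h("correct horse"), "10000002": _h("hunter2")}
_DUMMY = _h("dummy")  # used so unknown IDs cost the same work as known ones


def login_vulnerable(user_id: str, password: str) -> str:
    """Distinct messages reveal whether an ID exists, and nothing limits attempts."""
    if user_id not in ACCOUNTS:
        return "unknown user"
    if not hmac.compare_digest(ACCOUNTS[user_id], _h(password)):
        return "wrong password"
    return "ok"


MAX_ATTEMPTS = 5
_failures: dict = {}  # per-ID count of consecutive failed logins


def login_hardened(user_id: str, password: str) -> str:
    """Uniform failure message, equal work for unknown IDs, per-ID attempt cap."""
    if _failures.get(user_id, 0) >= MAX_ATTEMPTS:
        return "locked"  # refused until an out-of-band reset, even if the password is right
    candidate = _h(password)  # always hash, so timing does not reveal ID existence
    stored = ACCOUNTS.get(user_id, _DUMMY)
    if hmac.compare_digest(stored, candidate) and user_id in ACCOUNTS:
        _failures.pop(user_id, None)
        return "ok"
    _failures[user_id] = _failures.get(user_id, 0) + 1
    return "invalid credentials"  # same answer for a bad ID and a bad password
```

A hard per-ID lockout can itself be abused to lock legitimate customers out, so production systems usually throttle (progressive delays, additional challenges) rather than lock outright; the example keeps the simplest form to show the principle.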
Through this investigation, our experts uncovered that more vulnerabilities and exposures exist in popular, off-the-shelf commercial applications than in those that were developed in-house by the bank. In fact, we found that the commercial applications contain up to four times as many weaknesses as their home-grown counterparts.
Moreover, only the commercial applications contained critical vulnerabilities in their code. Such applications are usually cross-platform, employ a complex architecture and have many functions, all of which make them difficult to write securely.
Our skilled technicians at Positive Research would like to stress that a single security audit of an e-banking system at deployment time is not enough. To assure security, regular, ongoing system checks should be performed. Consider this: systems already in operation exhibited almost one and a half times as many vulnerabilities as similar systems that were just being put into production. These new vulnerabilities arise over time from incorrect configurations, inadequate authentication methods and errors within the application source code.