Are the world’s top 100 banks secure from cyber criminals and hackers? According to ImmuniWeb’s recent report, State of Application Security at World’s 100 Largest Banks, the answer is no. It claims that “97 out of 100 largest banks are vulnerable to web and mobile attacks enabling hackers to steal sensitive data.”
According to Ilia Kolochenko, CEO and Founder of ImmuniWeb: “Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security.
“Most of the data breaches involve or start with insecure web and mobile apps that are too frequently underprioritized by the future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low-hanging fruit for cybercriminals.”
Key findings from the research
The key findings from the research are disturbing. They paint a picture of an industry that still fails to understand how to secure software. They also show that banks are still failing when it comes to regulation, compliance and industry standards. This also turns the spotlight back on to regulators who should consider their role in security audits and testing of banking IT systems.
Two of the main areas are:
Compliance
The tests looked at how well the banks met PCI DSS and GDPR requirements. The results were a simple pass/fail for each site tested.
| | PCI DSS Pass | PCI DSS Fail | GDPR Pass | GDPR Fail |
|---|---|---|---|---|
| Main website | 62 | 38 | 39 | 61 |
| Subdomains | 887 | 1479 | 285 | 2081 |
| E-banking websites | 53 | 49 | 17 | 85 |
As the table above shows, the failures are significant. The vast majority of these banks fail to meet the requirements of GDPR. With data protection regulators across Europe, the UK’s ICO among them, now warming to an era of high fines, albeit small so far by comparison to other recent fines for the sector, banks need to get their act together. They continually try to position themselves as “trusted” organisations. It is clear from this research that this is something that cannot be taken for granted.
Yesterday, Enterprise Times emailed Jeremy King, the International Director – Europe at the PCI Security Standards Council. We wanted to know how so many banking organisations could fail to meet the PCI DSS standard and what actions the Council could take as a result of this report. So far, we have had nothing back. We will update this story if and when he responds.
Irrespective of King’s response, there are major issues here for the banks. PCI DSS is the key compliance measure for handling payment cards. There are already issues with how card providers are failing to help SMEs meet its requirements. However, to have major banks failing is a more serious concern.
Website security
Only 3 main banking websites gained an A+ for SSL/TLS encryption and website security. The remainder had some degree of issue or vulnerability detected. Worryingly, 5 had exploitable and publicly known vulnerabilities (grade F), while 31 had a mix of vulnerabilities and serious misconfigurations (grade C). The remainder need to review their security hardening and deal with minor issues.
The testing was not just about the main websites. ImmuniWeb identified 2,366 subdomains belonging to the banks. While 2% got an A+, 70% received either a C (59.5%) or an F (10.9%). In some cases, the subdomains appear to have been completely forgotten about. While some will see this as just an asset management issue, it is far more than that. These sites could become lucrative targets for cyber criminals and be used to steal banking details or distribute malware.
E-banking websites were just as poorly secured. Only 15% got an A+, while 40% got a C and 7% got an F.
Enterprise Times: What does this mean
The tests show a remarkable lack of competent security from an industry that is one of the most targeted by cyber gangs and hackers. There is no excuse for poor asset management, known vulnerabilities and serious misconfigurations. It shows that internal security audits and testing need a root and branch review at many financial institutions. Importantly, it shows that regulators need to do much more to ensure that banks meet their obligations.
This week we have seen the UK ICO hand out very large fines to British Airways and Marriott International for data breaches. If banks think that they are immune from such action, they should think again. This is the sort of historical data and test evidence that regulators are likely to look for when dealing with any data breach. Those banks with poor security need to invest heavily in fixing their problems and do so quickly.
As an example of how poor security is, the oldest unpatched vulnerability found was publicly disclosed in 2011. A proper patching process is not optional, and if ImmuniWeb can find these vulnerabilities, so can cyber gangs.
We have pulled out just a few things from the report. The report is now live on the ImmuniWeb website.