Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

// // //
7/10/2019
07:50 AM
Larry Loeb
Larry Loeb
Larry Loeb

Research Shows Top Banks Failing in Security, Privacy & Compliance

Apart from that, it's all going swimmingly.

ImmuniWeb, a player in the European penetration testing market, has conducted some research on the world's 100 top banksas listed by S&P Global. That list contains financial organizations from 22 countries. The research looked at application security, privacy and compliance at these financial institutions.

As far as compliance goes, the research found that:

  • 85 e-banking web applications failed the GDPR compliance test.
  • 49 e-banking web applications failed the PCI DSS compliance test/
  • 25 e-banking web applications are not protected by a Web Application Firewall.

PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version (v.3.2.1) of the standard.

GDPR compliance testing covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation.

Non-intrusive Software Composition Analysis (SCA) of Open Source Software (OSS) verified fingerprinted software versions for publicly disclosed vulnerabilities from OWASP Top 10 list.

Only three main websites out of the 100 had the highest grades "A+" both for SSL encryption and website security. Those sites were www.credit-suisse.com (Switzerland), www.danskebank.com (Denmark) and www.handelsbanken.se (Sweden).

As far as the main (www.) websites were concerned, each website contains on average two different web software components, JS libraries, frameworks or other third-party code.

As many as 29 websites contain at least one publicly disclosed and unpatched security vulnerability of a medium or high risk. The oldest unpatched vulnerability detected during the research is CVE-2011-4969 impacting jQuery 1.6.1 and known since 2011.

The most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).

As far as subdomains go, 81% of the subdomains that contain fingerprintable external software have outdated components. Also, 2% contained publicly disclosed and exploitable vulnerability of medium or high risk.

As few as eight banks seem not to use an external Web Application Firewall or use a WAF in a permissive monitoring-only mode, thus not blocking any web attacks in real time.

They looked at five mobile banking applications allowing access to sensitive banking data. In total, these mobile apps communicated with 298 backend APIs to send or receive data from the bank.

The results showed that 100% of mobile banking applications contained at least one low-risk security vulnerability, 92% of mobile banking applications contained at least one medium-risk security vulnerability, and 20% of mobile banking applications contain at least one high-risk security vulnerability.

Ilia Kolochenko, CEO and founder of ImmuniWeb, says: "Given the non-intrusive methodology of our research, as well as important financial resources available to the banks, the findings urge financial institutions to rapidly revise and enhance their existing approaches to application security. Nowadays, most of the data breaches involve insecure web or mobile apps, importance of which is frequently underestimated by the future victims."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37770
PUBLISHED: 2022-06-30
Nucleus CMS v3.71 is affected by a file upload vulnerability. In this vulnerability, we can use upload to change the upload path to the path without the Htaccess file. Upload an Htaccess file and write it to AddType application / x-httpd-php.jpg. In this way, an attacker can upload a picture with sh...
CVE-2021-37778
PUBLISHED: 2022-06-30
There is a buffer overflow in gps-sdr-sim v1.0 when parsing long command line parameters, which can lead to DoS or code execution.
CVE-2013-4146
PUBLISHED: 2022-06-30
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-3414. Reason: This candidate is a duplicate of CVE-2012-3414. Notes: All CVE users should reference CVE-2012-3414 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental u...
CVE-2013-4170
PUBLISHED: 2022-06-30
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to ...
CVE-2021-41506
PUBLISHED: 2022-06-30
Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R...