Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

7/10/2019
07:50 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Research Shows Top Banks Failing in Security, Privacy & Compliance

Apart from that, it's all going swimmingly.

ImmuniWeb, a player in the European penetration testing market, has conducted some research on the world's 100 top banksas listed by S&P Global. That list contains financial organizations from 22 countries. The research looked at application security, privacy and compliance at these financial institutions.

As far as compliance goes, the research found that:

  • 85 e-banking web applications failed the GDPR compliance test.
  • 49 e-banking web applications failed the PCI DSS compliance test/
  • 25 e-banking web applications are not protected by a Web Application Firewall.

PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version (v.3.2.1) of the standard.

GDPR compliance testing covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation.

Non-intrusive Software Composition Analysis (SCA) of Open Source Software (OSS) verified fingerprinted software versions for publicly disclosed vulnerabilities from OWASP Top 10 list.

Only three main websites out of the 100 had the highest grades "A+" both for SSL encryption and website security. Those sites were www.credit-suisse.com (Switzerland), www.danskebank.com (Denmark) and www.handelsbanken.se (Sweden).

As far as the main (www.) websites were concerned, each website contains on average two different web software components, JS libraries, frameworks or other third-party code.

As many as 29 websites contain at least one publicly disclosed and unpatched security vulnerability of a medium or high risk. The oldest unpatched vulnerability detected during the research is CVE-2011-4969 impacting jQuery 1.6.1 and known since 2011.

The most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).

As far as subdomains go, 81% of the subdomains that contain fingerprintable external software have outdated components. Also, 2% contained publicly disclosed and exploitable vulnerability of medium or high risk.

As few as eight banks seem not to use an external Web Application Firewall or use a WAF in a permissive monitoring-only mode, thus not blocking any web attacks in real time.

They looked at five mobile banking applications allowing access to sensitive banking data. In total, these mobile apps communicated with 298 backend APIs to send or receive data from the bank.

The results showed that 100% of mobile banking applications contained at least one low-risk security vulnerability, 92% of mobile banking applications contained at least one medium-risk security vulnerability, and 20% of mobile banking applications contain at least one high-risk security vulnerability.

Ilia Kolochenko, CEO and founder of ImmuniWeb, says: "Given the non-intrusive methodology of our research, as well as important financial resources available to the banks, the findings urge financial institutions to rapidly revise and enhance their existing approaches to application security. Nowadays, most of the data breaches involve insecure web or mobile apps, importance of which is frequently underestimated by the future victims."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36239
PUBLISHED: 2021-07-29
Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 e...
CVE-2021-37578
PUBLISHED: 2021-07-29
Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malic...
CVE-2021-23416
PUBLISHED: 2021-07-28
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input.
CVE-2021-23417
PUBLISHED: 2021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
CVE-2021-23415
PUBLISHED: 2021-07-28
This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path.