ImmuniWeb, a player in the European penetration testing market, has conducted some research on the world's 100 top banksas listed by S&P Global. That list contains financial organizations from 22 countries. The research looked at application security, privacy and compliance at these financial institutions.
As far as compliance goes, the research found that:
- 85 e-banking web applications failed the GDPR compliance test.
- 49 e-banking web applications failed the PCI DSS compliance test/
- 25 e-banking web applications are not protected by a Web Application Firewall.
PCI DSS compliance testing covered Requirements 2.3, 4.1, 6.2, 6.5 and 6.6 of the most recent version (v.3.2.1) of the standard.
GDPR compliance testing covered Article 5 Section 1, Article 5 Section 2, Article 6 Section 1, Article 6 Section 4(e), Article 7, Article 25 Section 1, Article 32 Section 1(a)(b)(d) and Article 35 Section 7(f) of the enacted regulation.
Non-intrusive Software Composition Analysis (SCA) of Open Source Software (OSS) verified fingerprinted software versions for publicly disclosed vulnerabilities from OWASP Top 10 list.
Only three main websites out of the 100 had the highest grades "A+" both for SSL encryption and website security. Those sites were www.credit-suisse.com (Switzerland), www.danskebank.com (Denmark) and www.handelsbanken.se (Sweden).
As far as the main (www.) websites were concerned, each website contains on average two different web software components, JS libraries, frameworks or other third-party code.
As many as 29 websites contain at least one publicly disclosed and unpatched security vulnerability of a medium or high risk. The oldest unpatched vulnerability detected during the research is CVE-2011-4969 impacting jQuery 1.6.1 and known since 2011.
The most popular website vulnerabilities were XSS (Cross Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3) and Security Misconfiguration (OWASP A6).
As far as subdomains go, 81% of the subdomains that contain fingerprintable external software have outdated components. Also, 2% contained publicly disclosed and exploitable vulnerability of medium or high risk.
As few as eight banks seem not to use an external Web Application Firewall or use a WAF in a permissive monitoring-only mode, thus not blocking any web attacks in real time.
They looked at five mobile banking applications allowing access to sensitive banking data. In total, these mobile apps communicated with 298 backend APIs to send or receive data from the bank.
The results showed that 100% of mobile banking applications contained at least one low-risk security vulnerability, 92% of mobile banking applications contained at least one medium-risk security vulnerability, and 20% of mobile banking applications contain at least one high-risk security vulnerability.
Ilia Kolochenko, CEO and founder of ImmuniWeb, says: "Given the non-intrusive methodology of our research, as well as important financial resources available to the banks, the findings urge financial institutions to rapidly revise and enhance their existing approaches to application security. Nowadays, most of the data breaches involve insecure web or mobile apps, importance of which is frequently underestimated by the future victims."
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.