EDITOR’S QUESTION
HOW CAN COMPANIES DO MORE TO PROTECT CONSUMER DATA?
In its recent report about the vulnerabilities in online banking
applications, Positive Technologies experts assessed the
security levels of online banks in 2018 and discovered that
54% allowed attackers to steal money. In addition to this, all online
banks carry the risk of unauthorised access to personal data and
other sensitive information.
The analysis by Positive Technologies experts shows that most
online banks contain critical vulnerabilities. A security assessment
of online banks revealed that every reviewed system contained
vulnerabilities that could have major consequences if exploited. For
instance, fraudulent transactions and theft of funds were possible
in 54% of applications.
The threat of unauthorised access to client information and sensitive
company information, such as account statements or the payment
orders of other users, was present in every online bank studied and,
in some cases, vulnerabilities allowed hackers to attack the bank’s
corporate network. According to Positive Technologies experts, the
average cost of the data of an online banking user on the dark web is
US$22. Additionally, the analysis showed that 77% of online banks had
security flaws in their two-factor authentication mechanisms.
According to Positive Technologies’ cybersecurity resilience lead,
Leigh-Anne Galloway, some online banks do not use one-time
passwords for critical operations (such as authentication) or allow
old passwords which are more likely to be compromised. Experts
believe this is because banks want to strike the right balance between
security and comfort of use.
“Foregoing security measures in favour of customer convenience
increases the risk of fraud. If there’s no need to confirm a
transaction with a one-time password, the attacker no longer
requires access to the victim’s smartphone and an old password
increases the chances of it being brute forced. With no limit applied
to it, a one-time password of four symbols can be cracked within
two minutes,” Galloway commented.
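The control whose absence the quote describes, a limit on one-time password attempts, can be sketched as follows. This is an added example, not code from the report or from any bank: the class and function names, the three-attempt cap and the 120-second lifetime are assumptions, and the "four symbols" are assumed to be decimal digits.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4          # length quoted in the article
MAX_ATTEMPTS = 3        # assumed policy value
OTP_TTL_SECONDS = 120   # assumed policy value


class OtpChallenge:
    """One OTP bound to one pending operation (hypothetical helper)."""

    def __init__(self, now=None):
        # Uniformly random code from a CSPRNG, zero-padded to fixed length.
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.expires_at = (time.time() if now is None else now) + OTP_TTL_SECONDS
        self.failed = 0
        self.used = False

    def verify(self, guess, now=None):
        now = time.time() if now is None else now
        # Refuse once the code is spent, expired, or the attempt budget is gone.
        if self.used or now > self.expires_at or self.failed >= MAX_ATTEMPTS:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.used = True
            return True
        self.failed += 1
        return False


def guess_success_probability(attempts_allowed, digits=OTP_DIGITS):
    """Chance that distinct guesses hit a uniformly random code."""
    return min(attempts_allowed, 10 ** digits) / 10 ** digits


def seconds_to_exhaust(rate_per_second, digits=OTP_DIGITS):
    """Worst-case time to try every code when attempts are not limited."""
    return 10 ** digits / rate_per_second
```

With the cap in place, guessing succeeds with probability 3 in 10,000 per challenge; without it, the full space of 10,000 codes is exhausted in about two minutes at roughly 84 verification requests per second.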
The vulnerabilities in online banks
As well as issues of authentication, comparative analysis showed that
ready-made solutions developed by vendors had three times fewer
vulnerabilities than those developed in-house.
The number of vulnerabilities in test and production systems, on
the other hand, is equal. Statistics show that in 2018, both types of
systems in most cases contained at least one critical vulnerability.
Experts think that after developers have tested a security system
once, they tend to postpone further analysis after changes are made
to the code, causing vulnerabilities to ‘accumulate’.
This means that before long, the number of flaws is the same as
that found during initial testing. The main positive trend in the
security of online financial applications in 2018 was the reduction
of high-risk vulnerabilities in the total number of all flaws identified.
According to Positive Technologies specialists, the percentage of
critical vulnerabilities dropped by more than half compared to the
previous year – from 32% in 2017, to 15% in 2018. However, the
overall security level of online banks remains low.
www.intelligentcio.com