Big Banks Vulnerable to Web, Mobile Attacks

[Mohammad.Poorya]

Nearly all of the largest 100 banks are vulnerable to web and mobile attacks, which give hackers access to sensitive data, according to ImmuniWeb.

“We leveraged an enhanced methodology from our previous research that covered web and mobile application security of the world largest companies from the FT 500 list,” the report said. “For the purpose of this research, we carefully studied external web applications, APIs and mobile apps of the S&P Global list that contains the world's largest financial organizations from 22 countries.”

According to the findings, 85 e-banking web applications failed a GDPR compliance test and 49 failed a PCI DSS test. “Only three main websites (Credit Suisse, Danske Bank and Handelsbanken) out of 100 had the highest grades 'A+' both for SSL encryption and website security,” the report said.

“Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” said Ilia Kolochenko, CEO and founder of ImmuniWeb.

“Most of the data breaches involve or start with insecure web and mobile apps that are too frequently under prioritized by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low-hanging fruits for cybercriminals.”

Researchers detected 29 active phishing campaigns targeting customers of the financial institutions. “Phishing websites either spread banking malware aimed to steal e-banking credentials or provide fraudulent login forms aimed to steal victim’s credentials. Most of the malicious websites were hosted in the US,” the report said.