Although banking and financial services continues to be the target of increasingly effective cyber-attacks, the main security strategy for most banks is based on a perimeter that ends at their internal network's firewall. While this approach might stave off some direct cyber attacks it can fail to protect a bank's customers or brand equity from cyber attackers leveraging web assets and mobile apps that are well outside the traditional security perimeter.
Cyber criminals have figured out there are plenty of ways to defraud your customers without having to pierce your well-defended firewall. Two recent examples are:
In 2014, the Dyre Wolf cyber attack used automated social engineering tactics to gain access to depositor accounts. A spear phishing email was used to deliver the malware,which altered the display of a bank's website, tricking customers into calling a fake customer service number and giving up their account credentials. Not only did this cyber attack not require any direct breach of the bank's perimeter, it completely side-stepped all the two-factor authentication methods being added to secure customer sessions.
In 2015, the Dridex banking Trojan used macro-infested XML files within Excel that were attached to phishing emails posing as remittance or payment notifications. When users opened the attachments it mimicked banking websites, capturing user credentials that were later used for theft of funds.
While these specific cyber attacks leveraged consumer trust in banking websites and support lines, this problem also affects mobile devices. An earlier survey by RiskIQ determined that out of 350,000 banking-related Android apps, over 40,000, or 11%, were confirmed to contain malware or flagged as containing suspicious binaries from a consortium of 70+ AV vendors, with roughly 50% of those having signatures consistent with mobile-based Trojan malware.
To provide a quantitative assessment of these cyber threats, RiskIQ performed a security survey of the web assets and mobile apps associated with each of the top 35 banks and financial service firms.
The survey scanned over 260,000 web assets and uncovered numerous unsecured assets, exploitable components, and misconfigured websites:
- 100% had web assets hosted outside of internal networks managed by their IT group
- 61% of the web assets were actually outside the firewall
- 80% relied on one or more external web servers outside the firewall
- All but 2 had one or more embedded analytics or tracking services
- 97% had a minimum of 13 broken SSL certificates, averaging 431 per bank
On mobile platforms, over 1,777 bank-related apps were scanned with similar results:
- There were an average of 51 apps per bank, even though most had only one or two official apps
- 94% were outside official app stores, making updates and patches problematic.
- 80% required 10 or more permissions, opening numerous security holes for users.
The truth is with banking transactions now spreading out via websites and mobile apps, defense should not end at your firewall--instead you must consider every web asset, social media site or mobile app under your brand to be at risk of breaching customer trust. What you must add to your defense posture is you customers and brand; not just your depositor funds and employees.
If you would like to rate your bank, please contact us at firstname.lastname@example.org. For more detail on the survey results and the potential security risks they uncovered, refer to: https://www.riskiq.com/resources/whitepapers.