CCR Magazine

Bank Heists Possible Due to Flawed Code
Wednesday, 26 July 2017
The total number of critical vulnerabilities in financial applications fell in 2016; however, the overall severity of the identified vulnerabilities grew significantly. The most common vulnerabilities relate to flaws in the mechanisms for identification, authentication, and authorization of users, with two in three remote banking applications vulnerable to brute-force attacks. These are the findings detailed in a report, published today by Positive Technologies, of the financial application security assessments it performed throughout 2016.

In 2016, online banking services grew in popularity thanks to contactless payment systems: PayPass and payWave were joined by NFC-based Apple Pay and Google Wallet on smartphones. However, the security of web and mobile banking has not kept up. These banking methods harbor the vulnerabilities and threats typically encountered in application development. The difference is that, in the case of banking applications, these vulnerabilities have serious consequences—theft, unauthorized access to client data and sensitive bank information, and significant reputational losses.

The assessment of banking applications in 2016 showed that the share of critical vulnerabilities grew by 8%, and that of medium-severity vulnerabilities by 18%. Production systems had on average twice as many vulnerabilities as systems still in development, and applications developed by third-party vendors had on average twice as many vulnerabilities as applications developed in-house.

Most online banking applications (71%) contained flaws in their implementation of two-factor authentication. 33% of online banking applications had vulnerabilities that made it possible to steal money, and in 27% of applications an attacker could access sensitive client information. Mobile banking applications have problems of their own: in one in three apps, an attacker could intercept or brute-force user credentials. Banking apps on iOS remain more secure than their Android equivalents. The real weaknesses lurk on the server side: Positive Technologies’ researchers found dangerous server-side vulnerabilities in every application tested.
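The credential brute-forcing the report counts in two out of three remote banking applications and one in three mobile apps usually comes down to a login endpoint that evaluates every attempt it receives. As an added example (not code from Positive Technologies, the report, or any bank it assessed), the block below puts that unthrottled form beside a throttled one: a sliding failure window per account, a temporary lockout that fails closed even for the correct password, uniform handling of unknown accounts, and an audit trail a SOC can alert on. The account names, limits, iteration count and helper names are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

# Assumed iteration count, kept low so the example runs quickly;
# production deployments use a far higher cost.
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte verifier; the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_users(plain: dict) -> dict:
    """Build a constructed account table: user -> (salt, verifier)."""
    table = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


# Used for unknown users so the work done (and the answer given) does not
# reveal whether an account exists.
_DUMMY_SALT = bytes(16)
_DUMMY_VERIFIER = bytes(32)


def _verify(users: dict, user: str, password: str) -> bool:
    salt, verifier = users.get(user, (_DUMMY_SALT, _DUMMY_VERIFIER))
    match = hmac.compare_digest(hash_password(password, salt), verifier)
    return match and user in users


class UnthrottledLogin:
    """The weak form the report keeps finding: every attempt is evaluated,
    so the number of guesses is bounded only by the attacker's bandwidth."""

    def __init__(self, users: dict):
        self.users = users

    def login(self, user: str, password: str, now: float = 0.0) -> str:
        return "ok" if _verify(self.users, user, password) else "denied"


class ThrottledLogin:
    """Hardened form: sliding-window failure count per account plus a temporary lockout."""

    MAX_FAILURES = 5   # failures tolerated inside WINDOW before locking
    WINDOW = 300.0     # seconds over which failures are counted
    LOCKOUT = 900.0    # seconds the account stays locked

    def __init__(self, users: dict):
        self.users = users
        self.failures = {}      # user -> deque of failure timestamps
        self.locked_until = {}  # user -> time the lockout expires
        self.audit = []         # (timestamp, user, event) records for the SOC

    def _recent_failures(self, user: str, now: float) -> deque:
        q = self.failures.setdefault(user, deque())
        while q and now - q[0] > self.WINDOW:
            q.popleft()
        return q

    def login(self, user: str, password: str, now: float) -> str:
        # Fail closed: a locked account rejects even the correct password.
        # Unknown names are tracked the same way, so the response does not
        # reveal which accounts exist.
        if now < self.locked_until.get(user, 0.0):
            self.audit.append((now, user, "locked"))
            return "locked"
        if _verify(self.users, user, password):
            self.failures.pop(user, None)
            self.audit.append((now, user, "ok"))
            return "ok"
        q = self._recent_failures(user, now)
        q.append(now)
        if len(q) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCKOUT
            q.clear()
            self.audit.append((now, user, "lockout"))  # the event worth alerting on
        else:
            self.audit.append((now, user, "denied"))
        return "denied"

    @classmethod
    def guesses_per_hour(cls) -> int:
        """Upper bound on online guesses against one account per hour under these limits."""
        return int(3600 // cls.LOCKOUT) * cls.MAX_FAILURES
```

The `now` argument is passed in explicitly so the behaviour can be exercised deterministically; a deployment would read a monotonic clock. With the assumed limits an online attacker gets at most 20 guesses per account per hour (`ThrottledLogin.guesses_per_hour()`), against an unbounded number in the unthrottled form; the "lockout" audit event is the signal a detection rule should key on, since a burst of them across many accounts is what a credential-stuffing run looks like from the server side.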

This year’s report also includes security statistics for automated banking systems, usually thought to be beyond the reach of external attackers. Two thirds of the vulnerabilities found in automated banking systems were critical, some even allowing administrative server access. With this level of access, an attacker could conduct fraudulent transactions yet remain unnoticed. The possibilities for such fraudulent transactions are practically limitless: attackers could create new accounts, change their balances, or create counterfeit payment transfers to other institutions.

"In our analysis of 2016 incidents, we note that targeted attacks against banks often used these possibilities. Most vulnerabilities can be avoided before the first line of code is ever written—proper architecture and careful formulation of technical requirements should account for the subtleties of implementation of authentication and authorization mechanisms. Vulnerabilities in source code can be avoided at the development stage. Secure Software Development Lifecycle (SSDLC) practices and careful testing of protection mechanisms ensure a more robust and secure code base. Experience has proven that the most effective method to detect web application vulnerabilities is auditing source code, among other things, with the help of automated analysis," summarizes Evgeny Gnedin, Head of Security Analytics at Positive Technologies.
 
CCRI
3 October - Guoman Tower Hotel, Central London 

CCRInteractive, in association with Marston Holdings , is the largest and leading one-day conference from the publishers of CCRMagazine – a truly national and international event for the credit industry.

This landmark event allows delegates to: Learn best practice of how to increase profitable sales in today’s economy. Understand the key compliance issues and how they will impact upon you. Discuss the legislative and regulatory framework and how it will effect you. Consider the potential effects of Brexit on your business. Discover the latest innovations in the market to improve your collections. Motivate your staff to achieve ever improved results.

To book to attend in 2017, contact Stephen Kiely  or Alison Lucas. To find out more about being part of this landmark event, please contact Gary Lucas
CCRI 

 Forums International Ltd

Forums International Ltd

 Attendance at your first meeting is free of charge, and please quote reference 'CCR2016' to receive the special 10% discount off of your first annual subscription.

Find out more here.

latest issue

CCR Cover

The latest edition of CCR Magazine, the leading editorial publication in the UK credit industry, is out.

Read the latest issue online

The Credit Excellence Awards

Awards 

Tuesday 3 October - Guoman Tower Hotel, Central London


Do not miss your chance to meet and network with the Winners and Finalists at the Credit Excellence Awards, in association with Hoist Finance.


To book your place to attend, please contact Alison Lucas.


subscriptions

CCR is the premier magazine for consumer and credit professionals. It provides an independent voice to the industry, breaking major news stories and running in-depth features.

As a magazine, it works with and campaigns on behalf of the credit industry to promote its importance as a centre of potential profit and business development to the wider business world.

Subscribe to CCR Magazine

CCR World Magazine


 

Providing information and analysis for thousands of senior credit professionals worldwide, every quarter.

Find out more

GTS Media Ltd
81 Cambridge Road
Southend-on-Sea
Essex
SS1 1EP

Registered in England No: 05483197