Nearly all of the largest 100 banks are vulnerable to web and mobile attacks, which give hackers access to sensitive data, according to ImmuniWeb.
“We leveraged an enhanced methodology from our previous research that covered web and mobile application security of the world largest companies from the FT 500 list,” the report said. “For the purpose of this research, we carefully studied external web applications, APIs and mobile apps of the S&P Global list that contains the world's largest financial organizations from 22 countries.”
According to the findings, 85 e-banking web applications failed a GDPR compliance test and 49 failed a PCI DSS test. “Only three main websites (Credit Suisse, Danske Bank and Handelsbanken) out of 100 had the highest grades 'A+' both for SSL encryption and website security,” the report said.
“Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security,” said Ilia Kolochenko, CEO and founder of ImmuniWeb.
“Most of the data breaches involve or start with insecure web and mobile apps that are too frequently under prioritized by future victims. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority and simply lack available resources to tackle other essential tasks. Eventually, they become low-hanging fruits for cybercriminals.”
Researchers detected 29 active phishing campaigns targeting customers of the financial institutions. “Phishing websites either spread banking malware aimed to steal e-banking credentials or provide fraudulent login forms aimed to steal victim’s credentials. Most of the malicious websites were hosted in the US,” the report said.
In related news, an audit of employees’ security awareness across 16 industries, conducted by Proofpoint, found that one in every four questions regarding phishing was answered incorrectly. However, finance was the best performing industry, with end users answering 80 percent of all questions correctly, according to the 2019 Beyond the Phish report.
“Cybercriminals are experts at gathering personal information to launch highly targeted and convincing attacks against individuals,” said Amy Baker, vice president of security awareness training strategy and development for Proofpoint in a press release.
“Implementing ongoing and effective security awareness training is a necessary foundational pillar when building a strong culture of security. Educating employees about cybersecurity best practices is the best way to empower users to understand how to protect theirs and their employer’s data, making end users a strong last line of defense against cyber attackers.”