Various non-intrusive security, privacy and compliance tests have been conducted by the ImmuniWeb Community: SSL security test, website security test, mobile application security test, PCI DSS compliance test… Result: much progress remains to be made!
The study “State of Application Security at S&P Global World’s 100 Largest Banks” that ImmuniWeb has just published shows how wide the gap is between advertising and reality.
While Gartner claims that the banking sector is at the top of global cybersecurity spending, this study provides edifying results:
- 7% of e-banking web applications contain known and exploitable vulnerabilities. The oldest known, publicly disclosed and still unpatched vulnerability dates from 2011 (CVE-2011-4969, affecting jQuery 1.6.1);
- 92% of mobile banking applications contain at least one medium-risk security vulnerability;
- 100% of banks have security vulnerabilities or problems related to forgotten sub-domains.
As for compliance, it’s no better:
- 85% of e-banking applications failed the GDPR compliance test;
- Half (49%) of e-banking web applications failed the PCI DSS compliance test.
Only three of the top 100 sites scored the highest “A+” for both SSL encryption and website security: www.credit-suisse.com (Switzerland), www.danskebank.com (Denmark) and www.handelsbanken.se (Sweden).
ImmuniWeb also tested 55 banking applications against the OWASP Mobile Top 10 security and privacy issues. Again, the results leave something to be desired:
- 100% of applications contain at least one low-risk security vulnerability;
- 92% of applications contain at least one medium-risk security vulnerability;
- Worse, 20% of applications contain at least one high-risk security vulnerability.
It is questionable whether banks really take IT security seriously. In 2015, at Black Hat Asia, a French expert demonstrated flaws in banking applications, vulnerabilities that had already been presented a year earlier at the Chaos Computer Conference…