Cybersecurity: a dunce cap for bankers!

Various non-intrusive security, privacy and compliance tests have been conducted by the ImmuniWeb Community: SSL security test, website security test, mobile application security test, PCI DSS compliance test… The result: much progress remains to be made!

The study “State of Application Security at S&P Global World’s 100 Largest Banks” that ImmuniWeb has just published shows how wide the gap is between advertising and reality.

While Gartner claims that the banking sector is at the top of global cybersecurity spending, this study provides edifying results:

  • 7% of e-banking web applications contain known and exploitable vulnerabilities. The oldest known, publicly disclosed and still unpatched vulnerability dates from 2011 (CVE-2011-4969, affecting jQuery 1.6.1);
  • 92% of mobile banking applications contain at least one medium-risk security vulnerability;
  • 100% of banks have security vulnerabilities or problems related to forgotten sub-domains.

As for compliance, it’s no better:

  • 85% of e-banking applications failed the GDPR compliance test;
  • Half (49%) of e-banking web applications failed the PCI DSS compliance test.

Only three of the top 100 sites scored the highest “A+” for both SSL encryption and website security: (Switzerland), (Denmark) and (Sweden).

ImmuniWeb also tested 55 banking applications against the OWASP Mobile Top 10 security and privacy issues. Again, this leaves something to be desired:

  • 100% of applications contain at least one low-risk security vulnerability;
  • 92% of applications contain at least one medium-risk security vulnerability;
  • Worse, 20% of applications contain at least one high-risk security vulnerability.

It is questionable whether banks really take IT security seriously. In 2015, at Black Hat Asia, a French expert demonstrated the flaws in banking applications, vulnerabilities that had already been presented a year earlier at the Chaos Computer Conference…