97% of global banks are susceptible to web and mobile attacks

A whopping 97 out of 100 banks worldwide are vulnerable to mobile and web attacks, leaving them open to infiltration from hackers, a study has found.

The study, carried out by the security and automation testing website, ImmuniWeb, found that of 100 of the world’s largest banks (according to S&P global list for 2019), 97 of them are not cyber-secure.

In the results, it was found that based on their e-banking web-applications, not only did 85 of the banks fail their GDPR compliance test, but almost 50% of the banks were also unsuccessful in their PCI DSS (Payment Card Industry Data Security Standard) compliance test.

Furthermore, 25% of the banks were not protected by a web application firewall.

Mobile security

When tested for security vulnerabilities, seven of the companies’ e-banking web applications contained known and exploitable vulnerabilities. Whilst 92% of the mobile banking apps had at least one medium-risk security vulnerability.

Worryingly, every single one of the organisations had issues or security vulnerabilities relating to forgotten subdomains.

Ilia Kolochenko, CEO and founder of ImmuniWeb, said: “Given the non-intrusive nature of the research and formidable resources available to the top banks studied in the research, the findings urge financial institutions to revise their existing approaches to application security.”

Burden for customers

The CEO also spoke of the drain that is passed on to customers when banks do not protect data sufficiently. He continued: “Most of the data breaches involve or start with insecure web and mobile apps. Unfortunately, most cybersecurity teams today carry a burdensome duty to meet compliance and regulatory requirements as the first priority, and simply lack available resources to tackle other essential tasks. Eventually, they become low hanging fruits for cybercriminals.”

The study was taken from banks across 22 countries in Europe, Asia, the Americas and Australia.

Only three websites (based in Switzerland, Denmark and Sweden) had an ‘A+’ grade for SSL encryption and website security.

Related Posts