Gone are the days when people frequented their banks to get their errands done. With more and more banking activities being performed online via web and mobile applications, the security risks are rising exponentially. But are banks and financial institutions doing enough to safeguard our privacy and financial assets? What are the risks and what role do application developers play in providing online banking security? Let’s take a closer look.
This article will be based on the POC provided by ethical hacker and security expert Sijmen Ruwhof. Specializing in online banking security, Ruwhof a consultant for multiple banks in The Netherlands and other EU nations. His work over the years has put the spotlight on leading banking organizations by exposing their questionable security standards and poor application code integrity.
Hacking Opportunities on the Rise
Kaspersky Labs recently published a comprehensive report showing the grim state of online banking security around the world. The leading cyber security solution provider collected the cybercrime related statistics from its database during the year-long period of 2015 and filtered out all banking sector information to compile this security document. The numbers shown in the report say it all.
- 1,966,324 registered notifications of malware raids on online bank accounts.
- 798,113,087 cyberattacks launched from online resources worldwide.
- 2% user-end computers were compromised atleast once during the year.
- Around 24% of the cyberattacks originated from US territory.
- 121,262,075 malicious objects (scripts, exploits, etc) were detected.
While social engineering is still very much in use today, more and more users today are exploiting vulnerable applications actively with tailor-made attacks. These risks involve not only web applications via browsers (62%), but also mobile ones due to the rising trend of “banking on-the-go”. Around 14% of all cyberattacks on banking targets were executed on the Android mobile platform, a worrying trend.
How to hack a bank online? Source: Jason Security
The Root of All Vulnerabilities: Low Code Integrity
Ethical hacker and security expert Sijmen Ruwhof recently exposed the root of the problem in modern banking applications on his blog. He heard about the low security standards of Danish banks and decided to test the robustness of the website of Danske Bank, one of the biggest banks in Denmark. The results of his random investigation are not encouraging.
Upon inspecting other variables, very poor online banking security standards were exposed.
- Via the exposed HTTP_CLIENTIP variable, Ruwhof could see customers’ IP addresses. For example, 220.127.116.117 translated to the corresponding fully qualified domain name led to 80-166-145-257-static.dk.customer.tdc.net. This was a customer’s IP address from Denmark. Refreshing the login page gave Ruwhof access to more IP addresses of customers.
- Even the HTTP_COOKIE variable was fully exposed. With little work, hackers could easily hijack any customer’s credentials (data theft) and launch an exploit.
- Another accessible variable was HTTP_USER_AGENT. This gave a clear picture of what OS the potential victim was using, along with other web browser information.
- The bank also didn’t implement secure HTTPS connection for its internal network (HTTPS variable was OFF and SERVER_PORT showed the value 80).
- The bank also didn’t use HTTP Basic Authentication. Ruwhof reached this conclusion after seeing that the AUTH_USER and AUTH_PASSWORD variables were empty.
After some initial hiccups in the communication with the bank, Ruwhof’s findings were acknowledged and the technical staff fixed the data leakage and technical glitches.
Taking the hacking statistics presented earlier in the article, it’s safe to assume that similar findings exist in in many other banking and financial applications, web and mobile. With the ever-growing online usage of such applications, it’s quite clear that the foundation has to be strengthened for improved online banking security. This foundation is the application code, which has to be of high integrity.
Secure Development for Improve Online Banking Security
Traditional security tools, namely Web Application Firewalls (WAFs) and anti-malware software, are simply not getting the job done today. Hackers are exploiting the dynamic nature of the modern applications to gain access to sensitive information. Attack vectors have multiplied, making it paramount to bolster the application code integrity. Online banking security hinges on this crucial factor.
Application security has developed and evolved over the years. Penetration (Pen) Testing is arguably the oldest methodology still being used, but its inherited deficiencies make it a secondary solution at best. This is mainly because it enters the picture only when the application is up and running, in addition to the numerous cycles required for achieving wide coverage. It also requires a lot of resources/personnel.
An effective way of producing secure applications is to integrate the security into the development process. Automating the process with Static Application Security Testing (SAST) solutions, namely Static Code Analysis (SCA), is gaining steam. Here the solution is planted directly into the developer’s environment and application layer vulnerabilities are detected early.
Other benefits of automating security for enhanced online banking security include:
1 – Creation of a secure Software Development Life Cycle (sSDLC) – The automation of the process helps create a safe protocol where security findings are treated just as QA bugs.
2 – Developers are fully involved in the security efforts – With the solution built into their native development environments, developers eventually become security champions.
3 – Great for Agile, DevOps and CICD scenarios – More and more organizations are gravitating towards these setups, making SCA an ideal solution for close to real-time results.
4 – Better ROI – The early detection and remediation of vulnerabilities means safer applications that are tough to exploit and post-release maintenance costs are lowered significantly.
5 – Wide platform and language coverage – Today’s leading SCA solutions offer wide coverage to support complex development environments with multiple frameworks/scripting languages.
“Static code analyzers are the easiest to implement, as you can scan a large code repository containing multiple projects very easy,” Ruwhof explains. “While manual reviewing by a security expert is still necessary, properly integrated security scan tools that automatically analyze software are an excellent way to improve application security.”
Online Banking Security Has To Be Taken Seriously
Online banking security has to be prioritized to ensure the safety of users and safeguard financial transactions. The traditional measures such as WAFs and fraud detection software are good to have, but they don’t really provide adequate application layer security that is desperately needed to keep the hackers away. There’s no way around secure application coding for good online banking security.
While the benefits of automated security with Static Code Analysis (SCA) are many, no application can be entirely immune to hacking/cybercrime. That’s why more and more AppSec experts are recommending the use of two or more security methodologies in tandem. One such combo involves SCA during development, with a few cycles of Pen Testing and/or Manual Testing prior to release.
Rouwof echos the same opinion: “A combination of AppSec tools should be built into the SDLC and implemented in such a way that software may not go to production stage if high or critical security risks are found by the tools. These tools should run every day in an automated way. To set expectations right, tools don’t find all vulnerabilities and thus manual review by a security expert is still necessary.”
To learn more about how to choose a SAST/SCA tool – Click Here