2/3 online banking systems to contain at least one critical vulnerability

However, the percentage of critical vulnerabilities is falling each year, according to the company’s press release. For example, high-risk vulnerabilities were found on 90% of systems in 2015; by 2016, this number dropped to 71%; and, in 2017 it dropped further to 56%. Despite this encouraging trend, security shortcomings remain a menace for banks and clients.

Each e-banking system analysed in 2017 contained, on average, seven vulnerabilities; this up from six in 2016. However, high- and medium-risk vulnerabilities made up a smaller portion, yet only a third of online banks were free of critical vulnerabilities in 2017, whereas in 2016 all financial web applications (except one) had at least one.

The situation with mobile banking apps is similar. Almost half (48%) of mobile banking apps still contained at least one critical vulnerability. In 52% of cases, attackers could exploit vulnerabilities to decrypt, intercept, or brute force accounts to access the mobile app or bypass authentication entirely. These actions would effectively give the attacker total control over the account of a legitimate user.

On average, iOS apps are better protected than Android, even when created by the same bank. High-risk vulnerabilities on iOS accounted for only 25% of total vulnerabilities, compared to 56% on Android. In some cases, the iOS mobile app was free of vulnerabilities that were found present in the corresponding Android app.