The company tested a variety of websites using a proprietary tool they developed in-house, which scans websites for security flaws. While flaws were found across a wide range of industries, literally every banking site Positive Technologies tested was found to have serious security flaws.
The particulars varied from one bank to the next, but the security flaws included:
- XML external entity errors
- Arbitrary file reading and modification flaws
- Expired or nonexistent SSL certificates
- Poor or nonexistent encryption
Some banking websites were so flawed that a hacker could execute a ‘man in the middle’ attack and execute malicious code to infect the user’s machine. They could potentially make off with all their money and with more than enough information to steal their identity.
Some 80 percent of sites tested were found to be vulnerable to XSS (cross-site scripting) attacks.
Regardless of the specific vulnerability, the big, terrifying takeaway from the Positive Technologies report is simply this: Of the financial sites they tested, 100 percent of them were found to have vulnerabilities.
These are the people who are tasked with safeguarding your money, and they’re obviously not doing enough to keep their websites secure.
Firewalls and basic detection protocols are simply not enough. The hackers of the world have matured and gotten better at what they do, and security professionals simply haven’t been improving as quickly. This is the reason we’re seeing such a massive spike in high profile data breaches. The reason is that each year is a new, record-breaking year, beating out the one before, often by a wide margin.
Until that changes, everyone is at risk. Given how important the internet has become to international commerce and modern life, that’s simply unacceptable.