Hackers zero in on bank websites' third-party apps

Bank websites have become a complex mixture of applications assembled by third-party providers, giving customers plenty of services but also opening a front door for hackers seeking entry into bank networks.

Security teams have gone to great lengths the past decade or longer to protect bank networks with firewalls, identity management and layers of defense. But ensuring every app on a home page isn't vulnerable presents new challenges.

Fraudsters have attacked web applications that interact with bank customers' browsers to infect websites with malware. Such web apps do things like manage ads, run chatbots and track customer behavior.

Security experts say hackers are increasingly trying to break into banks' networks through their websites.

Once hackers infiltrate a bank’s network through its website, they can do any number of things, including finding sensitive data and stealing it or injecting ransomware or other malware into the bank’s network.

"The front door of a bank website is the new back door for fraud," said Ivan Tsarynny, CEO of Toronto-based Feroot Security, which protects web applications against attacks and compliance violations. "It is a trend we are seeing and a change that is definitely happening now."

When customers log into their bank website, different scripts are loaded into the browser. The bank and its security team would know who those customers are and other information about them, such as where they are logging in from.

"It's supply chain code that changes with every user" and it needs better protection, Tsarynny said.

"What is new now is when your browser loads a page, the page is composed of Javascript elements and every single script has an ability to load any other scripts into the user session," Tsarynny added. "That includes those from third-party servers."

Once inside a website, a fraudster can record a customer session and send that information to a third-party server the customer is not aware of.

"The fraudster can do this without going through the back-end system," Tsarynny said. "Back-end security measures are good at protecting the default app itself, but not the client-side code that is loaded by the browser."
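The client-side gap Tsarynny describes can be checked from the browser itself. The following is an added example, not code from the article or from Feroot: it inventories the origins a page actually loads scripts from, including scripts injected after load by other scripts, and flags any outside an allowlist. The allowlisted origins and the reporting endpoint are hypothetical placeholders.

```javascript
// Added example: audit which origins serve the scripts running in a bank's page.
// Allowlist entries are hypothetical; a real deployment would list the bank's
// own hosts and its approved vendors.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.example-bank.test",   // first-party (hypothetical)
  "https://cdn.example-bank.test",   // bank-controlled CDN (hypothetical)
  "https://chat.vendor-one.test",    // approved chatbot vendor (hypothetical)
]);

// Classify one script src against the allowlist. Relative and
// protocol-relative URLs resolve against pageOrigin; inline scripts
// (empty src) are counted separately rather than treated as a host.
function classifyScript(src, pageOrigin) {
  if (!src) return { src: "", origin: null, status: "inline" };
  let origin;
  try {
    origin = new URL(src, pageOrigin).origin;
  } catch (e) {
    return { src, origin: null, status: "unparseable" };
  }
  const status = ALLOWED_SCRIPT_ORIGINS.has(origin) ? "allowed" : "unexpected";
  return { src, origin, status };
}

// Summarise a list of script srcs (e.g. every <script> currently in the DOM).
function auditScripts(srcs, pageOrigin) {
  const report = { allowed: [], unexpected: [], unparseable: [], inline: 0 };
  for (const s of srcs) {
    const r = classifyScript(s, pageOrigin);
    if (r.status === "inline") report.inline += 1;
    else if (r.status === "unparseable") report.unparseable.push(r.src);
    else report[r.status].push(r.origin);
  }
  return report;
}

// In a browser, also watch for scripts added after page load (the
// "a script loads another script" chain quoted above) and report unexpected
// ones to a bank-owned endpoint. Guarded so the file also loads under Node.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName !== "SCRIPT") continue;
        const r = classifyScript(node.src, location.origin);
        if (r.status === "unexpected") {
          // Hypothetical first-party reporting endpoint.
          navigator.sendBeacon("/security/script-report", JSON.stringify(r));
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
}
```

The DOM observer only sees scripts that become elements; pairing this inventory with a Content-Security-Policy `script-src` list of the same origins turns the report into an actual block.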

It’s a growing problem. According to research from Imperva Research Labs, a San Mateo, California-based data security firm, in the first half of 2021, the number of web application incidents in financial services rose 38% from 11.7 million to 16.1 million in the U.S. compared to the first half of 2020. The incidents were attacks of all kinds on banks’ websites that were thwarted.

The nonprofit Online Trust Alliance conducted an anonymous security audit of more than 1,000 websites of some of the largest banks in the U.S. last year and found that 65% of those banks failed web security testing.

As such, bank website security has become increasingly important as the number of customers logging in continues to rise. An online survey of 2,201 adults last month from the American Bankers Association indicated customer use of mobile apps for banking rose from 33% before the pandemic to 44% and online access increased from 24% to 26%.

"Website applications are constantly under construction and their security state is a moving target," said Tari Schreider, senior analyst with Aite-Novarica Group.

"The industry has just become numb to hearing about all of their website vulnerabilities," Schreider said.

Financial institutions tend to focus on high-risk vulnerabilities, while most passive scanning exposes low-risk vulnerabilities, Schreider noted. "There is a cautionary tale here that a low-to-medium risk can become a high-risk vulnerability over time."

Hackers target websites because they are "the gateway to the organization's crown jewels," Schreider added. "This draws fraudsters to them like paparazzi to a Hollywood star — everyone knows their identity and where to find them."

Banks are aware of this danger, but their heavily modified code creates too many cracks for hackers to slip in, Schreider said. "Security is a full-time activity and, aside from the largest of the financial institutions, most firms cannot allocate the resources necessary to do security properly."
