Bank websites have become a complex mixture of applications assembled by third-party providers, giving customers plenty of services but also opening a front door for hackers seeking entry into bank networks.
Security teams have gone to great lengths the past decade or longer to protect bank networks with firewalls, identity management and layers of defense. But ensuring every app on a home page isn't vulnerable presents new challenges.
Fraudsters have attacked web applications that interact with bank customers' browsers to infect websites with malware. Such web apps do things like manage ads, run chatbots and track customer behavior.
Once hackers infiltrate a bank’s network through its website, they can do any number of things, including finding sensitive data and stealing it or injecting ransomware or other malware into the bank’s network.
"The front door of a bank website is the new back door for fraud," said Ivan Tsarynny, CEO of Toronto-based Feroot Security, which protects web applications against attacks and compliance violations. "It is a trend we are seeing and a change that is definitely happening now."
When customers log into their bank website, different scripts are loaded into the browser. The bank and its security team know who those customers are, along with other details such as where they are logging in from.
"It's supply chain code that changes with every user" and it needs better protection, Tsarynny said.
"What is new now is when your browser loads a page, the page is composed of JavaScript elements and every single script has an ability to load any other scripts into the user session," Tsarynny added. "That includes those from third-party servers."
Once inside a website, a fraudster can record a customer session and send that information to a third-party server the customer is not aware of.
"The fraudster can do this without going through the back-end system," Tsarynny said. "Back-end security measures are good at protecting the default app itself, but not the client-side code that is loaded by the browser."
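As an added illustration, not code from the article or from Feroot's product, the following JavaScript shows the kind of client-side check the quotes above call for: it classifies each script URL on a page against an allowlist of approved origins (all hostnames here are constructed), flags unapproved or opaque sources such as protocol-relative trackers and data: URLs, builds a matching Content-Security-Policy script-src directive, and in a browser watches for script tags injected after the page loads.

```javascript
// Assumed allowlist of script origins maintained by the bank's security team (constructed names).
const APPROVED_ORIGINS = new Set([
  'https://www.examplebank.test',   // constructed first-party origin
  'https://cdn.examplebank.test',   // constructed first-party CDN
  'https://chat.vendor-a.test',     // constructed approved chatbot vendor
]);

// Resolve a script's src against the page URL and classify where it comes from.
// status: 'inline' | 'unparseable' | 'opaque' (data:/blob:) | 'first-party' | 'approved' | 'unapproved'
function classifyScript(src, pageUrl) {
  if (src === null || src === undefined || src === '') return { origin: null, status: 'inline' };
  let url;
  try { url = new URL(src, pageUrl); } catch { return { origin: null, status: 'unparseable' }; }
  if (url.protocol === 'data:' || url.protocol === 'blob:') return { origin: url.protocol, status: 'opaque' };
  if (url.origin === new URL(pageUrl).origin) return { origin: url.origin, status: 'first-party' };
  return { origin: url.origin, status: APPROVED_ORIGINS.has(url.origin) ? 'approved' : 'unapproved' };
}

// Audit a list of script src values and return the entries a reviewer should look at.
function findUnapproved(srcs, pageUrl) {
  return srcs.map(s => ({ src: s, ...classifyScript(s, pageUrl) }))
             .filter(r => r.status === 'unapproved' || r.status === 'opaque');
}

// Derive the CSP script-src directive from the same allowlist, so the browser itself
// refuses scripts from any other origin, including ones loaded by an already-running script.
function buildScriptSrcDirective() {
  return `script-src 'self' ${[...APPROVED_ORIGINS].join(' ')}`;
}

// In a browser, report <script> elements added after load (the "scripts loading other scripts" case).
// Returns null outside a browser so the function is safe to call from Node.
function watchInjectedScripts(report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const obs = new MutationObserver(muts => {
    for (const m of muts) for (const n of m.addedNodes) {
      if (n.tagName !== 'SCRIPT') continue;
      const r = classifyScript(n.getAttribute('src'), location.href);
      if (r.status === 'unapproved' || r.status === 'opaque') report({ src: n.src, ...r });
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample of script srcs as they might appear in a login page's DOM.
const SAMPLE_SRCS = [
  '/static/app.js',                            // first-party, relative
  'https://cdn.examplebank.test/vendor.js',    // approved CDN
  'https://chat.vendor-a.test/widget.js',      // approved vendor
  '//tracker.unknown-analytics.test/t.js',     // protocol-relative, not on the allowlist
  'data:text/javascript,0',                    // opaque inline payload
  null,                                        // inline <script> block
];
```

Running `findUnapproved(SAMPLE_SRCS, 'https://www.examplebank.test/login')` returns only the tracker and the data: entry.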
It’s a growing problem. According to research from Imperva Research Labs, a San Mateo, California-based data security firm, in the first half of 2021, the number of
The nonprofit
As such, bank website security has become increasingly important as the number of customers logging in continues to rise. An online survey of 2,201 adults last month from the
"Website applications are constantly under construction and their security state is a moving target," said Tari Schreider, senior analyst with Aite-Novarica Group.
"The industry has just become numb to hearing about all of their website vulnerabilities," Schreider said.
Financial institutions tend to focus on high-risk vulnerabilities, while most passive scanning exposes low-risk vulnerabilities, Schreider noted. "There is a cautionary tale here that a low-to-medium risk can become a high-risk vulnerability over time."
Hackers target websites because they are "the gateway to the organization's crown jewels," Schreider added. "This draws fraudsters to them like paparazzi to a Hollywood star — everyone knows their identity and where to find them."
Banks are aware of this danger, but their heavily modified code creates too many cracks for hackers to slip in, Schreider said. "Security is a full-time activity and, aside from the largest of the financial institutions, most firms cannot allocate the resources necessary to do security properly."