Saturday, December 12, 2009

Javelin: Nearly One in Two Large Banks Leave Customers Unprotected Against Hijacking

Javelin: Nearly One in Two Large Banks Unprotected Against Hijacking of Online Customer Interaction

Javelin Evaluates Security Offered By Web-Facing Applications Of The Top 24 U.S. Financial Institutions

San Francisco, CA, – Javelin Strategy & Research (www.javelinstrategy.com) today issued a report evaluating the security of online customer interaction at the 24 largest U.S. financial institutions, with a focus on protection of private data during customer inquiry or enrollment. Javelin’s latest primary research reveals that 46% of top banking institutions have an opportunity to more fully protect “contact us”, “help”, or other interaction pages against criminal hijacking. Javelin also published a companion report that introduces a risk-based priority model for Web applications, allowing banks to improve the results of security spending in the challenging economy.



The first report, titled U.S. Online Channel Security: an Assessment of the 24 Top Financial Institutions, analyzes the home and log-in page security at the top 24 U.S. financial institutions for SSL/TLS or EV-SSL encryption, critical security attributes that guard against compromise by insertion of incorrect links or information. In this report Javelin also researched online banking enrollment procedures for existing customers and examined the protections associated with the retrieval of lost or forgotten usernames and passwords.



“We were surprised to find so many banks overlooking this potential area of exploit,” said James Van Dyke, President and Founder. “A cross-site scripting flaw on a customer-facing Web site could allow criminals to access the internal network or, at the very least, insert counterfeit content alongside legitimate content on a site and redirect customers to a fraudulent third-party site. For financial institutions, it’s all about shoring up even the most seemingly innocuous areas of risk.”



In the companion Javelin report, Improving Web Application Security Using New 2010 OWASP Top 10 Risk Model: Best Practices for Mitigating Online Vulnerabilities and Threats, Javelin presents a model that identifies the risks organizations face today based on the OWASP model. The model demonstrates how to weigh vulnerabilities under the new system and set mitigation priorities. The report also integrates the latest attack data from the Web Hacking Incident Database and compares what’s happening with vulnerability data from the Web Application Consortium’s October 2009 annual report.

“These reports are a how-to guide for improving Web site vulnerabilities, with focus on customer interaction and effective use of finite security resources,” said Mary Monahan, Research Director and Managing Partner. “Instead of being reactive and responding to the volumes of attacks, the security community can risk-weight and strengthen vulnerable areas specific to each institution, while integrating best-practice models such as the proposed 2010 OWASP Top 10.”



Key Findings

U.S. Online Channel Security – An Assessment of the 24 Top Financial Institutions:


  • One in five sites uses easy-to-guess authentication information such as date-of-birth, e-mail addresses, and ZIP codes.

  • Just one in four banks minimizes data exposure by truncating Social Security numbers during enrollment, with as many providing alternatives to SSN for enrollment or username and password retrieval.

  • Mystery-shopping research reveals that many banks are struggling with best practices around sensitive records such as bank account PIN and ATM numbers.

  • Just one in four sites required users to choose a new password longer than six digits.

  • Over nine in ten use generic error messages when a customer’s login fails, but one in ten still gives specific information that can be used in a brute-force attack.
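
The findings above on login error messages, minimum password length and SSN truncation come down to a few lines of application code. The following Python module is an added illustration written for this page; it is not code from the Javelin report or from any of the banks assessed. The account data, the seven-character minimum (chosen as the floor implied by “longer than six”), and the `AccountStore` class are all constructed for the demonstration. It shows the leaky login pattern the report flags next to the generic-message version, which also does the same password-hashing work whether or not the username exists, so neither the message nor the response time reveals which usernames are valid.

```python
"""Added example (not the report's or any bank's code): enrollment and login
handlers illustrating generic login errors, a password-length floor and SSN
truncation. All account data here is constructed for the demo."""
import hashlib
import hmac
import os
import secrets

# Assumed policy: the report's bar is "longer than six", so treat seven as the floor.
MIN_PASSWORD_LENGTH = 7
PBKDF2_ROUNDS = 100_000

# One message for every failed login, regardless of the reason.
GENERIC_LOGIN_ERROR = "The username or password you entered is incorrect."


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the cost is the same for every call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def mask_ssn(ssn: str) -> str:
    """Truncate an SSN for display/confirmation so only the last four digits remain."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a nine-digit SSN")
    return "***-**-" + digits[-4:]


class AccountStore:
    """In-memory credential store standing in for a bank's user directory (constructed)."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}
        # A throwaway credential hashed for unknown usernames, so the login path
        # always performs one PBKDF2 computation and one comparison.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_urlsafe(16), self._dummy_salt)

    def enroll(self, username: str, password: str) -> tuple[bool, str]:
        """Reject short passwords before anything is stored."""
        if len(password) < MIN_PASSWORD_LENGTH:
            return False, f"Password must be at least {MIN_PASSWORD_LENGTH} characters."
        if username in self._accounts:
            # Enrollment cannot avoid revealing that a name is taken; rate-limit this path.
            return False, "That username is not available."
        salt = os.urandom(16)
        self._accounts[username] = (salt, _hash_password(password, salt))
        return True, "Enrolled."

    def login_leaky(self, username: str, password: str) -> tuple[bool, str]:
        """The pattern the report counts against banks: the message says which part failed."""
        record = self._accounts.get(username)
        if record is None:
            return False, "No account exists for that username."
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return False, "Incorrect password for this username."
        return True, "Welcome."

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Generic message and identical work whether or not the username exists."""
        record = self._accounts.get(username)
        known = record is not None
        salt, stored = record if known else (self._dummy_salt, self._dummy_hash)
        match = hmac.compare_digest(stored, _hash_password(password, salt))
        if known and match:
            return True, "Welcome."
        return False, GENERIC_LOGIN_ERROR


def messages_distinguish_users(store: AccountStore, login_fn) -> bool:
    """Return True if a wrong password for a real user and for a made-up user
    produce different messages, i.e. the login reveals which usernames exist."""
    _, real_msg = login_fn("alice", "not-the-password")
    _, fake_msg = login_fn("no-such-user-" + secrets.token_hex(4), "not-the-password")
    return real_msg != fake_msg


if __name__ == "__main__":
    store = AccountStore()
    print(store.enroll("alice", "short"))
    print(store.enroll("alice", "correct horse battery"))
    print("leaky login reveals users:", messages_distinguish_users(store, store.login_leaky))
    print("generic login reveals users:", messages_distinguish_users(store, store.login))
    print(mask_ssn("123-45-6789"))
```

The `login` method deliberately hashes a dummy credential for unknown usernames rather than returning early; a uniform message alone is not enough if an early return makes the unknown-user case measurably faster. The `enroll` path still has to say when a username is taken, so that endpoint is where rate limiting and CAPTCHA-style friction belong.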

Improving Web Application Security Using New 2010 OWASP Top 10 Risk Model: Best Practices for Mitigating Online Vulnerabilities and Threats:

  • SQL injection and cross-site scripting are, in that order, the top two risks faced by businesses, according to the new proposed OWASP model.

  • Security misconfiguration as well as unvalidated redirects and forwards are now among the top-10 risks that businesses face with their Web applications.

  • Malicious file execution as well as information leakage and improper handling are no longer among the top-10 risks.

About Javelin Strategy & Research

Javelin provides superior direction on key facts and forces that materially determine the success of customer-facing financial services, payments and security initiatives. Our advantages are rigorous process, independent position, and expert people. For more information about this or other Javelin reports, please visit www.javelinstrategy.com/research or contact Elizabeth Travers at (925) 225-9100 ext. 31 or etravers@javelinstrategy.com.



Editor’s Note:
To arrange an interview with Mr. Van Dyke, Ms. Monahan and/or view research on this topic or a similar topic (available to qualified members of the press), please contact Crystal Mendoza at +1.925.225.9100 ext. 35 or cmendoza@javelinstrategy.com.
