Half of the 50 biggest banks have faced
security incidents affecting their web applications. Fifteen per cent of
those incidents were classified as “high” or “critical” risks, a new
study has revealed.
The research was carried out by Swiss IT services firm High-Tech Bridge, and found that 11 bank sites had faced serious incidents in the past eight years, according to Computer World.
High-Tech Bridge claims that research by Frost and Sullivan
shows that three out of four network intrusions are the result of
insecure web applications. The company acknowledges that its data does
not include information on DDoS attacks or phishing – threats commonly
faced by banks.
The Swiss firm published its research, based on publicly
available data, to coincide with a “cyber war game” testing the defenses
of Britain’s investment banks. The firm was involved in testing
security for some of these institutions, according to CEO Ilia
Kolochenko, interviewed by the London Evening Standard.
Most bank sites had faced low- or medium-risk incidents in their web applications, usually involving cross-site scripting vulnerabilities.
Ilia Kolochenko, High-Tech Bridge CEO, says: “The numbers we see are
quite impressive, even though our research only covered publicly-known
security incidents and we didn’t take into account the more common DDoS
attacks or phishing campaigns as they do not involve security of web
application directly.
“The statistics confirm that even financial institutions should pay more attention to their web application security, not only to protect their customers but to maintain their digital reputation. The fact that there are few security incidents publicly exposed in 2013 does not necessarily confirm that web applications are becoming more secure. It’s more about new objectives of hackers – today they are not looking for glory but for profit, therefore don’t make any noise and compromise web systems without being noticed.”
A ‘war game’ scenario on Tuesday, reported by We Live Security, tested thousands of banking staff across London’s investment banks against the ‘worst case scenario’ – a major cyber attack on stock exchanges, among other scenarios. The simulation, ‘Waking Shark II’, is one of the largest exercises of its kind ever organized in the world, according to a report by Reuters. The exercise also simulated other scenarios, such as how banks ensure the availability of cash from ATM machines.
The “game” was organized by the Bank of England, the
Treasury and Britain’s Financial Conduct Authority and follows a similar
exercise two years ago.
In September, Scott Borg, chief of the U.S. Cyber Consequences Unit,
said that he believed manipulation of the financial markets would be the
next major target for cybercriminals, according to Computer World.
More than half of securities exchanges around the world
faced cyber attacks last year, according to a paper released by the
International Organization of Securities Commissions (IOSCO) and the
World Federation of Exchanges (WFE), as an earlier We Live Security report noted.
“The number of high profile and critical ‘hits’ is also increasing,” says the IOSCO report. The report warns that underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.
A survey of 46 exchanges around the world found that 53% had faced
cyber attacks – mostly disruptive in nature, rather than financially
motivated, and mostly consisting of malware or DDoS attacks. Nearly all –
89% – of those surveyed agreed that cybercrime should be considered a
systemic risk.