In an application security, privacy, and compliance probe, testing firm ImmuniWeb highlighted the concerning state of security at the world's largest financial institutions, handing only three an A+ result for SSL encryption and website security.
Switzerland's Credit Suisse, Denmark's Danske Bank, and Sweden's Handelsbanken passed with flying colours, with not a single issue or misconfiguration found on their main websites. Five of the world's largest financial institutions received a fail, due to "exploitable and publicly known security vulnerabilities found".
40 organisations received an A, which meant there were "minuscule" issues found or "slightly insufficient" security hardening; 20 were given a B, with several minor issues or insufficient security hardening uncovered; while a C mark was given to 31, with those institutions' websites containing security vulnerabilities or several serious misconfigurations.
Where e-banking was concerned, 15 institutions received an A+ score; 27 an A; a B was given to 13; a C to 40; and an F, which means there were exploitable and publicly known security vulnerabilities found, was received by seven.
The SSL/TLS encryption security grades for the institutions' main websites saw an increase in A+ scores, but also a larger number of fails. A+ was given to 25; A to 54; B to seven; one received a C; but 13 failed due to having no encryption and/or SSLv3, or exploitable security vulnerabilities found.
SSL/TLS encryption security grades for the e-banking web applications were a lot better, with 29 given a top score and only two failing.
Only 39 financial institutions passed the GDPR main website compliance test, and a total of 2,081 subdomains failed. 17 e-banking websites passed the GDPR compliance tests.
ImmuniWeb said that on average, each website contained two different web software components, such as JS libraries, frameworks, or other third-party code. As many as 29 websites contained at least one publicly disclosed and unpatched security vulnerability that was classed as medium or high risk.
The oldest unpatched vulnerability detected during the research was CVE-2011-4969 impacting jQuery 1.6.1, which has been known since 2011. ImmuniWeb said the most popular website vulnerabilities were XSS (Cross-Site Scripting, OWASP A7), Sensitive Data Exposure (OWASP A3), and Security Misconfiguration (OWASP A6).
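The kind of check behind these figures, fingerprinting third-party JavaScript from a page's script paths and comparing the version against a known patched release, is simple enough to run against your own sites. The following is an added illustration, not ImmuniWeb's tooling or methodology: it parses a constructed sample page, extracts library name and version from script URLs, and flags anything below a minimum patched version. The minimum-version table is an assumption for the example and covers only jQuery, using 1.6.3 as the release that fixed CVE-2011-4969; a real inventory would pull that table from a vulnerability feed and fingerprint far more than path names.

```python
import re
from html.parser import HTMLParser

# Illustrative minimum patched versions (assumption for this example, not ImmuniWeb's data).
# CVE-2011-4969, the oldest finding cited in the article, is fixed in jQuery 1.6.3.
MIN_PATCHED = {"jquery": (1, 6, 3)}

# Matches paths such as "jquery-1.6.1.min.js" and "jquery/1.6.1/jquery.min.js".
LIB_VERSION_RE = re.compile(r"(?P<lib>jquery)[-/](?P<ver>\d+(?:\.\d+)+)", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def parse_version(text):
    """'1.6.1' -> (1, 6, 1); short versions are padded so '1.6' compares as (1, 6, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def fingerprint_scripts(html):
    """Return (src, library, version) for each script whose path names a known library and version."""
    collector = ScriptCollector()
    collector.feed(html)
    found = []
    for src in collector.sources:
        match = LIB_VERSION_RE.search(src)
        if match:
            found.append((src, match.group("lib").lower(), match.group("ver")))
    return found


def find_outdated(html):
    """Return the fingerprinted scripts whose version is below the minimum patched version."""
    outdated = []
    for src, lib, ver in fingerprint_scripts(html):
        minimum = MIN_PATCHED.get(lib)
        if minimum and parse_version(ver) < minimum:
            outdated.append((src, lib, ver))
    return outdated


# Constructed sample page for the example; not taken from any real bank site.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-1.6.1.min.js"></script>
<script src="https://cdn.example.test/jquery/3.5.1/jquery.min.js"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, lib, ver in find_outdated(SAMPLE_HTML):
        print(f"OUTDATED {lib} {ver} below {MIN_PATCHED[lib]}: {src}")
```

Run against the sample, only the jQuery 1.6.1 include is reported; the 3.5.1 copy passes and `app.js` carries no recognisable version and is ignored. The same loop is where a defender would plug in additional library patterns and a current advisory feed so that subdomains, which the report found to be in a worse state than main sites, get the same inventory as the primary domain.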
"With regard to the subdomains, the situation is even more disastrous with outdated components: 81% of the subdomains that contain fingerprintable external software have outdated components and 2% contain publicly disclosed and exploitable vulnerability of medium or high risk," the company wrote.
ImmuniWeb said 100% of the banks it looked into also had security vulnerabilities or issues related to forgotten subdomains.
The company also said of 29 active phishing campaigns it detected, most of the malicious websites were hosted in the US, with Wells Fargo customers targeted by seven, Bank of America customers hit by eight, and JP Morgan Chase customers being hit by three. JP Morgan Chase was targeted by a total of 227 phishing campaigns.
The probe extended to mobile banking applications, with ImmuniWeb reporting that 55 banks allowed access to sensitive banking data. In total, these mobile apps communicated with 298 backend APIs to send or receive data from their respective banks.
Calling the findings "quite disturbing", ImmuniWeb reported that 100% of mobile banking applications contained at least one low-risk security vulnerability, 92% had at least one medium-risk security vulnerability, and 20% contained at least one high-risk vulnerability.
"Given the non-intrusive methodology of our research, as well as important financial resources available to the banks, the findings urge financial institutions to rapidly revise and enhance their existing approaches to application security," ImmuniWeb CEO and founder Ilia Kolochenko said.