Leaky Bank Websites Let Clickjacking, Other Threats Seep In
Banks' websites are as full of security holes as Swiss cheese, according to at least two recent research reports.
In fact, one report, from security vendor Trend Micro, has actually named a complex type of online banking attack taking place in Austria, Switzerland, Sweden and Japan "Emmental," after the Swiss cheese.
But it's research from a company that does not sell security software or services, Sycorr, that is the most disconcerting. In tests of more than 11,000 bank and credit union websites, the company found that 97% of the sites do not prevent a type of fraud called clickjacking. It also found that 44% don't use secure sockets layer, or SSL, a commonly accepted means of encrypting website sessions.
In clickjacking, an attacker tricks users into clicking on a fake web page layered on top of the page they think they're in, such as a bank website page. The fake page can then collect confidential information such as online banking credentials.
"The fix is relatively simple and if it was my site or that of an affiliate, I would act to ensure it was in place," said Alphonse Pascual, practice leader for fraud and security at Javelin Strategy & Research.
Clickjacking can be prevented with the insertion of one line of code in a website: X-Frame-Options: DENY. The very largest banks, such as Wells Fargo, do prevent clickjacking, but many small banks have yet to make the fix, according to Sycorr's research.
Still, Pascual argues that the 97% figure could be misleading, as most U.S. deposits reside with relatively few banks, and large banks for the most part do have clickjacking protections in place. "The message would be more meaningful if this was a common problem with larger, well known institutions as opposed to thousands of what are likely to be smaller, community banks and credit unions," he said.
To be sure, clickjacking is not new, nor has there been much of this type of fraud reported in the financial services industry.
But Jeremy Neuharth, the co-founder of Sycorr, said he believes it will eventually cause headaches for banks. "Right now fraudsters are using other attacks that are easier, but not it's not much further down the list before they're going to hit this one," Neuharth said.
Overall, online banking fraud remains a major concern. Corporate account takeover fraud alone is expected to exceed half a billion dollars this year globally, according to Julie Conroy, research director at Aite Group.
OWASP, an organization that maintains best practices around basic web security, has suggested 10 basic security measures that should be applied to all websites, including mechanisms that would prevent clickjacking.
In Sycorr's analysis of financial institution websites, it found that many of the basic OWASP requirements were not being met. The company says it did not set out to uncover security flaws, but to benchmark the industry on website best practices to find areas its clients could strengthen to perform better than the competition, said Jeremy Neuharth, co-founder of Sycorr. It tested banks' websites for things like search engine placement, social media, responsive and mobile design support, and basic web security and began to see patterns in the data.
"When we found out that high numbers of financial institutions were not following even OWASP basic stuff, we knew this was bigger than ourselves and we had to get the message out to the industry," Neuharth said. "This is one of the major reasons why we put the fix [for clickjacking] right on our website, it is easy and everyone should be doing it."
One could argue that a bank's public-facing website is more or less an online marketing brochure, and strict security is not that essential. After all, banks do tend to apply more security to their online banking pages.
But security on the public site still matters. Even if a bank normally doesn't let users log in to online banking from their home page, clever hackers could add the login section to their fake, overlaid page with language saying it's a new convenience for customers.
"Most phishers or scammers are going to want to do something quick and easy, and putting your website in a frame takes only one line of code," said Max Pool, the other co-founder of Sycorr. "It takes three seconds to do." Sycorr's own developers created clickjacking malware within a day.
The lack of SSL on almost half of banks' sites increases the possibility that a malicious actor could intercept a web session between a customer and his bank and glean online banking credentials. Or it could lead to a more subtle form of social engineering: if a customer is looking at his bank wealth management account on his laptop at a coffee shop and a hacker is sniffing the wireless network, that person could see that site activity and follow the customer home, assuming the person is wealthy.
The Emmental online banking attack, which Trend Micro explained in a report it issued this week, takes advantage of the single-session tokens some banks use to authenticate online banking users, by sending a one-time passcode through SMS text message.
This type of attack, which has not been discovered in the U.S. yet, starts with a fake email that appears to be from a popular brand and entices the user to click on an attachment, for instance by calling it an order receipt. The attachment includes malware that changes the user's computer settings to give the hackers control over Internet travels such that when the users try to access a banking site, they are redirected to a malicious server, which then tricks them into typing in their user name and password. Trend Micro's conclusion is that single-session tokens are ineffective.
In isolation, no security mechanism is effective, observers say. As long as online banking exists, there will be those who try to break into it any way they can.