Insecure passwords are the greatest weakness of internet banking

The most widespread vulnerabilities in internet banking systems are shortcomings in password policies (82%) and weak protection against attacks that brute-force users' login credentials.

Many systems also disclose the version of the software in use (73%), which makes attacking the system easier. Among the vulnerabilities at the web application code level are flaws that allow cross-site scripting (64%), which simplifies attacks on users (for example, in combination with social engineering). The most widespread vulnerabilities are of medium or low risk. However, a combination of these flaws, together with individual critical vulnerabilities present in specific systems, can lead to serious consequences, including complete control over the system.

As Sergey Gordeychik, deputy general manager of Positive Technologies, put it: «In the search for a compromise between security and convenience, developers often choose the latter, because users of internet banking often find it hard to remember and use complex passwords. Overall, we believe that authentication by entering a password does not meet modern security requirements. As for brute force, it is applied not only to passwords, but also to identification numbers, account or card numbers, CVV/CVC codes, CAPTCHA, etc. In addition, the development of internet banking for mobile devices often requires simplifying the interface, and developers sometimes neglect certain defensive mechanisms.»

According to the research, in more than 70% of cases an attacker is able to gain access to the operating system or the database management system of the internet banking server, or to carry out transactions on behalf of individual users. Vulnerabilities leading to such threats exist both in systems developed in-house and in those developed by contractors. Often, to carry out an illegal transaction at the user level, the attacker needs only several medium-severity vulnerabilities. This means that the absence of critical vulnerabilities does not guarantee that a system is sufficiently protected.

According to the research results, access to the operating system or database management system of the server is possible in every third case, and in a number of cases complete control over them can be obtained. Another 37% of the systems allow unauthorized transactions to be carried out at the user level. Among the vulnerabilities discovered by the experts, 8% were of high severity, 51% of medium severity and 41% of low severity.

According to Evgeniya Potseluyevskaya, head of the analytical group in the analysis department at Positive Technologies, banks take measures to prevent brute-forcing of passwords to users' accounts, but these measures are often insufficient. All of the studied systems imposed some restrictions on password choice, but these were not enough. Every fifth system required a minimum password length of 6 characters. Several years ago this was enough, but under modern conditions a password of that length can be cracked quite quickly. It is recommended that the password be at least 8 characters long.
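As an added illustration (example code, not part of the article or of the Positive Technologies research), the following enforces the 8-character minimum mentioned above and shows why a per-account failed-login counter alone is insufficient when guessing is spread across many identifiers, as Gordeychik describes: the sample events, IP addresses and account names are constructed, and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

MIN_PASSWORD_LENGTH = 8  # the recommendation in the article; 6 is no longer enough


def password_meets_policy(password):
    """Minimal length policy from the article: at least 8 characters."""
    return len(password) >= MIN_PASSWORD_LENGTH


# Constructed authentication events: (source_ip, account, outcome).
SAMPLE_EVENTS = (
    # one source hammering a single account: trips the per-account counter
    [("203.0.113.7", "acct-1001", "fail")] * 6
    # one source trying one guess against many accounts: every account sees a
    # single failure, so only the per-source counter notices this pattern
    + [("198.51.100.9", f"acct-{n}", "fail") for n in range(2000, 2012)]
    # a normal user mistyping once and then logging in
    + [("192.0.2.5", "acct-3001", "fail"), ("192.0.2.5", "acct-3001", "success")]
)


def brute_force_alerts(events, account_limit=5, source_limit=10):
    """Return alerts from two independent counters (limits are assumed values).

    - per account: failed attempts, the classic lockout criterion
    - per source: number of distinct accounts with failures, which catches
      guessing spread across identification/account numbers
    """
    fails_per_account = Counter()
    accounts_per_source = defaultdict(set)
    for source, account, outcome in events:
        if outcome != "fail":
            continue
        fails_per_account[account] += 1
        accounts_per_source[source].add(account)

    alerts = []
    for account, n in fails_per_account.items():
        if n >= account_limit:
            alerts.append(("account", account, n))
    for source, accounts in accounts_per_source.items():
        if len(accounts) >= source_limit:
            alerts.append(("source", source, len(accounts)))
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_EVENTS):
        print(alert)
```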

Author: Inna Kudrina

Source: http://digit.ru/internet/20131021/406990966.html#ixzz2jw7GGOow

RIA Novosti
