All Russian web-based banking apps are vulnerable to attacks from the outside, making it possible to access clients’ personal details and confidential banking information. More than half (54%) of these applications make it possible to steal clients’ money.
The report characterizes the protection of 61% of such web applications as “low” or “very low.”
These are some of the findings of a study recently completed by Positive Technologies, a leading global provider of enterprise security solutions headquartered in Moscow.
The Financial Sector Computer Emergency Response Team (FinCERT) of Russia’s Central Bank said such vulnerabilities have already been actively exploited by intruders. In 2018, according to FinCERT, 1.47 billion rubles (more than $23 million) was stolen from the accounts of corporate clients of Russian banks as a result of some 6,100 attempts to perform illegal transactions, the business daily Kommersant reported.
In 46% of the cases, the intruders managed to withdraw the money by getting access to Russian banks’ web applications with the help of malware.
“This means that intruders can learn the numbers of banking cards, view existing templates and in some cases even edit them,” said Yaroslav Babin, who heads the banking systems security research team at Positive Technologies.
“For instance, if a client has a recurring automatic payment configured to top up the balance on their phone, the intruders can use a vulnerability like this to secretly change the phone number,” the expert added.
Insufficient protection against data interception, poorly implemented two-factor authentication, and flaws in the business logic of web applications were among the most common causes of the vulnerabilities identified.
Security experts believe that to counter such attacks, Russian online banks should adopt measures such as a Secure Software Development Life Cycle (SSDLC) and application security practices.