Security Issues for 50 of the Biggest Banks are Revealed
NEW YORK (MainStreet) -- As the FBI warns that hackers have been infiltrating the computers of U.S. government agencies for more than a year, and with the Adobe breach reported last month now affecting some 38 million customers, along with the gaping security holes plaguing Healthcare.gov, perhaps all we can do is simply strike the pose of a befuddled Alfred E. Neuman and say "What, me worry?"
But, there's more: a security firm in Switzerland has just compiled a comprehensive list of the website hack attacks that have threatened the world's largest banks. Ilia Kolochenko is the CEO of High-Tech Bridge, a security services company headquartered in Geneva that collected the data.
"We didn't discover these vulnerabilities ourselves, as testing banks' websites without their initial permission may be illegal," Kolochenko is careful to note. "The vulnerabilities we have reported in our research were discovered by different, mostly anonymous, security researchers and publicly exposed."
Basically, High-Tech Bridge simply looked where hackers like to hang their trophies.
"We searched two major web hack archives (xssed.org and zone-h.org) where attackers report or, as they say, 'create mirrors' of compromised websites to 'perpetuate' their hacks and get some glory and respect in the hacking community," Kolochenko tells MainStreet. "The presence of a bank website on xssed.org means that its website had at least a medium-risk vulnerability," he says. "While a presence on zone-h.org means that the entire bank's website was compromised, and quite probably that a lot of confidential and sensitive information were stolen by hackers -- such as databases with customer and/or banking information, etc."
Besides these two "hall of fame" hacker archives, the security firm also searched for information regarding compromised or vulnerable banking websites on various security and hacking websites, forums and blogs.
Bank of America, JP Morgan Chase, Wells Fargo and Citigroup are all on the list with at least one security incident reported, some having as many as a dozen or more. In all, fifty websites were analyzed and 102 publicly exposed incidents within the past ten years were discovered. Nearly one-quarter (22%) of the websites had been exposed to critical security breaches.
Some of the security events reveal efforts of social engineering (e.g. phishing) attacks -- an effort to compromise e-banking accounts or steal sensitive information available on a bank website. Many of the security breaches were used for drive-by attacks to compromise the computers of a website visitor, converting the machines into "zombies" by compelling the victim to simply open the vulnerable website.
A few of the bank websites were hacked by attackers who could very likely access the databases behind a bank's website, gaining extremely sensitive data.
However, Kolochenko says it's what we don't know that should really worry us. He says reports of financial institution security issues have actually declined this year, and that's not a good thing.