Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > THE EXTERNAL ATTACK SURFACE: BANKINGS NEXT SECURITY FRONTIER

THE EXTERNAL ATTACK SURFACE: BANKINGS NEXT SECURITY FRONTIER

Published by Gbaf News

Posted on May 21, 2015

4 min read

Last updated: January 22, 2026

Mobile Banking

By Ben Harknett, VP EMEA, RiskIQ

For financial institutions to prosper they need to nurture and maintain a trusted relationship with their clients and evidence a culture of stability. The dawn of the digital age has seen more pressure placed on financial institutions to make sure that trust, security and stability is paramount when customers are interacting with an institution’s digital footprint.

This footprint has been growing at an exponential rate in the banking and finance sector. It’s now common place for consumers to be interacting with banking institutions online, via mobile applications and social media.

In a recent study undertaken at RiskIQ it was revealed that on average, financial institutions have 7,500 digital assets each that are accessible in the open web or in app stores – Of these, over 60% of web assets were hosted on external servers outside the IT department’s control.This is a worrying thought given how consumers trust that every interaction they have with a financial institution should be secure.

The Mobile Banking Movement

The world is becoming ever more mobile and the banking and finance industry are embracing this by allowing customers and employees to engage with their services with greater flexibility regardless of location.

As part of the study, which looked at 35 top banks and financial institutions we uncovered 1,777 mobile applications, an average of to 51 per bank. However, only 6% of these mobile apps were found in the official app stores (Google Play, Apple App Store, Windows Phone Store, etc). The rest were scattered through a secondary tier of app distribution sites, making it difficult or impossible to tell if updates or security patches would reach customers and if they had any foreign tampering along the way.

Of those discovered, 80% of the apps required users to grant them 10 or more permissions, typically in excess of what was needed for app functionality. These permissions often grant unnecessary access to functions such as a user’s contact, email and messaging history or sometimes a recording tool.

In 2014 an average of £6.84 bn a week was transferred in the UK using mobile banking.The risk of these interactions being compromised through rogue or copycat mobile apps poses a real threat with both financial and brand consequences.

The External Attack Surface

When it comes to information security the most prominent strategy many organisations,regardless of sector, choose to follow remains an in-depth defence approach tied to the belief that the perimeter to be defended is the firm’s firewalls and internal networks.

The growing number of assets hosted outside of an organisation’s firewall present a challenge to this approach as they can no longer be managed from a security perspetive in the same way. Unsurprisingly, this external attack surface is far more expansive than the internal one, often by several orders of magnitude as the interactions between consumers and financial institutions are increasingly happening on the web, via mobile applications and on social media platforms and organisations are responding by developing new digital assets, many of which reside outside the firewall; on hosted web platforms, in mobile app stores and on social media sites.

It’s often the case that threats against an organisation’s external digital footprint can be segmented by the delivery system used to reach the user and the source of the vulnerabilities. Delivery systems include redirecting or farming websites and web assets, brand spoofing via unauthorised websites, or phishing emails. Common sources of vulnerability included software and communications security flaws, scripting languages, third-party components and libraries, and uncontrolled asset hosting which can lead to an injection of rogue or compromised assets, software bugs, etc.,

When it comes to externally hosted assets we found that 93% of Banks had assets hosted with cloud-based IaaS providers such as Amazon Web Services or Rackspace. While 94% were incorporating code from one or more third-party analytics/ tracking services which could pose a security risk. For example, Gigya was hacked by the Syrian Electronic Army (SEA) in November 2014 using a DNS redirect, leading to the website defacement of a number of well known commercial sites.

As the research shows, the modern banking industry brings with it more digital exposure and therefore more digital risk. In response, security teams need to develop an effective external threat management programme as a core component of their overall security capability. This means an “outside looking in” approach that strives to protect users of digital channels and the integrity of the digital brand in addition to protecting corporate assets.