Two weak links cyber attackers are exploring to breach banks

By Rui Ribeiro, CEO at Jscrambler

The coronavirus pandemic has brought on a lot of changes into modern society, specifically when it comes to digital transformation. If we were already headed into the digital direction pre-pandemic, these unprecedented circumstances have only further accelerated the process. From education to banking, all sectors are going through this digital transformation, providing much-needed safer alternatives to in-person interactions. But how does this new paradigm impact the cybersecurity posture of organisations? How are financial institutions adapting and what do they need to improve?

When it comes to the banking sector, the digital component has become instrumental in the economy. On this note, it was found in a recent survey that 84% of consumers expect banks to actively transform their processes and offer digital services to keep them safe. We have seen large-scale closure of physical banks, and the use of electronic payments is increasing as people make the shift from cash to digital. Due to the circumstances, there has also been a general increase in e-commerce transactions, for example, there was an 81% increase in Italy according to Mckinsey & Co. All these factors are making traditional banks shift to digital banking faster than ever.

Incumbents are embracing the democratization of financial services and launching customer-centric platforms, for example, Santander launching openBank or RBS launching Bó. Not only are we seeing traditional banks shift their processes, but we are also seeing an increase in neobanks. These banks operate exclusively online without traditional physical branch networks as is the case with Revolut, N26, Nubank, and many more. But what does all this rapid growth mean for banks in terms of security?

With all the upsides digital banking brings, also come new challenges, specifically in terms of keeping user’s data safe. The core logic of modern web banking apps and hybrid mobile banking apps is written in JavaScript, a programming language that allows development teams to shorten product release cycles. However, JavaScript requires special attention in terms of security, as it can be easily retrieved or tampered with by attackers, who can target the JavaScript source code to plan or automate data exfiltration attacks.

The majority of digital banking providers also rely on an agile product development process to be able to keep up with market demand and they often sacrifice security because of it. This race also increases the possibility of web supply chain attacks since development teams are relying extensively on third-party code. For example, we saw this issue in November of 2018 when an attacker was able to gain control of the event-stream JavaScript library, which was a third-party code dependency of Copay, a cryptocurrency wallet. This allowed the attacker to inject malicious code which harvested the credentials and private keys of Copay users. The company’s development team did not detect the malicious code immediately and released several builds of the infected application.

The Copay example is only one in many incidents that have happened over the years. These cybersecurity incidents are sadly not uncommon, especially when technology advances as fast as it has in the past few years. With this rapid mutation of digital banking solutions, we see malicious strategies also improving fast to try and keep up with the market. Companies need to be aware of this double-edged sword so that they can also focus on improving their security. Having visibility and control over their products is crucial when it comes to ensuring that their web and mobile applications are not being leveraged by attackers to siphon user data.

In conclusion, although the shift to digital transformation is bringing a lot of needed safety for users when it comes to avoiding in-person interactions, users also need protection in the digital space. Because of this, banks are required to consider the possibility of the various online threats and find solutions to keep their users’ data safe. Developing an application fast enough to keep up with other digital banking applications is not enough to provide a good user experience. The key takeaway here is that banks need to take action now and mature their client-side security to prevent breaches and be compliant with regulations. If they are able to successfully manage their client-side security, they can outpace attackers and keep their users safe.