
Under attack: RBS systems

Interest in the security of such systems is understandable, and banks, it would seem, are working in this direction, using all kinds of security tools (encryption, electronic digital signatures, etc.). But what is the real state of security of remote banking systems (RBS)? Positive Technologies experts conducted their own research. The results are below.
Research data
To prepare the report, vulnerability statistics of remote banking systems for 2011 and 2012, collected by Positive Technologies specialists during work for a number of large Russian banks, were used.
55% of the examined RBS systems are built on solutions supplied by well-known vendors. Fewer than half of the systems studied are in-house developments (written in Java, C#, PHP and other languages).
Common Vulnerabilities and Threats
The analysis revealed a large number of vulnerabilities of various risk levels: 8% of the vulnerabilities were high-risk, 51% medium-risk and 41% low-risk.

The most common vulnerabilities are weak passwords (82%) and weak protection against attacks aimed at guessing (brute-forcing) user credentials (82%). Many systems also disclose version information about the software in use (73%), which makes it easier to plan attacks on a vulnerable system. Among the vulnerabilities at the web application code level, flaws leading to cross-site scripting (64%) are widespread; these make it possible to attack users (for example, in combination with social engineering).
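The three most frequent findings above (weak passwords, weak protection against credential brute-forcing, and version disclosure) all have well-known server-side controls. The following is an added example written for this page, not Positive Technologies' or any bank's code: a password-policy check, a per-account sliding-window throttle with lockout, a login gate that uses it, and a response-header filter. The thresholds, the `verify` callback and the header names are assumptions chosen for illustration.

```python
"""Defensive controls for the most common RBS findings in the report.
Constructed example; thresholds and names are assumptions."""

import re
import time
from collections import deque

# Constructed sample of a deny-list; a real deployment would load a large one.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "12345678"}


def check_password_policy(password, min_len=12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


class LoginThrottle:
    """Per-account sliding-window throttle.

    After `max_failures` failed logins within `window` seconds the account is
    locked for `lockout` seconds. Keying on the account (not the source IP)
    means guessing spread across many source addresses is still caught.
    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lock expired: forget it and the old failures
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Record a failed attempt; return True if this attempt triggered a lock."""
        now = self.clock()
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, verify, account, password):
    """Gate the real credential check (`verify`, a hypothetical callback) behind the throttle.

    Returns 'locked', 'ok' or 'denied'. The same generic 'denied' is returned for
    an unknown account and for a wrong password so the response does not reveal
    which accounts exist.
    """
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


# Headers that commonly carry product and version strings (assumed list).
DISCLOSING_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")


def strip_version_headers(headers):
    """Drop version-disclosing response headers and replace Server with a generic value."""
    cleaned = {k: v for k, v in headers.items() if k not in DISCLOSING_HEADERS}
    cleaned["Server"] = "web"
    return cleaned


if __name__ == "__main__":
    print(check_password_policy("Password1"))
    th = LoginThrottle(max_failures=3, window=60, lockout=120)
    for _ in range(4):
        print(attempt_login(th, lambda a, p: p == "correct", "alice", "wrong"))
    print(strip_version_headers({"Server": "Apache/2.2.22", "X-Powered-By": "PHP/5.3",
                                 "Content-Type": "text/html"}))
```

The throttle is keyed on the account rather than the client address because the report's brute-forcing finding concerns guessing against user credentials; a lock per source IP alone is defeated by spreading guesses over many addresses. A production version would persist the counters outside a single process and log lock events for the monitoring team.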
The most common vulnerabilities have medium and low risk levels. However, a combination of such shortcomings, as well as the presence of critical vulnerabilities specific to a particular system, can lead to serious consequences, including gaining full control over the system.

In more than 70% of cases, it was found that an attacker could either gain access to the operating system or DBMS of the RBS system at the server level, or conduct unauthorized transactions at the level of an individual user. Vulnerabilities enabling such threats are present both in in-house systems and in systems supplied by vendors.
Conclusions
The level of security of RBS systems is higher than the average for the other applications that Positive Technologies specialists deal with, and critical vulnerabilities (RCE, SQL injection) are not so common in them. Despite this, a combination of non-critical security flaws can still allow an attacker to bypass anti-fraud systems and carry out unauthorized transactions.

Notably, the situation with patch management in the banking sector is better than is commonly thought. Much bigger problems are observed in configuration management: 34% of the investigated systems are configured incorrectly. In addition, the prevalence of security problems caused by deficiencies in the implementation of protection mechanisms and by vulnerabilities at the web application code level points to the need for a more thorough analysis of application security, both at the level of requirements for security functions and at the level of secure development requirements (including code analysis).

We will be happy to answer your questions. Thanks for your attention!
The full study report is available on the Positive Technologies website.