
Under attack: RBS systems

Today a bank is no longer just a place where you bring your passbook to deposit money. Banking has long been a high-tech industry whose normal operation requires a huge amount of hardware and software. Clients' expectations have changed as well: as the Internet has penetrated everyday life, more and more people do not want to waste time standing in queues and prefer to carry out transactions online. Remote banking service (RBS) systems exist to meet this demand.

Interest in the security of such systems is understandable, and the banks, it would seem, are working in this direction, using various protection mechanisms (encryption, electronic digital signatures, etc.). But how secure are RBS systems really? Positive Technologies experts conducted their own research. Results under the cut.

Data for research


To prepare the report, we used statistics on remote banking service vulnerabilities for 2011 and 2012, collected by Positive Technologies specialists during work for a number of large Russian banks.

55% of the reviewed RBS systems are built on solutions supplied by well-known vendors; the remainder (less than half) are in-house developments (in Java, C#, and PHP, among others).

Common Vulnerabilities and Threats


The analysis revealed a large number of vulnerabilities at various risk levels: 8% of the vulnerabilities found are high-risk, 51% are medium-risk, and the rest (41%) are low-risk.



The most common vulnerabilities are weak password policies (82%) and weak protection against credential-guessing attacks (82%). Many systems also disclose the versions of the software in use (73%), which makes it easier to plan an attack against a vulnerable system. Among code-level web application vulnerabilities, flaws leading to cross-site scripting (64%) are widespread, enabling attacks against users (for example, in combination with social engineering).
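The two most frequent findings above, a weak password policy and weak protection against credential guessing, are the cheapest to fix on the defender's side. The following Python example is added here and is not part of the Positive Technologies report or of any of the studied systems: it enforces a minimal password policy and runs a sliding-window detector over a constructed authentication log to flag accounts hit by a burst of failed logins, distinguishing bursts that ended in a successful login (the case worth an immediate lockout and investigation). The log format, thresholds and the list of common passwords are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not real bank data).
SAMPLE_LOG = """\
2012-03-01T10:00:01 login user=ivanov ip=198.51.100.7 result=FAIL
2012-03-01T10:00:02 login user=ivanov ip=198.51.100.7 result=FAIL
2012-03-01T10:00:03 login user=ivanov ip=198.51.100.7 result=FAIL
2012-03-01T10:00:04 login user=ivanov ip=198.51.100.7 result=FAIL
2012-03-01T10:00:05 login user=ivanov ip=198.51.100.7 result=FAIL
2012-03-01T10:00:06 login user=ivanov ip=198.51.100.7 result=OK
2012-03-01T10:05:00 login user=petrov ip=203.0.113.9 result=FAIL
2012-03-01T10:30:00 login user=petrov ip=203.0.113.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Tiny assumed denylist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "passw0rd"}


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "ip": m["ip"],
            "ok": m["result"] == "OK",
        })
    return events


def find_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Return (flagged, succeeded_after_burst): (user, ip) pairs that reached
    `threshold` failures inside `window`, and the subset whose burst was
    followed by a successful login."""
    fails = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    flagged, succeeded_after_burst = set(), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        q = fails[key]
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.pop(0)
        if ev["ok"]:
            if key in flagged:
                succeeded_after_burst.add(key)
            q.clear()
            continue
        q.append(ev["ts"])
        if len(q) >= threshold:
            flagged.add(key)
    return flagged, succeeded_after_burst


def password_policy_violations(password, min_length=8):
    """Return the list of policy rules the password breaks (empty if it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


if __name__ == "__main__":
    flagged, compromised = find_guessing(parse_log(SAMPLE_LOG))
    print("burst of failures:", flagged)
    print("burst followed by success:", compromised)
    print(password_policy_violations("Passw0rd"))
```

The detector keys on the (user, ip) pair so that a single client hammering one account stands out; a distributed attack spread over many source addresses would need a per-user counter as well, which is the same loop keyed on the user alone.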

The most common vulnerabilities are of medium and low risk. However, a combination of such flaws, together with critical vulnerabilities specific to a particular system, can lead to serious consequences, up to full control over the system.


In more than 70% of cases an attacker could either gain access to the operating system or DBMS of the RBS system at the server level, or conduct unauthorized transactions at the level of an individual user. Vulnerabilities leading to such threats are present both in in-house developed systems and in vendor-supplied systems.

Findings


The level of protection of RBS systems is higher than the average for other applications that Positive Technologies specialists encounter, and critical vulnerabilities (RCE, SQL injection) are less common in them. Despite this, a combination of non-critical security flaws can still allow an attacker to bypass the anti-fraud system and perform unauthorized transactions.


It can be noted that the state of patch management in the banking sector is better than is commonly thought. Much bigger problems are observed in configuration management: 34% of the systems studied are configured incorrectly. In addition, the prevalence of security problems caused by shortcomings in the implementation of protection mechanisms and by code-level vulnerabilities in the web application points to the need for a more thorough application security analysis, both at the level of requirements for security functions and at the level of requirements for secure development.


We will be happy to answer your questions. Thanks for your attention!

The full version of the research report can be found on the website of Positive Technologies.

Source: https://habr.com/ru/post/198362/
