Since remote banking service (RBS) systems are publicly accessible web and mobile applications, they are exposed to every class of vulnerability known in application security, as well as to threats specific to the banking sector: theft of funds, unauthorized access to payment card data, personal data and bank secrecy, denial of service and others, any of which can lead to significant financial and reputational losses.
This report contains statistics collected during security analyses of RBS systems performed by Positive Technologies specialists in 2015, together with a comparison against the results of studies from previous years.
Initial data
The study covered 20 RBS systems, including several financial services built on the 1C platform, which are exposed to the same information security threats as remote banking systems. Only those RBS systems for which the most complete analysis was performed, including an analysis of their business logic, are included in the review. Most of the systems studied (75%) serve individuals. 35% of the systems are mobile solutions consisting of a server side and a client side.
65% of the systems were developed in-house by banks. In most cases Java was used, and only 8% of the applications were written in 1C. The remaining systems are deployed on platforms from well-known vendors. In line with responsible disclosure policy, vendor names are not given in this report.
Most of the systems (75%) were in production and accessible to customers; the rest were test instances ready to be put into production. 57% of the RBS systems supplied by well-known vendors were in production.
Overall results
Security flaws were found in every application analyzed. A total of 171 vulnerabilities were identified. The largest share of them (39%) are low-risk. The overall share of high-risk vulnerabilities this year was 30%, about the same as the average (31%). Compared to the results of 2013–2014, the overall share of critical vulnerabilities decreased markedly (by 14%).
However, the overall level of protection of RBS systems remains rather low: critical vulnerabilities were found in almost every online banking system (90%), which is significantly worse than the level of 2013–2014.
Figure: Distribution of systems according to the maximum risk level of detected vulnerabilities
The most frequent category (55% of RBS systems) was vulnerabilities allowing unauthorized access to user data, mainly authorization flaws. In second place (50%) was insufficient session protection: incorrect termination of user sessions, incorrect cookie parameters, the possibility of several active sessions running in parallel for one user, and no binding of the session to the client's IP address.
Unlike in previous years, in 2015 two of the RBS systems studied were found to be missing current security updates (CVE-2015-1635). The vulnerability is caused by errors in the HTTP.sys component that implements the HTTP protocol stack and affects Windows-based operating systems (see Microsoft Security Bulletin MS15-034). It is exploited by sending a specially crafted HTTP request and can lead to denial of service on the attacked system or to arbitrary code execution.
Figure: Rating of the most common vulnerabilities of RBS systems (proportion of vulnerable systems)
Taking into account the full set of vulnerabilities identified during the analysis, the study determined the most dangerous threats that could realistically be carried out against RBS systems. For example, in one of the RBS systems studied, an external attacker could steal a user's funds by exploiting a combination of vulnerabilities from different categories (insufficient session protection and flaws in the implementation of two-factor authentication).
The study revealed that in 25% of the RBS systems studied, threats such as theft of funds by an authorized user could be carried out. The attacker could use, in particular, rounding attacks, unauthorized access to another user's operations and, in some cases, SQL injection. As a result, banks could suffer substantial financial losses and lose their reputation as a reliable partner.
In every second system (55%), unauthorized access to the DBMS storing users' personal data, payment card data and financial information was found to be possible.
Figure: Realizable threats to information security of RBS systems
Systems for legal entities have become more vulnerable
All the RBS systems for legal entities studied contained high-risk vulnerabilities; among the systems for individuals the figure was 87%. At the same time, in 2015 the number of medium-risk vulnerabilities per system in RBS systems for legal entities increased several times over. The level of protection of RBS systems for legal entities has decreased significantly, while for individuals it has remained at the same low level.
Figure: Average number of vulnerabilities of different risk levels per system for individuals and legal entities
RBS from a well-known vendor does not guarantee protection
In systems acquired by banks from well-known vendors, the proportion of vulnerabilities caused by errors in the program code was higher than in systems developed by banks themselves (40% vs. 28%). At the same time, a higher percentage of configuration vulnerabilities was found in bank-developed systems (35% vs. 27%). In past years the share of such vulnerabilities in vendor RBS systems was half as large (14%).
Compared to previous years, the number of high-risk vulnerabilities in vendor-supplied RBS systems has almost halved. However, all such products still contain critical vulnerabilities.
In addition, RBS systems supplied by specialized companies contain, on average, 1.5–2 times more vulnerabilities than systems developed in-house. This is not surprising: in-house remote banking systems are designed for a specific architecture and carry only the functionality the bank requires, which makes them simpler and, as a result, less vulnerable. However, moving from a well-known vendor's system to in-house development does not guarantee that the resulting system will be fully protected either.
Figure: Distribution of vulnerabilities by degree of risk for systems provided by different categories of developers (share of the total number of vulnerabilities)
Systems in use remain vulnerable
The total number of vulnerabilities of all categories in production systems in 2015 is noticeably lower than in test systems. This shows that banks are doing useful work to protect applications in operation. However, the level of protection of production RBS systems cannot be considered high: critical vulnerabilities were found in almost all of them. 40% of all vulnerabilities in RBS systems already in operation are critical; by this measure they are even worse than the test systems.
Figure: Ratio of vulnerabilities of various risk levels in test and production systems (share of the total number of vulnerabilities)
Problems of protection mechanisms
A predictable format of user identifiers is characteristic of all RBS systems, while only 60% of the systems allow the user to change such an identifier.
Two-factor authentication, both when logging into the personal account and when confirming transactions, can significantly reduce the risk of theft of funds from user accounts, but the share of RBS systems in which such mechanisms are absent altogether (24%) or implemented incorrectly (29%) is still large. Almost every second bank-developed system (45%) is vulnerable, and even vendor-supplied RBS systems have such flaws (33%).
In addition, every third RBS system (35%) does not adequately protect the session from being intercepted and subsequently reused by an attacker.
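The session flaws the report lists (no server-side termination, weak cookie parameters, parallel sessions for one user, no binding to the client address) map onto a small set of server-side rules. The following is an added illustration, not code from the report or from any of the systems studied; the SessionStore class, the 15-minute idle timeout and the cookie name are assumptions.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (constructed policy value)

class SessionStore:
    """Server-side registry: unpredictable token, one active session per user,
    binding to the client IP, and explicit server-side termination."""

    def __init__(self):
        self._by_token = {}  # token -> {"user", "ip", "last_seen"}
        self._by_user = {}   # user -> token, enforces a single active session

    def login(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        # A new login revokes the previous session instead of letting two run
        # in parallel for the same user.
        old = self._by_user.pop(user, None)
        if old is not None:
            self._by_token.pop(old, None)
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._by_token[token] = {"user": user, "ip": client_ip, "last_seen": now}
        self._by_user[user] = token
        return token

    def validate(self, token, client_ip, now=None):
        """Return the user for a live session, or None (terminating it)."""
        now = time.time() if now is None else now
        sess = self._by_token.get(token)
        if sess is None:
            return None
        # A token presented from another address or after the idle timeout is
        # terminated rather than silently accepted.
        if sess["ip"] != client_ip or now - sess["last_seen"] > SESSION_TTL:
            self.logout(token)
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        sess = self._by_token.pop(token, None)
        if sess is not None:
            self._by_user.pop(sess["user"], None)
        return sess is not None

def set_cookie_header(token):
    # Cookie attributes the report calls out: sent only over TLS, hidden from
    # script, and not attached to cross-site requests.
    return f"SESSIONID={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

IP binding follows the report's checklist; for mobile clients whose address changes often it will log users out mid-session, so deployments frequently bind to a device identifier instead.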
Figure: Percentage of systems affected by authentication mechanism vulnerabilities (for various categories of developers)
Mobile RBS systems for iOS are slightly better
Mobile RBS systems for iOS still have a higher level of security than those for Android, where 75% of the applications studied contain critical vulnerabilities. However, a third of the vulnerabilities found in iOS applications are high-risk. These flaws involve storing and transmitting sensitive data in the clear.
Figure: Shares of client software of mobile RBS systems exposed to vulnerabilities of various degrees of risk
Each Android application contains 3.8 vulnerabilities on average, which roughly corresponds to the level of 2013 and 2014 (3.7). For iOS applications this figure is 1.6, which is significantly better than in previous years, when each application had 2.3 vulnerabilities.
Figure: The most common mobile client software vulnerabilities
Although the most common vulnerabilities of mobile RBS systems are of medium risk, in some cases the flaws found could, in combination, be used to carry out serious security threats. For example, an incorrect implementation of the short PIN entry mechanism, together with storage of the session identifier in the device's file system, allowed an attacker with physical access to the device to substitute the web server's response so that any attempt to enter an incorrect PIN was treated as if the server had returned true. After a successful attack, the attacker could take complete control of the victim's personal account, including changing settings and performing transactions on the user's behalf. In another project, an attacker could gain access to the user's mobile banking because of insufficiently secure data transfer: the system accepted self-signed certificates when transmitting information over HTTPS.
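The PIN flaw described above works because the client keeps a usable session identifier on the device and releases it whenever the server's reply says true. The following added example (not code from the report or from any studied application; BankServer, MobileClient, the attempt limit and the PBKDF2 round count are assumptions) shows the opposite design: the server holds the PIN verifier and the session, and the client stores nothing that a forged reply could unlock.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3        # lockout threshold (constructed policy value)
PBKDF2_ROUNDS = 100_000

class BankServer:
    """Holds PIN verifiers and issues session tokens only after verification."""

    def __init__(self):
        self._devices = {}   # device_id -> enrolment record
        self._sessions = {}  # issued token -> user

    def enroll(self, device_id, user, pin):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._devices[device_id] = {"user": user, "salt": salt, "pin_hash": digest,
                                    "attempts": 0, "locked": False}

    def unlock(self, device_id, pin):
        dev = self._devices.get(device_id)
        if dev is None or dev["locked"]:
            return {"ok": False}
        cand = hashlib.pbkdf2_hmac("sha256", pin.encode(), dev["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(cand, dev["pin_hash"]):
            dev["attempts"] += 1
            dev["locked"] = dev["attempts"] >= MAX_ATTEMPTS  # short PINs need a lockout
            return {"ok": False}
        dev["attempts"] = 0
        token = secrets.token_urlsafe(32)  # fresh token per successful unlock
        self._sessions[token] = dev["user"]
        return {"ok": True, "session": token}

    def whoami(self, token):
        return self._sessions.get(token)  # what any later API call checks

class MobileClient:
    """Keeps no session identifier on the device: it only holds what the server
    issued, so a forged 'ok' in a tampered response yields nothing the server honours."""

    def __init__(self, device_id, transport):
        self.device_id = device_id
        self.transport = transport  # callable(device_id, pin) -> response dict
        self.session = None

    def enter_pin(self, pin):
        resp = self.transport(self.device_id, pin)
        self.session = resp.get("session") if resp.get("ok") else None
        return self.session is not None
```

The transport callable stands in for the HTTPS channel; the second flaw in the paragraph, accepting self-signed certificates, would hand an on-path attacker exactly this substitution, so the client's TLS validation must stay strict for the design to hold.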
Conclusion
The level of protection of RBS systems remains low, despite the reduction in the total share of critical vulnerabilities among all identified flaws compared with previous years.
The low security of remote banking systems in operation clearly demonstrates the need for security processes at all stages of the application life cycle. Security analysis should be carried out not only during application development and before the system is put into operation, but also while it is actively used by bank customers. Moreover, such analysis should be performed regularly (for example, twice a year), with follow-up checks that the identified flaws have been eliminated.
RBS systems purchased from vendors deserve special attention: they are often more susceptible to vulnerabilities than systems developed by banks. In addition, preventive protection tools such as an application-level firewall are recommended.
To gain access to a user's personal account, it is enough for an attacker to use long-known and common vulnerabilities (for example, insufficient session protection). Special attention must be paid to the correct implementation of protection mechanisms. Secure development processes should also be implemented, and comprehensive security testing of the system should be ensured during acceptance of work. The recommendations issued by the Bank of Russia in 2014, RS BR IBBS-2.6-2014, can be used as the basis for information security processes for RBS systems at all stages of the life cycle.
Given the high proportion of critical vulnerabilities at the code level of web applications, regular checks of code quality are necessary, for example through white-box security analysis (including with automated tools).
Read the full text of the study at www.ptsecurity.ru/research/analytics