As the world becomes more digital, new opportunities and threats arise, and we tend to focus on our daily business. As a result, when developing a new product, website or application, we tend to prioritize speed, convenience and ease of implementation over security.
ElevenPaths has conducted an analysis of 56 of the world’s leading banks. This analysis is based on public archives, web applications and mobile applications from these banks and addresses three key aspects of cybersecurity:
- Integrated security in mobile applications.
- Metadata available in public documents.
- The information we can obtain about service communications and their quality (i.e. open ports on servers, their vulnerabilities, etc.).
The analysis was carried out with the following tools:
- FOCA OpenSource, a self-developed tool (free and Open Source) that obtains documents through search engines, downloads them, and extracts and analyzes their metadata.
- Tacyt and mASAPP, two other self-developed tools that show the information available about mobile apps in official and unofficial markets and find vulnerabilities in those applications. mASAPP also rates each application using a proprietary scoring system to rank apps from most to least secure: the higher the mASAPP score, the worse the security of that application is considered.
- Censys, a public OSINT search tool for servers and devices exposed to the Internet. It also allows us to find the specific hosts and services associated with each bank's domains and to see how the websites and their certificates are configured.
Figure: mASAPP overall risk score per region.
Regarding mobile applications:
- All the banks analyzed had vulnerabilities in their official applications, caused mainly by failures in the quality of the code. The most common vulnerability was potential SQL injection.
- Banks in Asia, Africa and Latin America had the worst results.
- We compared what permissions each banking application requested. Despite being in the same industry and providing the same type of service, only one permission was common to all of them: Internet Access.
- The Middle East was the region with the lowest average number of requested permissions, while Asia was the one with the highest number of requested permissions per application.
- Intrusive permissions such as access to phone contacts, making calls without user confirmation, reading and writing SMS or reading and writing system settings were present in several analyzed applications.
- Some African banks have never had a mobile application.
Regarding metadata in public documents:
- We detected hundreds of administrator accounts and several generic accounts with administrator characteristics.
- Based on the metadata of the detected files, many banks may still be using operating systems that are no longer supported by their manufacturers.
- The analysis of public files allowed us to obtain the physical location and names of various servers and printers. Companies should hide this kind of information, because a malicious actor who wants to harm the company could make use of it.
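As an added example (not ElevenPaths' code and not FOCA itself), the following Python script performs, from the publisher's side, the kind of check FOCA automates: it reads the core and extended properties of an Office Open XML document and reports the fields that reveal user accounts, software versions or internal server paths, so the file can be cleaned before it is published. The document it inspects, and every name and path in it, is constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {  # namespaces of the two metadata parts every .docx/.xlsx/.pptx carries
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
WATCHED = {  # fields that commonly leak user names, internal hosts or software versions
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"],
}
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s<\"']*")  # \\server\share\... references

def audit_docx(data: bytes) -> dict:
    """Return the watched metadata fields that carry a value, plus any UNC
    paths (internal server or printer names) found in any XML part."""
    findings, unc = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, fields in WATCHED.items():
            if part in z.namelist():
                root = ET.fromstring(z.read(part))
                for field in fields:
                    el = root.find(field, NS)
                    if el is not None and el.text and el.text.strip():
                        findings[field] = el.text.strip()
        for name in z.namelist():
            if name.endswith((".xml", ".rels")):
                unc.update(UNC_PATH.findall(z.read(name).decode("utf-8", "replace")))
    if unc:
        findings["unc_paths"] = sorted(unc)
    return findings

def build_sample_docx(leaky: bool = True) -> bytes:
    """Constructed minimal package (not a real bank document); with leaky=False
    the metadata parts are empty, as they should be before publication."""
    core = '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">%s</cp:coreProperties>' % (
        NS["cp"], NS["dc"],
        "<dc:creator>jdoe.admin</dc:creator><cp:lastModifiedBy>Administrator</cp:lastModifiedBy>" if leaky else "")
    app = '<Properties xmlns="%s">%s</Properties>' % (NS["ep"], (
        "<Application>Microsoft Office Word</Application><AppVersion>12.0000</AppVersion>"
        "<Company>Example Bank</Company><Template>\\\\print-srv01\\templates\\letter.dotx</Template>") if leaky else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Run `audit_docx(build_sample_docx())` to see the leaked account names, the Office version hint in AppVersion and the internal template server path; an empty result for `build_sample_docx(leaky=False)` shows what a cleaned file looks like.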
Regarding servers, hosts and communications:
- Although almost all hosts use HTTPS, there is still a large number of HTTP services, a protocol that is considered unsafe.
- Half of the banks use Akamai. Traffic mainly passes through North American servers.
- Banks that do not use Akamai tend to host their services locally. The only exception is Asia, where banks that do not work with Akamai also have their servers in the United States.
- None of the banks analyzed in Africa uses Akamai. This is one of the regions with the most local hosts.
- Africa is the region with the highest share of locally hosted services, followed by the Middle East.
- The most popular service when Akamai is not involved is FTP, followed by SMTP and different types of databases.
- Services are hosted mostly in North America. Europe comes second, but a long way behind North America.
Pablo Moreno González
Sebastian García de Saint-Léger
Helene Aguirre Mindeguia