The pandemic has turbocharged digital adoption across every industry, product and demographic segment. Commercial and retail banks have now embraced a fully virtual model, many within a matter of days, demonstrating agility and resilience. This accelerated digital transformation is here to stay as customer expectations rise and banks realize higher revenue growth and retention rate through digital offerings. Growth will come by innovating highly engaging, hyper-personalized digital services. New platforms, products, geographic regions, applications and web capabilities will be added. As banks engage customers in new and differentiated ways, the use of customer data, analytics and third-party services will play an increasingly crucial role; as will dependency on open-source software and tooling.
This evolving business and technology landscape brings with it an evolving threat landscape. As a financial institution’s cybersecurity considerations multiply, the average cost of a data breach is fast approaching $6 million. The stakes have never been higher for digital banking security, IT and development teams.
of online banking sites may be vulnerable to web skimming based on a non-intrusive web skimming simulation analysis
of the data breach attacks within financial services in 2020 involved personal data
of the data breach incidents within financial services in 2020 were financially motivated
Evolving online banking attack surface – extends from server to client
A recent 2021 study performed by Ensighten showed that nine in ten (87%) online banks may be vulnerable to client-side theft of sensitive customer data.
Digital banking impact
Financial institutions experience 2x faster revenue growth and 35% lower customer attrition according to Finserv
Data breach costs for banks
The average cost of a data breach for financial institutions is $6 million according to a Ponemon 2020 study
Client-side data breach and compliance risks
One of every two data breaches is the result of hackers according to a Ponemon 2020 study. With the web browser now a highly targeted attack surface, banks are extending their server-centric security perimeter to the web browser to address several client-side vulnerabilities:
This vulnerability involves arbitrary (i.e. malicious) CSS code being injected into a bank’s website at runtime. Compromised CSS code can extract sensitive data.
Formjacking mimics real-world card skimming. Malicious formjacking code secretly captures data as your customer submits it in an online form. The data is then transmitted to a criminal destination. Kaspersky detected 510,000 unique web skimmers used across industries in 2019 and a 187% year-over-year growth in web skimming attacks.
The unauthorized transmission of data to an external recipient or destination (which may itself be authorized or unauthorized), happening either accidentally or with malicious intent.
Keyloggers are a type of monitoring software designed to record the keystrokes a user makes. On a website, a keystroke logger captures the information your customer types into your pages and sends it to hacker sites.
Tags are used to facilitate the collection and sharing of data between a bank’s website and third-party technologies. Tag code, delivered at runtime, instructs the browser to send data to third parties and allows third parties access to data collected on the site. This risk is further compounded when third parties include tags for their partners (piggybacking).
The hacker first finds a way to infect the customer’s device. Once infected, the malware installs itself on the browser without the customer’s knowledge. The malware records data sent between the customer and the online bank and transmits it to a criminal site.
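A Content-Security-Policy header is one of the controls a bank can deploy on the server to constrain what the browser side of the site may do, and it maps directly onto several of the risks listed above: form-action limits where forms can be submitted (formjacking), connect-src limits where scripts can send data (exfiltration), style-src with nonces blocks injected inline CSS, and script-src allow-listing limits unvetted tags and the partner tags they piggyback. It does nothing against malware already installed on the customer's device, which is why the man-in-the-browser case needs endpoint and transaction-level controls instead. The following is an added example, not code from Ensighten or from the report; it audits a CSP header string for the weak settings just described, using two constructed sample policies (the nonce value and the API hostname are placeholders).

```javascript
// Added example: audit a Content-Security-Policy header for settings that leave
// the browser side of a banking site open to the client-side risks above.
// Not Ensighten code; the policies at the bottom are constructed sample values.

// Parse "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Effective source list for a directive: its explicit value, else the default-src
// fallback. form-action does NOT fall back to default-src, so it counts as
// unrestricted (null) unless it is set explicitly.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (name !== "form-action" && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null; // no restriction at all
}

// A source list is permissive if it is absent, contains '*', or allows any
// https:/http: origin as a scheme-only source.
function isPermissive(sources) {
  return (
    sources === null ||
    sources.includes("*") ||
    sources.some((s) => /^https?:$/.test(s))
  );
}

// Returns findings, each tied to the client-side risk it relates to.
function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  const formAction = effectiveSources(d, "form-action");
  if (isPermissive(formAction)) {
    findings.push({ risk: "formjacking", directive: "form-action",
      detail: "forms may be submitted to any origin; restrict to the bank's own endpoints" });
  }

  const connect = effectiveSources(d, "connect-src");
  if (isPermissive(connect)) {
    findings.push({ risk: "data-exfiltration", directive: "connect-src",
      detail: "fetch/XHR/beacon may reach any origin; allow-list known APIs" });
  }

  const style = effectiveSources(d, "style-src");
  if (isPermissive(style) || (style && style.includes("'unsafe-inline'"))) {
    findings.push({ risk: "css-injection", directive: "style-src",
      detail: "inline or arbitrary-origin CSS allowed; use nonces or hashes" });
  }

  const script = effectiveSources(d, "script-src");
  if (isPermissive(script) || (script && script.includes("'unsafe-inline'"))) {
    findings.push({ risk: "third-party-tags", directive: "script-src",
      detail: "unvetted scripts (and tags they piggyback) can load; allow-list and use nonces" });
  }
  return findings;
}

// Constructed sample policies. A real nonce must be unpredictable and unique per response.
const WEAK_CSP =
  "default-src 'self' *; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'self' 'nonce-r4nd0m'; " +
  "connect-src 'self' https://api.example-bank.test; form-action 'self'; frame-ancestors 'none'";

console.log("weak policy findings:", auditCsp(WEAK_CSP));       // 4 findings
console.log("hardened policy findings:", auditCsp(HARDENED_CSP)); // []
```

Run it with `node` to see the four findings the weak policy produces and the empty list for the hardened one. The audit treats a missing form-action as unrestricted on purpose: unlike the fetch directives, form-action never inherits from default-src, and that omission is a common reason a policy that looks strict still permits a skimmer to redirect a login or card form.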