Online Banking Transformation and Expanding Cybersecurity Considerations

The pandemic has turbocharged digital adoption across every industry, product and demographic segment. Commercial and retail banks have now embraced a fully virtual model, many within a matter of days, demonstrating agility and resilience. This accelerated digital transformation is here to stay as customer expectations rise and banks realize higher revenue growth and retention rate through digital offerings. Growth will come by innovating highly engaging, hyper-personalized digital services. New platforms, products, geographic regions, applications and web capabilities will be added. As banks engage customers in new and differentiated ways, the use of customer data, analytics and third-party services will play an increasingly crucial role; as will dependency on open-source software and tooling.

This evolving business and technology landscape brings with it an evolving threat landscape. As a financial institution’s cybersecurity considerations multiply considerably, the average cost of a data breach is fast approaching $6 million. The stakes have never been higher for digital banking security, IT and development teams.

View and download case study

Download now


of online banking sites may be vulnerable to web skimming based on a non-intrusive web skimming simulation analysis


of the data breach attacks within financial services in 2020 involved personal data


of the data breach incidents within financial services in 2020 were financially motivated

Evolving online banking attack surface – extends from server to client

A recent 2021 study performed by Ensighten showed that nine in ten (87%) online banks may be vulnerable to client-side theft of sensitive customer data.

The online banking attack surface is vast and changing rapidly, from infrastructure to apps and cloud to endpoints. The emergence of Magecart, a consortium of malicious hacker groups, has introduced a new hard-to-defend attack surface residing within third-party technologies and web pages. Banking websites frequently incorporate JavaScript code from open source and third-party web partners (web supply chain) for data analytics, payment, chat and other experience-enhancing services.

Magecart popularized an elusive technique that infects a bank’s web supply chain via JavaScript injection, which in turn corrupts the banking site and allows theft of customer data. These emerging client-side techniques are favored by hackers because they circumvent a bank’s server-centric security model. Banks are responding, however, by expanding their defense perimeter to encompass client-side web attack surfaces.

Digital banking impact

Financial institutions experience 2x faster revenue growth and 35% lower customer attrition according to Finserv

Data breach costs for banks

The average cost of a data breach for financial institutions is $6 million according to a Ponemon 2020 study

Client-side data breach and compliance risks

One of every two data breaches is the result of hackers according to a Ponemon 2020 study. With the web browser now a highly targeted attack surface, banks are extending their server-centric security perimeter to the web browser to address several client-side vulnerabilities:

CSS injection

This vulnerability involves arbitrary (i.e. malicious) CSS code being injected into a bank’s website at runtime. Compromised CSS code can extract sensitive data.

Formjacking/web skimming

Formjacking mimics real world card skimming. Malicious formjacking code secretly captures data as your customer submits it in an online form. The data is then transmitted to a criminal destination. Kaspersky detected 510,000 unique web skimmers used across industries in 2019 and a 187% year-over-year growth in web skimming attacks.

Data leakage

Unauthorized transmission of data to an external recipient or destination, authorized or unauthorized, and happening either accidentally or with malicious intent.


Keyloggers are a type of monitoring software designed to record keystrokes made by a user. Keystroke loggers record the information your customer types into your website and send it to hacker sites.

JavaScript injection

Banking websites utilize a heavy amount of JavaScript. JavaScript, first party and partner, makes user experiences dynamic. Because this code has access to data shared during an online banking session, Hackers look for ways to covertly inject malicious code to steal data.

HTML tags

Tags are used to facilitate the collection and sharing of data between a bank’s website and third-party technologies. Tag code, delivered at runtime, instructs the browser to send data to third parties and allows third parties access to data collected on the site. This risk is further compounded when third parties include tags for their partners (piggybacking).

Man-in-the-Browser (MitB)

The hacker first finds a way to infect the customer’s device. Once infected, the malware installs itself on the browser without the customer’s knowledge. The malware records data sent between the customer and the online bank and transmits it to a criminal site.

JavaScript injection via third parties/ Magecart attacks

Hackers infect a bank’s web supply chain via JavaScript injection to covertly penetrate the online banking experience and steal information. Third-party services enhance the customer experience by adding features such as chat, payment and analytics. The underlying JavaScript code originates from third parties or, worse, their extended ecosystem and loads at runtime, making it hard for banks to examine and validate.

Learn more about Ensighten and our solution

Third-party JavaScript blog
Learn more about the risk of third-party JavaScript components and how to ensure protection against PII leakage
Read now
Web-based attacks guide
Learn more about website attacks and how the most common methods for exposing data are often overlooked
Read now
Online demo
See the Ensighten solution in action to learn how we can help ensure client-side web security
Book now