Cybersecurity firm Positive Technologies created a crude AI program to put the security of a number of banks’ web apps and websites to the test, and found that almost all of them can fall prey to some fairly simple vulnerabilities, leaving the portal to customers’ account information quite insecure. Across the tested set of vulnerabilities, the entire test set was found to be at risk. No one exploit or vulnerability worked across all of the tested sites and apps, but the overlap in some cases was overwhelming. Cross-site scripting or XSS attacks, for example, could affect 80-percent of all tested sites and apps in the survey set. It is worth noting that Positive Technologies did not name the banks that it tested.
The AI program made by Positive Technologies was not particularly smart; it was made to simply run preset vulnerability tests on banks’ web presences, then gather as much data as possible on how the exploit impacted the system and what data could be accessed. Many of the key types of attacks that banks tested were found vulnerable to had one of two common threads; they could be used to compromise entire servers and harvest raw data, hopefully encrypted, for later use, or they could modify a site to pass users’ information on to attackers. In short, this means that the tested banks could fall victim to a massive data breach at just about any time, should an enterprising hacker find a creative use for the data that would be gleaned. These banks’ online presences could also, at any time, be surreptitiously hijacked to pass user information on to attackers without the users’ or the banks’ knowledge.
Cybersecurity as it pertains to banks, government entities, and other mission-critical use cases is always improving. Even so, basic and old vulnerabilities can stick around for a long time due to how difficult it would be to roll out systemwide fixes for them without potentially compromising or destroying sensitive data, and that seems to be the case with the tested banks in this data set. In the end, all consumers can do in this case is watch their accounts for suspicious activity, and employ a high degree of vigilance when banking online.
