Bank Security Lax As Leaky Websites Aid Hackers


Banks are handing over loads of useful data to hackers, a KPMG study finds

The financial industry is the most careless of all sectors, with slack bank security leaving data that could be useful to cyber criminals exposed on public websites, a study has shown.

KPMG looked across websites belonging to the Forbes 2000, an annual ranking of the top 2000 public companies in the world. It performed the same initial reconnaissance steps that cyber attackers and organised criminals would perform when planning a hit on a target organisation, looking for information that would help plan an attack.

Bank security scare

Hackers often use such data for spear phishing attacks, sending employees emails that look legitimate but actually contain links to malware executables.

From that reconnaissance process, it emerged that banks were responsible for 30 percent of all the data KPMG believed could be used by attackers. That was far ahead of the diversified financial services sector in second place, which accounted for 12 percent of the risky data left open to hackers.

KPMG discovered 130 potentially sensitive file locations on banking sites, places where information is supposed to be hidden from the public. It also found 800 potential vulnerabilities affecting banking web servers.

Many banking IT systems are thought to be rife with complexity and old software, as was highlighted when a glitch hit RBS, leaving many of its own customers and NatWest customers without access to their money.

Everyone is flawed

Yet there were security failings across all sectors. Almost three-quarters of all Forbes 2000 firms might be using vulnerable, out-of-date versions of Adobe and Microsoft software. Overall, 16 percent of Forbes 2000 corporate web servers may be vulnerable to attack due to missing security patches or outdated server software.
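The reconnaissance KPMG describes, probing for sensitive file locations and fingerprinting outdated server software from response headers, is something a site owner can run against their own servers before an attacker does. The following is an added example, not KPMG's tooling and not code from this article. The list of sensitive paths, the minimum-version thresholds and the canned responses standing in for a leaky site are all constructed for the example; a real check would use a maintained vulnerability feed and only be pointed at hosts you are authorised to test.

```python
"""Passive web reconnaissance self-check (added example, not KPMG's tooling).

recon(fetch) takes a fetch(path) callable returning (status, headers, body),
so it runs offline against the constructed responses below or, via
http_fetch(), against a site you are authorised to test.
"""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str], Response]

# Locations that commonly expose data useful to an attacker. Hypothetical list
# for the example; real scanners carry thousands of such paths.
SENSITIVE_PATHS = [
    "/.git/HEAD",        # leaks source history if the repo was deployed
    "/.env",             # application secrets
    "/backup.zip",       # archived site content
    "/phpinfo.php",      # full PHP configuration
    "/server-status",    # Apache status page, reveals internal hostnames/URLs
]

# Oldest version considered acceptable per product. Assumed thresholds for
# illustration only, not a statement about which versions are vulnerable.
MIN_VERSIONS = {
    "Apache": (2, 4, 0),
    "nginx": (1, 18, 0),
    "PHP": (7, 4, 0),
    "Microsoft-IIS": (10, 0),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.2.22' -> (2, 2, 22); tuples compare component-wise in Python."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def parse_products(header: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Extract (product, version) pairs such as Apache/2.2.22 or PHP/5.3.10."""
    return [(m.group(1), parse_version(m.group(2)))
            for m in re.finditer(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", header)]


def outdated_components(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag Server / X-Powered-By products below their assumed minimum version."""
    findings = []
    for name in ("Server", "X-Powered-By"):
        for product, version in parse_products(headers.get(name, "")):
            minimum = MIN_VERSIONS.get(product)
            if minimum and version < minimum:
                findings.append((product, ".".join(map(str, version))))
    return findings


def probe_sensitive_paths(fetch: Fetcher) -> List[str]:
    """A 200 with a non-empty body on a sensitive path counts as exposed."""
    exposed = []
    for path in SENSITIVE_PATHS:
        status, _, body = fetch(path)
        if status == 200 and body.strip():
            exposed.append(path)
    return exposed


def robots_hints(fetch: Fetcher) -> List[str]:
    """Disallow entries in robots.txt advertise the paths an operator wants hidden."""
    status, _, body = fetch("/robots.txt")
    if status != 200:
        return []
    hints = []
    for line in body.decode("utf-8", errors="replace").splitlines():
        if line.lower().startswith("disallow:"):
            target = line.split(":", 1)[1].strip()
            if target not in ("", "/"):      # blanket rules carry no hint
                hints.append(target)
    return hints


def recon(fetch: Fetcher) -> Dict[str, list]:
    """Run the three checks and return the findings as one report."""
    _, headers, _ = fetch("/")
    return {
        "outdated": outdated_components(headers),
        "exposed_paths": probe_sensitive_paths(fetch),
        "robots_hints": robots_hints(fetch),
    }


def http_fetch(base_url: str) -> Fetcher:
    """Fetcher backed by urllib, for use only against hosts you may test."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Response:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "recon-self-check"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), b""
    return fetch


# Constructed responses standing in for a leaky site (not real data).
CANNED: Dict[str, Response] = {
    "/": (200, {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"}, b"<html></html>"),
    "/.git/HEAD": (200, {}, b"ref: refs/heads/master\n"),
    "/.env": (404, {}, b"Not Found"),
    "/backup.zip": (403, {}, b""),
    "/server-status": (200, {}, b"Apache Server Status for intranet.example\n"),
    "/robots.txt": (200, {}, b"User-agent: *\nDisallow: /admin/\nDisallow: /internal-reports/\nDisallow: /\n"),
}


def canned_fetch(path: str) -> Response:
    return CANNED.get(path, (404, {}, b""))


if __name__ == "__main__":
    for key, value in recon(canned_fetch).items():
        print(f"{key}: {value}")
```

Run as-is it reports the two outdated components, the two exposed paths and the two robots.txt hints from the constructed site. Swap `canned_fetch` for `http_fetch("https://your-host.example")` to run the same checks against a server you are responsible for; the point of the exercise is to see what an attacker's first pass would see, and remove it.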

“The world of cyber security has been tilted on its axis over the past two years – from the actions of hacktivists and associated groups, through to state sponsored agencies with seemingly unlimited resources,” said Martin Jordan, director of information protection at KPMG.

“Attackers are aiming for an increased competitive edge or to gain better access to greater intellectual property – whatever their level of sophistication. While it’s difficult to stop these groups, companies can, at the very least, deny them ‘open all areas’ access to their secrets which, unwittingly, they may have laid bare.”
