Banks’ Web security full of holes?

By Allison Ross · Friday, July 25, 2014 · Posted: 1 am ET

That little lock icon on your bank's website may be easy for hackers to pick, according to two recent reports.

But while consumers should keep a close eye on transactions and account balances to watch for fraud, at least one fraud expert says there's no need to panic about online banking.

Swiss cheese

This week, Trend Micro released a report warning about an attack it dubbed "Operation Emmental" because it says banks' security is full of holes. (Swiss cheese is also known as Emmental, in case you didn't get the reference.)

Trend Micro said it discovered that cybercrooks were using a technique to bypass banks' two-factor security identifications. It said it found the operation had attacked six bank domains in Austria, seven in Sweden, 16 in Switzerland and five in Japan.

The Emmental cyberattack begins with phishing emails to consumers. The emails are meant to look like emails from major retailers, with receipts attached. When a consumer opens the attachment, malware is downloaded on the computer. When consumers later try to log on to online banking, the cyberattackers are in control. Through more convoluted moves, the cyberattackers get consumers' passwords and are able to bypass two-factor authentication via text message.

"Like Swiss Emmental cheese, online banking protections may be full of holes," the report states.

Julie Conroy, a research director with Aite Group who covers banking and fraud, says the vulnerability being exploited by Operation Emmental is not a new one, although this attack may be a bit more complex than some others.

Conroy says that banks are wising up to this vulnerability and a greater number are taking steps to bypass text messaging in authenticating passwords.


Meanwhile, a report from financial software company Sycorr found that 97.7 percent of banks and credit unions do not have protection against something called "clickjacking."

Basically, clickjacking is where an attacker tricks a user into clicking on a button he or she thinks is on the bank's website but is actually a transparent or opaque layer of another page on top of the banking page.

That means users may think they are entering their passwords on the banking site but are actually entering them into another website that's been layered atop the banking site.


Bottom line: It's not a good thing for banks or consumers trying to protect their money.

Sycorr says clickjacking can be prevented with a simple line of code. It says some companies include that code, but that many other banking sites do not.

Conroy agrees, saying the largest banks in the U.S. do have the ability to prevent clickjacking.

"This is something that smaller (financial institutions) should shore up," Conroy says, but adds that banks don't really see a lot of fraud occurring through clickjacking, especially since other forms of attack are more lucrative to fraudsters.
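The article does not say which line of code Sycorr means; the browser-enforced defenses against framing are the `X-Frame-Options` response header and the `frame-ancestors` directive of `Content-Security-Policy`. The following added example (not from the article or from Sycorr) audits a set of response headers for either one; the function names and the sample headers are constructed for illustration.

```python
# Added example: audit response headers for anti-framing (clickjacking) protection.
PERMISSIVE = {"*", "http:", "https:"}  # frame-ancestors sources that let any site frame the page


def csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # first occurrence wins, as in CSP
    return None


def framing_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # An enforced CSP frame-ancestors directive is checked first: browsers that
    # support it use it in preference to X-Frame-Options.
    sources = csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if PERMISSIVE & set(sources):
            return False, "frame-ancestors allows any origin"
        return True, "frame-ancestors " + (" ".join(sources) or "'none'")

    xfo = {v.strip().lower() for v in h.get("x-frame-options", "").split(",") if v.strip()}
    if xfo and xfo <= {"deny", "sameorigin"}:
        return True, "x-frame-options " + "/".join(sorted(xfo))
    if xfo:
        # Conservative: ALLOW-FROM is obsolete and typos are not valid values.
        return False, "x-frame-options value is obsolete or unrecognized"

    ro = h.get("content-security-policy-report-only", "")
    if csp_frame_ancestors(ro) is not None:
        return False, "frame-ancestors is report-only, not enforced"
    return False, "no anti-framing header"


# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_protection(hdrs))
```

The `wildcard` sample is the case worth noting: a permissive `frame-ancestors` overrides an otherwise correct `X-Frame-Options: DENY` in browsers that support CSP.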

Stay vigilant

While the attackers are continually getting more sophisticated, consumers can help protect themselves by staying vigilant.

Bankrate has five rules to help consumers protect their online bank accounts.

Follow me on twitter: @allisonsross.
