Basel ICT Risk Guide: Securing websites and web applications is now paramount

By Uriel Maimon

On June 30, the Basel Committee on Banking Supervision published two crucial new documents on operational risk: “Principles of sound operational risk management” and “Operational risk – Supervisory guidelines for advanced measurement approaches.” These are general documents, but they focus specifically on cybersecurity, information and communications technology (ICT) risk, resilience strategies and safer operations. The documents recommend pushing responsibility for applying these principles up to the level of the bank’s board of directors.

More importantly, the documents set a significantly higher standard for continued cybersecurity and resilience in the face of what are now persistent attacks. Although not binding when issued, the Basel Committee guidelines are crucial for banks: they inform auditing procedures and best practices, and they eventually find their way, in one form or another, into regulations issued by the national financial authorities that make up the Basel Committee.

The Basel ICT Risk Guidelines provide a good opportunity to reflect on the current state of cybercrime and fraud risks. The guidance builds on a framework of existing regulations to establish international best practice. In the United States, financial services organizations are already subject to guidelines and regulations such as PCI DSS, FFIEC, UCC 4(a) and other regulations from the Office of the Comptroller of the Currency, the Securities and Exchange Commission and Financial Crimes Enforcement Network. Even as more and more regulations are put in place, the volume and severity of attacks against banks continue to increase. One reason for this is that front-end web applications have sometimes been overlooked in terms of security checks; more attention is paid to controls on the movement of money. This has made the front-end the soft underbelly of many banks.

This is a major oversight: in the wake of the COVID-19 pandemic, web applications and online access have become the primary means of interaction between banks and their customers. According to a study by BAI, 52% of people have increased their use of digital banking services during the pandemic. This rate climbs to 70% for millennials. Banks that want to retain customer trust and maintain a more legally defensible risk posture need to consider how to modify their operations and security solutions to better comply with the new Basel Committee guidelines. This will mean applying stronger security measures and adopting technologies that proactively identify and mitigate automated fraud and supply chain attacks against web applications and websites.

Rising cyber risk demands tougher standards

These actions taken by the Basel Committee were likely in response to the growing volume and sophistication of cyberattacks against the apps and websites of major banks and financial institutions. In the report “Unlocking the value of better cybersecurity protection,” Accenture and the Ponemon Institute put the annual damages and costs to each bank from cyberattacks at $18.3 million. In research by security firm VMware Carbon Black, CISOs of major financial institutions report that “…80% of financial institutions surveyed reported an increase in cyberattacks in the past 12 months, an increase of 13% from 2019.” According to the report, 33% of banks have been targeted by supply chain attacks, in which partners or technology providers were compromised as a means of accessing banks’ systems under the guise of trusted intermediaries.

One of the biggest threats facing banks and financial institutions is account takeover through credential stuffing. According to “Trusted Identity Status” by identity management provider Auth0, approximately 16% of all login attempts in a three-month period in 2020 were credential stuffing attempts. This includes a number of serious attacks on major financial institutions. The severity and frequency of credential stuffing attacks have caused both the FBI and the SEC to issue stern warnings about this common form of account takeover. According to the FBI bulletin, credential stuffing attacks accounted for 41% of all attacks on banks between 2017 and 2019, affecting more than 50,000 accounts in the United States alone. Many of these attacks targeted banking application programming interfaces, where multi-factor authentication is not required to access sensitive account information, the FBI noted.

As Web Application Usage Grows, Attacks Follow

The data cited by the FBI is probably a gross understatement. The past year has seen an unprecedented increase in the use of online and mobile banking services. According to research by industry group BAI, more than half of consumers have started using digital services more during the pandemic, and 87% plan to continue this higher volume of use. Naturally, attackers followed the traffic and the money. The Carbon Black report found a 238% increase in attacks against financial institutions in the first three months of the COVID pandemic.

API abuse for account takeovers is a growing problem

To work effectively with third-party services and make their own applications more efficient, banks are increasingly relying on APIs to connect, share data and improve functionality. In its warning, the FBI cited API attacks on banks as a growing concern, acknowledging that attackers have gotten smarter and recognizing that APIs tend to be lightly defended. API attacks are also harder to filter and distinguish than attacks on actual websites, where actions such as page navigation can often provide telltale clues that a visitor is in fact a malicious bot. Implementing multi-factor authentication to protect APIs is impossible because API communications are machine-to-machine and have no mechanism for out-of-band challenges such as texting an authentication code or requesting a code from an authenticator application.
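As an added illustration (not from the article or from PerimeterX), here is a defender-side heuristic for the API login problem described above: with no page-navigation signals to rely on, the telling feature of credential stuffing is one source trying many distinct accounts with a high failure rate, while a genuine user retrying a single account is left alone. The log lines, the `/api/v1/login` endpoint and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed sample API login log: "<timestamp> <source_ip> <endpoint> <username> <result>"
SAMPLE_LOG = """\
2020-10-01T10:00:01Z 203.0.113.7 /api/v1/login alice FAIL
2020-10-01T10:00:02Z 203.0.113.7 /api/v1/login bob FAIL
2020-10-01T10:00:02Z 203.0.113.7 /api/v1/login carol FAIL
2020-10-01T10:00:03Z 203.0.113.7 /api/v1/login dave FAIL
2020-10-01T10:00:03Z 203.0.113.7 /api/v1/login erin OK
2020-10-01T10:00:04Z 203.0.113.7 /api/v1/login frank FAIL
2020-10-01T10:00:05Z 198.51.100.4 /api/v1/login alice FAIL
2020-10-01T10:00:09Z 198.51.100.4 /api/v1/login alice OK
2020-10-01T10:00:20Z 192.0.2.9 /api/v1/login bob OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)  # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in

def parse_log(text):
    """Return (source_ip, username, result) per event; the endpoint is fixed here."""
    return [(f[1], f[3], f[4]) for f in (line.split() for line in text.splitlines())]

def summarize(events):
    stats = defaultdict(SourceStats)
    for ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats

def flag_sources(stats, min_users=5, min_fail_ratio=0.6):
    """Many distinct accounts from one source, mostly failing, is the stuffing
    signature; a genuine user retrying one account (198.51.100.4) is not."""
    return sorted(ip for ip, s in stats.items()
                  if len(s.usernames) >= min_users
                  and s.failures / s.attempts >= min_fail_ratio)

def accounts_to_review(stats, flagged):
    """Accounts that authenticated from a flagged source: candidates for step-up
    verification or a forced credential reset."""
    return sorted(u for ip in flagged for u in stats[ip].successes)
```

In the sample, 203.0.113.7 is flagged (six accounts, five failures) and the one account it did get into, erin, is surfaced for review; the thresholds would be tuned against a real API gateway's baseline.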

Banking applications increasingly made up of third-party code

Like most online businesses today, banks are building web applications that are made up of more and more code that they don’t control. This “ghost code” poses a risk because often the external code and scripts included in an application are not properly reviewed for security risks or sufficiently monitored. In fact, ghost code can be one of the biggest risks facing banks today as their application teams rapidly evolve to include new functionality. Typically, however, processes for reviewing code and securing third-party code running on the front-end of websites and inside mobile apps lag far behind those of natively written software and services that run on the bank’s web server. Vulnerable third-party code has become a favorite attack vector for Magecart and digital skimming attacks that harvest sensitive customer information to fuel more lucrative fraud, social engineering or automated attacks, and through them, account takeovers.

To meet the new guidelines, banks must focus on their front-end

The new Basel Committee guidelines clearly require banks to have documented ICT policies covering cybersecurity, including details of security architecture and design, policies and controls. The committee’s guidelines recommend a number of steps, including strong mandates around incident response plans, security layers and policies, and detailed accountability and oversight of security efforts.

The guidance also calls for increased efforts to identify likely points of failure and shore them up with better resilience and security. All of these recommendations are common sense and formalize expectations of what banks should do to maintain strong cybersecurity. In fact, to comply with the Basel Committee guidelines, banks will need to improve the protection of their most targeted but also increasingly critical digital assets: the front-end of applications and exposed APIs. By devoting resources to better securing front-ends and APIs, banks will go a long way toward meeting the new guidelines while simultaneously protecting customers, partners, and the bank against some of the most dangerous and fastest-growing types of attacks in the world today.

Uriel Maimon is Senior Director of Emerging Technologies at PerimeterX, a provider of solutions that protect modern web applications at scale.