Basel ICT Risk Guidance: Securing Websites and Web Applications Is Now Paramount

By Uriel Maimon

On June 30, the Basel Committee on Banking Supervision issued two crucial new papers on operational risk: “Principles for the Sound Management of Operational Risk” and “Operational Risk – Supervisory Guidelines for the Advanced Measurement Approaches.” These are broad documents, but they were focused specifically on cybersecurity and information and communications technology (ICT) risk, and on strategies for resilience and more secure operations. The papers recommend pushing responsibility for applying these principles all the way up to the board level at banks.

Most importantly, the documents set a significantly higher standard for ongoing cybersecurity and resilience in the face of what are now persistent attacks. While it is not binding when issued, Basel Committee guidance is crucial to banks because it informs audit procedures and best practices and eventually makes its way, in some form, into the regulations of the national financial authorities that make up the Basel Committee.

The Basel ICT risk guidance provides a good opportunity to reflect on the current status of cybercrime and fraud risk. The guidance builds on a framework of existing regulations to establish international best practices. In the United States, financial services organizations are already bound by directives and regulations such as PCI DSS, FFIEC, UCC 4(a) and other rules from the Office of the Comptroller of the Currency, the Securities and Exchange Commission and the Financial Crimes Enforcement Network. Even as more and more regulations have come into force, the volume and severity of attacks on banks continue to increase. One reason is that front-end web applications have sometimes been neglected in terms of security controls, while more attention has gone to controls around money movement. This has made the front end the soft underbelly of many banks.

This is a major oversight. In the wake of the COVID-19 pandemic, web applications and online access have become the dominant medium of interaction between banks and their customers. According to research by BAI, 52 percent of people have increased their use of digital banking services during the pandemic; among millennials the figure is 70 percent. Banks that want to keep the confidence of customers and maintain a more legally defensible risk posture need to think about how they must change their security operations and solutions to adhere to the new Basel Committee guidelines. This will mean enforcing more stringent security measures and embracing technologies that proactively identify and mitigate automated fraud and supply chain attacks against web applications and websites.

Increasing cyber risk forcing stricter standards

These moves by the Basel Committee were likely a response to the growing volume and sophistication of cyber attacks against the applications and websites of major banks and financial institutions. Accenture and the Ponemon Institute pegged the annual damages and costs suffered by each bank from cyberattacks at $18.3 million in the report “Unlocking the Value of Improved Cybersecurity Protection.” In research by security company VMware Carbon Black, CISOs at leading financial institutions reported that “… 80 percent of surveyed financial institutions reported an increase in cyberattacks over the past 12 months, a 13 percent increase over 2019.” According to the report, 33 percent of banks were targeted with supply chain attacks, in which partners or technology suppliers were compromised as a means of accessing the banks’ systems under the guise of trusted intermediaries.

One of the largest threats banks and financial institutions face is account takeover through credential stuffing. According to the “State of Secure Identity” report by identity management provider Auth0, roughly 16 percent of all login attempts during a three-month period in 2020 were credential-stuffing attempts. This includes a number of severe attacks against major financial institutions. The severity and frequency of credential-stuffing attacks caused both the FBI and the SEC to issue stark warnings about this common form of account takeover. According to the FBI bulletin, credential-stuffing attacks represented 41 percent of all attacks against banks between 2017 and 2019, affecting over 50,000 accounts in the U.S. alone. Many of these attacks were against bank application programming interfaces (APIs), where multi-factor authentication is not required to access sensitive account information, the FBI noted.
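Credential stuffing has a recognizable shape in authentication logs: one source tries a few passwords each against many different accounts, or one account is hit from many sources at once, and a success after such a burst is the likely takeover. The following detector is an added example written for this article, not code from the author or from PerimeterX; the log format and the log lines are constructed for the illustration, and the thresholds (a five-minute window, four distinct usernames or IPs) are assumptions to be tuned against real traffic.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <result>".
# 203.0.113.7 tries five different accounts in four seconds, then succeeds
# (classic single-source stuffing). 198.51.100.20 is a user mistyping a
# password twice. "grace" is hit from four different IPs (distributed
# stuffing against one account).
SAMPLE_LOG = """\
2020-11-03T10:00:01 203.0.113.7 alice FAIL
2020-11-03T10:00:02 203.0.113.7 bob FAIL
2020-11-03T10:00:02 203.0.113.7 carol FAIL
2020-11-03T10:00:03 203.0.113.7 dave FAIL
2020-11-03T10:00:04 203.0.113.7 erin FAIL
2020-11-03T10:00:05 203.0.113.7 frank SUCCESS
2020-11-03T10:00:09 198.51.100.20 alice FAIL
2020-11-03T10:00:10 198.51.100.20 alice FAIL
2020-11-03T10:00:15 198.51.100.20 alice SUCCESS
2020-11-03T10:01:00 192.0.2.11 grace FAIL
2020-11-03T10:01:01 192.0.2.12 grace FAIL
2020-11-03T10:01:02 192.0.2.13 grace FAIL
2020-11-03T10:01:03 192.0.2.14 grace FAIL
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def _windowed_distinct(items, window, min_distinct):
    """items: time-sorted (timestamp, key) pairs. True if some span no longer
    than `window` contains at least `min_distinct` different keys."""
    counts = defaultdict(int)
    start = 0
    for ts, key in items:
        counts[key] += 1
        while ts - items[start][0] > window:          # slide the window forward
            old_key = items[start][1]
            counts[old_key] -= 1
            if counts[old_key] == 0:
                del counts[old_key]
            start += 1
        if len(counts) >= min_distinct:
            return True
    return False


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct=4):
    """Return source IPs spraying many accounts, accounts hit from many IPs,
    and (ip, user) pairs where a flagged IP then logged in successfully."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if result != "FAIL":
            continue
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))

    source_ips = sorted(ip for ip, items in by_ip.items()
                        if _windowed_distinct(items, window, min_distinct))
    targeted_accounts = sorted(user for user, items in by_user.items()
                               if _windowed_distinct(items, window, min_distinct))
    # A success from a flagged source is the probable account takeover.
    likely_takeovers = sorted({(ip, user) for _, ip, user, result in events
                               if result == "SUCCESS" and ip in source_ips})
    return {"source_ips": source_ips,
            "targeted_accounts": targeted_accounts,
            "likely_takeovers": likely_takeovers}


if __name__ == "__main__":
    for name, value in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

The two views matter because attackers who rotate through proxies defeat the per-IP count while the per-account count still fires; the same logic applies unchanged to API login endpoints, which is where the FBI bulletin says many of these attacks land.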

As web application usage soared, attacks followed

The data cited by the FBI is likely a vast understatement. The past year has seen an unprecedented increase in the use of online and mobile banking. According to research by the industry group BAI, more than half of consumers started using digital services more during the pandemic, and 87 percent plan to continue this higher volume of usage. Naturally, attackers have followed the traffic and the money. The Carbon Black report found a 238 percent increase in attacks against financial institutions during the first three months of the COVID pandemic.

API abuse for account takeovers is a growing problem

To work effectively with third-party services and to make their own applications more efficient, all banks increasingly rely on APIs to connect, share data and enhance functionality. In its warning, the FBI cited API attacks on banks as a growing concern, noting that attackers have gotten smarter and have recognized that APIs tend to be lightly defended. Attacks on APIs are also harder to filter and distinguish than attacks on actual websites, where actions such as navigating pages can often provide telltale clues that a visitor is actually a malicious bot. Putting multi-factor authentication in place to protect APIs is impossible because API communications are machine-to-machine and have no mechanism for out-of-band challenges such as sending an authentication code via SMS or requesting a code from an authenticator app.

Bank applications increasingly composed of third-party code

Like most online businesses today, banks are building web applications that are increasingly made up of code they do not control. This “shadow code” presents a risk because external code and scripts included in an application are often not properly reviewed for security exposures or sufficiently monitored. In fact, shadow code may be among the biggest risks facing banks today, because their application teams are moving quickly to include new functionality. Typically, though, the processes for reviewing and securing third-party code running on the front end of websites and inside mobile applications are far behind those for natively written software and services that run on the bank’s web server. Vulnerable third-party code has become a favorite attack vector for Magecart and digital skimming attacks that harvest sensitive customer information to fuel more lucrative social-engineering or automated fraud attacks—and through them, account takeovers.
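The first defensive step against shadow code is knowing what runs on the page and whether it is pinned: an inventory of every external script, which host serves it, and whether it carries a Subresource Integrity (SRI) `integrity` attribute so the browser refuses a modified copy. The script below is an added example, not code from the article or from PerimeterX. The HTML document, the hostnames and the `integrity` placeholder value are constructed for the illustration; `sri_hash` produces the value a team would paste into the tag once it has reviewed a specific script version.

```python
"""Inventory third-party scripts in a page and flag unpinned ones (added example)."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one first-party script, one unpinned third-party script,
# one third-party script pinned with SRI (placeholder hash), one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://cdn.example-widgets.test/chat.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline")</script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> that loads an external file."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attributes = dict(attrs)
        if attributes.get("src"):
            self.scripts.append(attributes)


def inventory_scripts(html, first_party_host):
    """One row per external script: its src, whether it is served from a host
    other than `first_party_host`, and whether it carries an SRI pin."""
    collector = _ScriptCollector()
    collector.feed(html)
    rows = []
    for attributes in collector.scripts:
        host = urlparse(attributes["src"]).hostname   # None for relative paths
        rows.append({
            "src": attributes["src"],
            "third_party": host is not None and host != first_party_host,
            "pinned": bool(attributes.get("integrity")),
        })
    return rows


def unpinned_third_party(html, first_party_host):
    """The scripts that need review and pinning before the next release."""
    return [row["src"] for row in inventory_scripts(html, first_party_host)
            if row["third_party"] and not row["pinned"]]


def sri_hash(script_body, algo="sha384"):
    """Compute the SRI value ("sha384-<base64 digest>") for a reviewed script body."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    for row in inventory_scripts(SAMPLE_HTML, "bank.example.test"):
        print(row)
    print("needs pinning:", unpinned_third_party(SAMPLE_HTML, "bank.example.test"))
    # Constructed script body standing in for a reviewed vendor file.
    print("integrity value:", sri_hash(b"window.vendorTag = function () {};"))
```

Running this against each deployed page and diffing the inventory between releases is the monitoring piece the paragraph says is usually missing: a new host or a pin that disappears is a change someone should have approved. Pinning a cross-origin script requires the `crossorigin="anonymous"` attribute and a CDN that sends CORS headers, and it only fits scripts whose content the vendor does not change in place; scripts that update silently cannot be pinned and should be treated as the highest-risk entries in the list.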

To fulfill the new guidance, banks need to focus on their front end

The Basel Committee’s new guidance clearly calls for banks to have documented ICT policies covering cybersecurity, including details of security architecture and design, policies and controls. The committee’s guidance recommends a number of steps, including strong mandates around incident response plans, security layers and policies, and detailed accountability and monitoring of security efforts.

The guidance also calls for redoubling efforts to identify likely points of failure and shore those up with better resilience and security. All of these recommendations make good sense and formalize expectations around what banks should be doing to maintain strong cybersecurity. In reality, to fulfill Basel Committee guidance, banks will need to improve protection of their most highly targeted but also increasingly critical digital assets—the front end of applications and exposed APIs. By dedicating resources to better securing front ends and APIs, banks will go a long way toward fulfilling the new guidelines while simultaneously protecting customers, partners and the bank from some of the fastest growing and most dangerous attack types in the world today.

Uriel Maimon is senior director of emerging technologies at PerimeterX, a provider of solutions that protect modern web apps at scale.