Why financial firms should pay particular attention to their client-side web assets

By Ivan Tsarynny

The banking industry was dubbed the “most breached sector” by Forbes in 2019. At the time, it accounted for 35 percent of all data breaches. Three years on, it is clear that banks and other financial services firms remain prime targets for malicious actors. They are among the ripest targets for attackers seeking to exploit the fact that customers enter ultra-sensitive (and valuable) data into JavaScript-based online forms and other tools that run in the front end, or “client side.”

Online banking has experienced a tremendous shift in the past two years. Banking websites rely heavily on scripts to gather sensitive information and are held to high standards of online compliance. The need to improve security in the financial sector has never been greater, especially on the client side.

The Types of Client-Side Attacks Threatening the Financial Services Sector

Online banking has never been more accessible, but that accessibility has drawbacks for digital security, and the client side is especially susceptible to attack. Account takeover occurs when threat actors obtain a user’s credentials and use the account for financial gain. Cross-Site Scripting (XSS) injects malicious script into the pages a client-facing website serves to its users. E-skimming steals credit card numbers or other sensitive data by exploiting flaws in the page’s code. Formjacking is a form of e-skimming in which injected code captures valuable data as users enter it into forms. JavaScript injection attacks insert attacker-controlled script into a page in order to take control of the website’s behavior.

To properly guard their websites and web applications from client-side attacks, the industry’s cybersecurity professionals have little choice but to pay increasing attention to what is happening on their organization’s client-side “surface” if they are to avoid client-side breaches.

What Other Types of Tools Support Client-Side Security?

There are additional client-side security tools available to organizations, none of which, unfortunately, protect the entire client-side surface. Web Application Firewalls (WAFs) scan and protect against some types of skimming attacks. However, WAFs do not protect the browser-level user interface itself and are not able to detect and protect businesses from sophisticated skimming malware, drive-by skimming, supply chain attacks, or sideloading.

Content Security Policies (CSPs) can detect attacks such as cross-site scripting (XSS), but they are not easy to add to an existing website: they are complex to write, and a policy that does not account for every legitimate resource conflicts with the site and breaks its functionality. Penetration testing, vulnerability assessment and security assessment are, at this point in time, rarely applied to client-side threats. Pen tests and assessments are also a snapshot in time, so attackers can execute attacks in the window between quarterly or annual assessments, and if they discover new vulnerabilities they are likely to exploit them before the next test is complete. Pen testing and assessments are a key part of the security process, but organizations remain exposed to threats even after the tests are completed. Unfortunately, threat actors are far more nimble than most companies.

Vulnerability scanning tools are designed to scan back-end code and systems, typically the digital assets that live on the server side. They cannot enumerate every JavaScript file a page loads or detect every vulnerability in those files. Vulnerability scanners see the client side only after it has been assembled, not as it executes in the browser in real time, and they see only one site or domain, not all of the links that are part of it.

Code obfuscation (or scrambling) makes code harder for cybercriminals to interpret, but freely available online de-obfuscation tools let threat actors reverse engineer the original code. Obfuscators can also be a problem for the site owner, since it is sometimes difficult to unscramble the code when necessary. An approach that instead prioritizes client-side attack surface monitoring gives organizations a strategic advantage in detecting and preventing these threats.

What Is Client-Side Attack Surface Monitoring?

Client-side attack surface monitoring automates the logging of an organization’s web assets. It then gives IT personnel a list of the data each asset accesses, along with specific remediation advice for security teams, in real time.

Client-side security technologies replicate actual user behavior on a webpage, including executing custom user-journey scenarios. Using “synthetic users” that pose as honeypot customers, client-side attack surface monitoring solutions autonomously simulate real user behavior. Such a tool automatically maps and monitors the client-side attack surface, detects and describes abnormal application behavior, informs security teams of the state of their client-side attack surface, and alerts application developers in real time to code issues that need fixing. This approach provides protection against customer data exfiltration.

By revealing previously undetected or net new threats, and delivering mitigation advice, client-side surface monitoring allows companies to close security gaps in their client-side JavaScript web applications.

The Benefits of Client-Side Attack Surface Monitoring for Financial Firms

The benefits of client-side attack surface monitoring for financial firms are numerous—they are not limited to evaluating web applications. It can also provide financial institutions with synthesized intelligence through post-scanning analysis. Additionally, IT personnel can analyze the data gathered by synthetic users and gain important threat intelligence that security teams can respond to rapidly, if needed. These synthetic users are adaptable and learn as they go, identifying and classifying information to discover client-side issues that would otherwise go undetected.

Client-side attack surface monitoring solutions are simple to implement and maintain on active websites, require no major modifications, and are more effective than the other approaches mentioned. This approach does involve interaction between the financial institution’s development and cybersecurity teams. Both teams need to be well versed in client-side application structures in order to ensure the website is properly secured. But by working together, security and development teams can ensure client-side security with ease.

The best defense for web applications and websites is awareness. By employing some or all of the aforementioned approaches, IT personnel will always know the web assets they own and the data that is stored. And more importantly, they’ll be more confident of how those assets function and how users interact with them. It’s security from the outside-in, giving web assets the attention they deserve so that they don’t transform from a business enabler into a formidable threat.

Ivan Tsarynny is CEO and co-founder of Feroot Security.