The Weak Link is Third-party Scripts
Large US banks allow their customers to log into their online banking services straight from the main page. This improves the customer experience because customers are not required to click and navigate to a separate login screen hosted elsewhere.
Unfortunately, third parties are, in general, granted full control over customers’ online banking sessions. Because banks include third-party-controlled code on their login screens, the security of the online banking service is undermined.
As a consequence, malicious code from a third-party service can remain persistent throughout the session and manipulate the full interaction between the bank and the customer.
Standard bank security solutions do not remediate the situation. Two-factor authentication, text message confirmation and other techniques are ineffective because third parties are granted access to the DOM in the visitor’s browser.
To make matters worse, this type of attack cannot be detected on the server side, as everything happens on the client side.
Third-party Trust Issues
Normally, they would not, of course. But what happens when a third party gets compromised? A potential attacker may find infiltrating a third party much easier than infiltrating the bank itself. In other words, the bank may have maximum security while the third party leaves a backdoor open.
For instance, BB&T Bank utilises a service from Silverpop for marketing automation on their website. This particular third-party was hacked a few years back, which could have allowed the attackers to get to the bank as well.
Major US Banks are Affected
The following image shows the number of external assets included on online banking login screens of popular banks in the States.
As the diagram shows, third-party scripts are hosted by third parties such as Maritz, Webtrends, AdWords and Adobe DTM.
Now let’s group the banks by third party:
As the table shows, the marketing tool from Ensighten alone powers four big financial institutions. In other words, a hacker can compromise four banks by hacking just one third-party service.
Protect Online Banking
There are two possible solutions to remediate the problem:
One is moving the online banking login screen onto dedicated web pages. These pages shall not include scripts or other assets from any third party.
The other is adding subresource integrity (SRI) protection to third-party assets. In this case, the bank assumes the third-party is trusted. However, SRI protects the site’s visitors from unexpected asset changes in case the third-party gets compromised in the future.
The solution is either to move online banking login screens to dedicated web pages that include no third-party assets, or to use subresource integrity (SRI), which protects the integrity of third-party assets.
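The SRI option above, as an added example that is not part of the original post: Node.js code that computes the integrity value a bank would pin for a reviewed third-party script and models the comparison the browser performs before running it. The script body and the URL are constructed placeholders.

```javascript
const crypto = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Integrity value computed over the exact bytes the bank reviewed.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Tag for the login page. crossorigin is needed for cross-origin SRI
// checks, so the third party must serve the file with CORS headers.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriFor(body)}" crossorigin="anonymous"></script>`;
}

// Model of the browser check: parse the attribute, keep only the strongest
// algorithm listed, and accept if any digest of that algorithm matches.
function passesSri(integrity, fetchedBody) {
  const entries = integrity.trim().split(/\s+/)
    .map((t) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)/.exec(t))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  // No usable metadata means the browser loads the script unchecked.
  if (entries.length === 0) return true;
  const strongest = entries.reduce((a, b) =>
    (STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a)).alg;
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => sriFor(fetchedBody, e.alg) === `${e.alg}-${e.digest}`);
}

// Constructed sample: the script as reviewed, and the same file after
// the third party's copy has changed.
const REVIEWED = 'window.analytics = { track: function () {} };';
const CHANGED = REVIEWED + ' /* modified after review */';
const PINNED = sriFor(REVIEWED);

console.log(scriptTag('https://cdn.thirdparty.example/tag.js', REVIEWED)); // hypothetical URL
console.log('reviewed file runs:', passesSri(PINNED, REVIEWED));
console.log('changed file runs: ', passesSri(PINNED, CHANGED));
```

The pinned value has to be regenerated and redeployed whenever the third party ships a legitimate update, so SRI suits versioned files rather than scripts the vendor rewrites in place.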
The detailed reports used for the assessment are available here; a summarised report is found here. Image courtesy of bngould291.
Update (18/02/2016): Coverage on Softpedia
Update (20/02/2016): Coverage on Liquidmatrix Security Digest Podcast