Many US Banks Failed Web Security Testing

Web security Reading Time: 3 minutes

An anonymous audit on web security in US banks conducted by the Online Trust Alliance (OTA) – a non-profit organization, has revealed that 65% of large banks have poor web security and they even failed the testing.

web security testing

Many banks have received a bad ranking for security and privacy. Their overall score was disappointingly low.

The OTA recognizes robust web security grades with an Honor Roll award. In this year’s survey, however, US banks saw a significant decline in the Honor Roll list. From 55 percent in 2016, it dropped to 27 percent, they also had the most failing grades among all industries.

The basic criteria to receive an Honor Roll award is that a firm must achieve a minimum score of 80% in the following:

consumer protection
consumer security
consumer privacy protection practices

The anonymous survey was conducted on 1000 websites where 52% qualified for the Honor Roll. Alarmingly, only 27% of the 100 largest banks in the US made the grade. Though the banking industry has made significant improvements towards more secure measures after facing a brunt of data breaches, email authentication, and privacy issues – the percentage of banks achieving the grade has fallen. Overall large banks had moderately good website security with 17% failures but fared worse with 45% failure in email security and 34% failure in privacy. In the case of breaches, only 2% of the large bank websites have an easy to discover reporting mechanism.

The American Bankers Association (ABA) has disputed the survey results on the percentage of banks that had suffered a breach.

SSL/TLS Scores

It is quite shocking that among all industries, banks received the lowest score in SSL security. The low score was attributed to the use of outdated, weak and insecure protocols and cipher suites, and incomplete certificate chains. It was found that RC4 and 64-bit block cipher with modern protocols were still being used.

Importance of Data

“Data is the ‘oil’ of the Internet – it is fueling innovation and revenue, yet if abused, there is a risk of a negative impact to society,” said Craig Spiezle, Founder and Chairman Emeritus of OTA. “The Audit underscores the urgency to embrace responsible security and privacy practices.

Spiezle also stated: “The internet economy runs on data. If this data is not secure and users have negative experiences, this ultimately threatens the future growth and revenue potential of the internet.”

Another survey – the 2017 CIGI-Ipsos Global Survey on Internet Security and Trust portrays the poor state of online trust. Concerns about privacy have increased and only about 50% of the surveyed people agreed that they trust the Internet.

Mitigation Measures

The OTA survey reveals that banks have to get their act together and enhance their security. Technology must be updated. Outdated, weak, and therefore vulnerable security protocols must no longer be used. Overall web security must be ensured through the implementation of a robust cloud-based endpoint security solution.