Cyberthreats and bad experience — why financial institutions aren’t prepared for the future

Financial institutions are under siege by cybercriminals. Banks, credit unions, insurance, and investment firms are attacked 300 times more often than companies in other industries. Even more shocking, 97 percent of the largest banks are considered vulnerable to web or mobile attacks. 

In the past few years, financial institutions have lost billions, including more than $1.8 billion from SWIFT — the leading global network for money and security transfers — infiltration, state-sponsored attacks ranging from $10 million up to $81 million, and a $1.2 billion dollar attack on 100 financial institutions across 40 countries.

In addition to the stolen funds, an average data breach costs more than $18 million in fines, legal costs, and lost business due to a damaged reputation. More than one in four people switch banks due to unauthorized account activity.

To make a bad situation even worse, government regulations and security compliance (PCI, GDPR, etc.) can conflict with customer needs. For example, banks in the UK recently had to choose between implementing recommended browser security requirements and maintaining a website that could still be accessed by customers with older devices and operating systems.

Banks and other financial institutions also suffer the consequences of lax security in other industries. Because internet users tend to use the same username and password for multiple sites, it’s possible for cybercriminals to access a banking account with, for example, a hotel loyalty program login. With at least five new data breaches occurring every day, the supply of stolen logins is nearly endless. 

Here are the top three web application security threats facing financial institutions. 

1. Credential stuffing and bad bots

The financial industry is the number one target for bad bot attacks. During a credential stuffing attack, bad bots attempt to access a website by trying thousands of stolen login credentials. With bot attacks, traffic often comes from hundreds or thousands of different machines instead of a single source. These bot networks (botnets) allow attackers to circumvent protections such as automatic lockouts, which tend to operate by blocking login attempts from a specific source after a number of failed attempts. With credential stuffing, login attempts come from many different sources, so they simply look like regular user login attempts.

Even in instances where protections are in place, sophisticated bots will bypass them by utilizing techniques such as distributing traffic from many different hacked end-user PCs instead of a single origin.

Bad bots may also attempt to take advantage of promotions and giveaways, automating the completion of forms or the opening of accounts using stolen social security numbers and personal information in an attempt to obtain opening bonuses etc.
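The detection gap described above (a per-source lockout that never fires because each source makes only one or two attempts) is easiest to see on log data. The following is an added example, not code from the original post or from Instart; it works over a small set of constructed authentication log lines in an assumed `timestamp source_ip username outcome` format, contrasts a classic per-source lockout with an aggregate per-minute view, and lists the successful logins inside an alerting window so they can be reviewed for account takeover.

```python
from collections import defaultdict

# Constructed sample authentication log (not real traffic), one event per line:
# "<timestamp> <source_ip> <username> <outcome>"
LOG_LINES = """
2019-03-01T10:00:01Z 203.0.113.7 alice FAIL
2019-03-01T10:00:05Z 203.0.113.7 alice OK
2019-03-01T10:00:09Z 198.51.100.21 bob OK
2019-03-01T10:01:00Z 192.0.2.11 carol FAIL
2019-03-01T10:01:01Z 192.0.2.12 dave FAIL
2019-03-01T10:01:02Z 192.0.2.13 erin FAIL
2019-03-01T10:01:03Z 192.0.2.14 frank FAIL
2019-03-01T10:01:04Z 192.0.2.15 grace FAIL
2019-03-01T10:01:05Z 192.0.2.16 heidi OK
2019-03-01T10:01:06Z 192.0.2.17 ivan FAIL
2019-03-01T10:01:07Z 192.0.2.18 judy FAIL
2019-03-01T10:01:08Z 192.0.2.19 mallory FAIL
2019-03-01T10:01:09Z 192.0.2.20 niaj FAIL
2019-03-01T10:01:10Z 192.0.2.21 olivia FAIL
2019-03-01T10:01:11Z 192.0.2.22 peggy FAIL
2019-03-01T10:01:12Z 192.0.2.23 quentin FAIL
""".strip().splitlines()


def parse_line(line):
    """Parse one constructed log line into a small event dict."""
    ts, ip, user, outcome = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"}


def per_source_lockouts(events, max_failures=3):
    """Classic lockout: a source is blocked once it accumulates max_failures failed attempts.
    Against a distributed attack every source stays under the threshold, so this returns nothing."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= max_failures}


def detect_stuffing(events, min_failures=10, min_sources=10, min_failure_ratio=0.5):
    """Aggregate view: bucket events per minute across ALL sources and alert when a bucket
    shows many failures, spread over many sources, with an unusually high failure ratio."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"][:16]].append(e)  # "YYYY-MM-DDTHH:MM" is the per-minute key
    alerts = {}
    for minute, evs in sorted(buckets.items()):
        failed = [e for e in evs if not e["ok"]]
        sources = {e["ip"] for e in failed}
        ratio = len(failed) / len(evs)
        if len(failed) >= min_failures and len(sources) >= min_sources and ratio >= min_failure_ratio:
            alerts[minute] = {
                "failures": len(failed),
                "distinct_sources": len(sources),
                "distinct_users": len({e["user"] for e in failed}),
                "failure_ratio": round(ratio, 3),
                # Logins that succeeded inside the burst: candidates for forced re-authentication
                "successes": [(e["user"], e["ip"]) for e in evs if e["ok"]],
            }
    return alerts


if __name__ == "__main__":
    events = [parse_line(line) for line in LOG_LINES]
    print("locked by per-source rule:", per_source_lockouts(events))
    for minute, info in detect_stuffing(events).items():
        print(minute, info)
```

The thresholds are deliberately simple; in practice they would be baselined against the site's normal failure ratio, and the aggregate signal would feed a step-up challenge or bot-management rule rather than a blanket block, since the sources are otherwise indistinguishable from real customers.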

2. Third-party JavaScript attacks

Banks are also at risk from their supply chain partners and third-party code. Traditional website security can only detect malware transmitted via links or incoming files; it cannot safeguard against malicious JavaScript that loads in the browser. This blind spot creates a massive hole where criminals can reach in and vacuum up precious customer data.

In 2018, the hacking groups referred to as Magecart corrupted a retargeting script and gained access to customer data from nearly 300 eCommerce websites. Magecart was also able to sidestep British Airways’ website security in a similar manner and skim personal and payment information on an estimated 380,000 customers.

Magecart’s attack on British Airways lasted 15 days, and its skimming attack on Newegg lasted more than a month. The hackers created false payment processing domains with names similar to the real domain (baways.com and neweggstats.com) and used legitimate SSL certificates to prevent their criminal activities from being red flagged.
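Two browser-side controls that address the third-party script problem described above are Subresource Integrity (pinning a script tag to a hash of the expected content) and a Content Security Policy allow-list of script hosts. The block below is an added example and not code from the original post or from Instart; it uses constructed script bodies and assumed host names (`cdn.example-bank.test`, `tags.example-partner.test`) to show how an integrity attribute is computed, how even a one-line change to a pinned script fails verification, and how a look-alike domain is rejected by the allow-list.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed script bodies (not real vendor code): the tampered copy differs by one appended line.
ORIGINAL_SCRIPT = b"window.retarget = function (e) { /* records a page view */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"window.retarget.v = 2;\n"

# Assumed allow-list of hosts permitted to serve scripts on the bank's pages.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-bank.test", "tags.example-partner.test"}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Accept the body if any token in the integrity attribute matches its digest,
    mirroring browser behaviour for space-separated multi-hash attributes."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # unknown algorithms are ignored, as browsers do
        if hmac.compare_digest(sri_digest(body, algo), token):
            return True
    return False


def script_src_policy(hosts) -> str:
    """Build the script-src directive of a Content-Security-Policy header from the allow-list."""
    origins = " ".join(sorted(f"https://{h}" for h in hosts))
    return f"script-src 'self' {origins};"


def script_allowed(url: str, hosts) -> bool:
    """Policy check for a script URL: HTTPS only and host must be on the allow-list."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in hosts


if __name__ == "__main__":
    pinned = sri_digest(ORIGINAL_SCRIPT)
    print(f'<script src="https://tags.example-partner.test/rt.js" integrity="{pinned}" crossorigin="anonymous"></script>')
    print("original verifies:", verify_sri(ORIGINAL_SCRIPT, pinned))
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))
    print("Content-Security-Policy:", script_src_policy(ALLOWED_SCRIPT_HOSTS))
```

The caveat a practitioner will hit immediately: SRI only works for scripts whose content is stable, and many marketing and retargeting tags change without notice, which is exactly why the allow-list and runtime monitoring of what the script touches (form fields, cookies) matter alongside the hash.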

3. Cross-site scripting (XSS) and SQL injection (SQLi) 

All applications are developed using a combination of technologies – and financial web apps and websites are no different. They leverage code libraries and plugins to add functionality or tracking. With all these moving pieces, as well as pressure to meet consumer expectations, development resources are stretched. It’s easy to make mistakes and leave bugs in the code — and it’s these vulnerabilities that attackers exploit through cross-site scripting and SQL injection. In fact, cross-site scripting vulnerabilities and insufficient protection for data exfiltration have been the two most common banking vulnerabilities since 2017. 

Successful SQL injection attacks can yield massive caches of data, especially in situations where attackers are able to dump an entire database table. One of the things that makes SQL injection attacks so damaging when successful is that attackers are able to perform them quickly, leaving minimal time for detection and interception.

SQL injection attack methods will also likely be re-used as organizations adopt newer technologies, such as ElasticSearch. While the various libraries may mature over time, there will likely be user-input sanitization challenges similar to those experienced with SQL, meaning injection attacks will continue to be an issue in the future. 
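The root cause named in this section, user input reaching an interpreter unescaped, is the same for SQL injection and for cross-site scripting, and the fix is the same in shape: keep data and code separate. The block below is an added example, not code from the original post or from Instart; it builds a constructed in-memory SQLite `accounts` table, places a string-built lookup (the defect) next to a parameterized one, adds an allow-list format check as defense in depth, and shows output encoding for the XSS case.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data (not real accounts) in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 2500), ("1002", "bob", 900), ("1003", "carol", 31000)],
    )
    return conn


def lookup_vulnerable(conn, account_no):
    """DEFECT: the user-supplied value is pasted into the SQL text, so it is parsed as SQL.
    An input that closes the quote and adds a condition that is always true returns every row."""
    sql = f"SELECT account_no, owner, balance FROM accounts WHERE account_no = '{account_no}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_no):
    """Fixed: the value travels as a bound parameter and is only ever compared as data."""
    sql = "SELECT account_no, owner, balance FROM accounts WHERE account_no = ?"
    return conn.execute(sql, (account_no,)).fetchall()


def valid_account_no(account_no):
    """Defense in depth: reject anything that is not the expected four-digit format
    before it reaches the database at all."""
    return account_no.isdigit() and len(account_no) == 4


def render_greeting(owner):
    """XSS counterpart: encode the value for the HTML context it is inserted into,
    so a stored or reflected owner name cannot become markup or script."""
    return f"<p>Welcome, {html.escape(owner, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # textbook injection input used only to show the difference
    print("vulnerable:", lookup_vulnerable(conn, tautology))      # all three rows
    print("parameterized:", lookup_parameterized(conn, tautology))  # no rows
    print("format check:", valid_account_no(tautology))             # False
    print(render_greeting("<script>alert(1)</script>"))
```

The format check is not a substitute for parameterization: it narrows the input space for one field, while binding parameters fixes the class of bug for every query. The same separation applies to the ElasticSearch case mentioned above, where query bodies should be built from structured objects rather than string-concatenated user input.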

Ignoring the need for better web experiences is not an option

Financial institutions are also under pressure from customers who expect their bank to deliver the same great web experience they get from entertainment and online shopping sites, while securing their user data and keeping their transactions safe. At a recent Forrester Research event, a speaker from Lincoln Financial stated that he never thought he would be competing with Netflix! 

Experts estimate banks that don’t create a modern website experience could lose millions, even billions of dollars in the next ten years, depending on the size of the bank. For most businesses, the most cost-effective way to improve web security and performance is to move some or all of their applications to the cloud, but financial institutions are understandably hesitant.

Instart helps financial institutions manage all their top website priorities, including strong security, exceptional web experiences, and financial goals. Instart protects the entire traffic path from your infrastructure and extends beyond the edge to the browser where customers and attackers interact with your web app or website.

The Instart web app and API protection (WAAP) platform provides comprehensive security, including a web app firewall (WAF), DDoS mitigation, bot management, as well as control of your third-party tags to:

  • Identify and block credential stuffing and other types of attacks engineered by sophisticated bots.
  • Prevent distributed denial-of-service (DDoS) attacks, cross-site scripting (XSS), SQL injection (SQLi), and more.
  • Provide deep browser-level controls to protect form fields and cookies from unauthorized third-party access.
