ICT Research Institute Co., Ltd. (Chiyoda-ku, Tokyo) summarized the results of its “Internet banking security situation survey” on February 10. The survey examined the management status and security of banks’ websites and Internet banking sites over the period from August 2013 to December 2013. The investigation and evaluation were carried out in cooperation with Belue Creative, which provides information security diagnostic services.
The number of Internet banking users is increasing year by year, and the utilization rate among bank service users has reached 65.2% (*1). Financial services such as transfers and balance inquiries are readily available over the Internet, which makes banking more convenient for users and is driving the utilization rate up. However, while online services have become easier to use, damage such as illegal remittance of deposits and savings from Internet banking accounts has increased, and the amount of damage last year was the worst on record. There were 1,315 cases of damage in 2013, totaling 1,460 million yen, which is about four times higher than in 2011 (*2).
Much of this fraud damage is caused by impersonation, such as phishing and the illegal acquisition of IDs and passwords. To prevent fraud, users are demanding more security from banks’ homepages and Internet banking sites, and banks are required to operate Internet banking more safely. Against this backdrop, users’ need to understand the current state of security of domestic banking websites and to receive safer services is increasing year by year. This survey therefore examined the security trends of the websites and Internet banking sites of the 123 banks that provide Internet banking services.
Note: A high authentication / encryption level here means that the site has acquired an “EV SSL certificate” and supports “SGC (Server Gated Cryptography)”, giving it high encryption strength.
In addition, 15.3% of banks had acquired an EV SSL certificate, giving them a high authentication level, but did not support SGC. Next, sites with high encryption strength but a weak authentication level (SGC support only) accounted for 8.1%, and sites weak in both authentication and encryption levels (no certificate) accounted for 0.8%. Therefore, 91.1% of the sites have acquired EV SSL certificates, which offer high security reliability, and can be judged to be handling Internet banking safely. On the other hand, security problems needing improvement were found at 8.9% of the sites. For those sites, it seems preferable to take countermeasures that prove the authenticity of the site’s operating organization and of the site itself at a high level, and measures that protect communication data more strongly against eavesdropping and tampering.
As for the service providers behind the 123 Internet banking sites surveyed this time, banks using NTT Data’s services (Anser Para SOL, etc.) were the largest group at 42.3%. Next, 10.6% of the banks use Hitachi’s services (FINEMAX, etc.), and 2.4% use NEC’s services. The remaining banks, 44.7% of the total, operate the servers themselves or operate servers jointly with multiple banks.
Next, an examination of the security of the web servers used for the banks’ websites found security problems in the web servers (applications) of 21 banks, corresponding to 17% of the total. On the homepages of some banks, information about the web server is readily visible from the outside, which may expose the server to attack in some cases. These web servers have weaknesses and security issues such as leaks of system-related information, so it seems necessary to further strengthen these websites in the future.
84% of bank websites use Apache HTTP Server; those using IBM and Microsoft remain few.
Among bank websites, Apache HTTP Server is the most frequently used web server application, with an overwhelming share of 83.7% of the total. Apache HTTP Server is the web server software that has been used on the most websites worldwide, and it is open source software that has been improved by its users. In recent years, web server software such as Microsoft IIS has emerged, and Apache’s share of the world’s websites has fallen to about 50%. But it seems that Apache still enjoys high popularity on the websites of domestic banks. Among the web server software used on the websites of the 123 banks, the share of IBM HTTP Server and Microsoft IIS is 2 to 3%. Microsoft IIS, which has recently increased its share of the world’s web server software market, has not been introduced so far on banks’ websites.
In addition, the number of Internet banking users is expected to expand in the future, so security measures on banks’ websites will become more important than ever. Many banks are working on improving the ease of use of their homepages and on strengthening security, and their websites are expected to continue to develop and improve in the future.
【About the survey results and estimation data in this document】
* For inquiries about the survey, the survey result data, etc., please contact info@belue-c.jp or use the inquiry form.