
Result of security survey of Internet banking

Increasing Internet banking illegal remittance damage

ICT Research Institute Co., Ltd. (Chiyoda-ku, Tokyo) published the results of its “Internet banking security situation survey” on February 10. The survey examined the management status and security of banks’ websites and Internet banking sites for the period from August 2013 to December 2013. The investigation and evaluation were carried out in cooperation with Belue Creative, which provides information security diagnostic services.
The number of Internet banking users grows every year, and the utilization rate among bank service users has reached 65.2% (*1). Because financial services such as transfers, remittances and balance inquiries are easily available over the Internet, the convenience of banking services has improved and the utilization rate keeps rising. However, while online services have become easier to use, damage such as the illegal remittance of deposits and savings from Internet banking accounts has also increased, and last year’s damage was the worst on record. In 2013 there were 1,315 cases of damage, totaling 1,460 million yen, about four times the figure for 2011 (*2).
Much of this fraud is caused by impersonation, such as phishing and the illegal acquisition of IDs and passwords. To prevent such fraud, users’ security requirements for banks’ homepages and Internet banking sites are rising, and banks must operate Internet banking more safely. Against this backdrop, users increasingly want to understand the current state of security on domestic banking websites and to receive safer services. This survey therefore examines the security trends of the websites and Internet banking sites of the 123 banks that provide Internet banking services.

1% of individual Internet banking sites utilize certificates with high authentication level

Note: “High authentication level” here means that the site has obtained an “EV SSL certificate” that also supports “SGC (Server Gated Cryptography)” and therefore has high encryption strength.

In addition, 15.3% of the banks had obtained an EV SSL certificate, and so had a high authentication level, but did not support SGC. Next, 8.1% had high cryptographic strength but a weak authentication level (SGC support only), and 0.8% were weak in both authentication and encryption level (no certificate). Thus 91.1% of the sites have obtained an EV SSL certificate, which offers high security reliability, and can be evaluated as operating Internet banking safely. On the other hand, security problems requiring improvement were found at 8.9% of the sites. For those sites, it would be preferable to take measures that prove the authenticity of the site-operating organization and of the site itself at a high level, and measures that more strongly prevent eavesdropping on and tampering with communication data.

NTT Data ranked number one in the service provider’s share of Internet banking sites

Among the service providers of the 123 Internet banking sites surveyed, banks using NTT Data’s services (Anser Para SOL etc.) were the most numerous at 42.3%. Next, 10.6% of the banks use Hitachi’s service (FINEMAX etc.), and 2.4% use NEC’s services. The remaining banks, accounting for 44.7% of the total, operate their servers themselves or jointly operate servers with several other banks.

17% of banks’ homepages have security issues

Next, examination of the security status of the web servers used for the banks’ websites found security problems in the web servers (applications) of 21 banks, corresponding to 17% of the total. On some banks’ homepages, information about the web server is readily visible from outside, which may in some cases invite attack. These web servers have security issues such as the leakage of system-related information, so further strengthening of the websites seems necessary in the future.

84% of bank websites use Apache HTTP Server; only a few use IBM or Microsoft

On bank websites, Apache HTTP Server is by far the most common web server application, with an overwhelming share of 83.7% of the total. Apache HTTP Server is the web server software used on the most websites worldwide, and it is open source software that has been improved by its users. In recent years, web server software such as Microsoft IIS has emerged and Apache’s share of the world’s websites has fallen to about 50%, but it appears to remain highly popular on domestic bank websites. Among the web server software used on the websites of the 123 banks, the shares of IBM HTTP Server and Microsoft IIS are 2 to 3% each. Microsoft IIS, which has recently increased its share of the world’s web server software market, has so far seen little adoption on bank websites. In addition, since the number of Internet banking users is expected to grow, security measures on bank websites are becoming more important than ever. Many banks are working on improving the ease of use of their homepages and strengthening security, and their websites are expected to continue to develop and improve.
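The web server information disclosure noted above (server details readily visible from outside) is controlled in Apache HTTP Server by two directives. The fragment below is an added example, not configuration from the survey or from any bank, and assumes Apache HTTP Server 2.2 or later with the directives placed in the global context of httpd.conf; it shows the verbose setting beside the hardened one.

```apache
# Added example (not from the survey): limiting what Apache HTTP Server
# reveals about itself in the "Server" response header and on error pages.
# Apache does not allow trailing comments after a directive, so every
# comment is on its own line.

# --- Verbose (the default ServerTokens value) --------------------------
# With these settings the header reveals product, version, OS and
# loaded modules, e.g. "Server: Apache/2.4.x (Unix) OpenSSL/1.x.x",
# and server-generated error pages carry a version/hostname footer.
#
# ServerTokens Full
# ServerSignature On

# --- Hardened -----------------------------------------------------------
# Only the product name is sent: "Server: Apache"
ServerTokens Prod

# No version or hostname footer on server-generated error pages
# (404, 403, 500 and similar)
ServerSignature Off
```

After reloading the configuration, `curl -sI https://<your-site>/ | grep -i '^Server:'` against your own site shows the resulting header, which is the simplest way to confirm the change took effect.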

  • *1 Source: JBA “Questionnaire for Better Banking 2012”
  • *2 Source: National Police Agency, “On the occurrence of illegal remittance offenses related to Internet banking in Heisei 25 (2013)”

【Terminology】

  • SSL (Secure Sockets Layer): An Internet protocol used to prove the existence of the site-operating organization and the authenticity of the site, and to encrypt communication between the browser and the web server.
  • EV SSL (Extended Validation SSL certificate): An SSL certificate issued in accordance with the “EV Certificate Guidelines”, which define the examination items and procedures for obtaining a certificate. Only certification authorities that meet certain criteria may issue certificates under the guidelines.
  • SGC (Server Gated Cryptography): A technology that automatically steps up a connection from a browser that can only use 40-bit or 56-bit SSL encryption to 128-bit encryption. If the certificate supports SGC, 128-bit SSL communication is possible even for clients using older browsers that only support low encryption strengths such as 40 or 56 bits.
  • Apache HTTP Server: The world’s most widely used web server software.
  • Microsoft IIS: Microsoft’s web server software.

【About the survey results and estimation data in this document】

  • All text, figures, tables and graph data in this material were written and estimated by our analysts based on interviews and questionnaire surveys conducted by ICT Research Institute staff, and may in some cases differ from the values published by companies and public organizations.
  • All text, figures, tables and graph data in this document are as of the time of publication; forecast data and similar may be changed without notice in response to changes in the market environment and subsequent analysis.
  • When reprinting sentences, graphs, etc. from this material in news reports, white papers, seminar materials, academic research materials and the like, please add an attribution such as “ICT Research Institute survey” or “Source: ICT Research Institute”.

* For inquiries about the survey and the survey result data, please contact info@ belue-c.jp or use the inquiry form.