
Hacking Banking Websites: Myth or Reality?

November 12, 2013

Today more and more bank and financial websites are falling victim to hackers; while this is a worrying trend, these incidents do help raise awareness in both the corporate and public mind of the importance of web application security.

Many cases of suspicious activity and successful web hacks and security incidents at large financial institutions were brought to our attention by the international media and press this year. Many news stories, as well as some solid research, revealed how fragile the security of websites in the financial industry really is. According to Frost & Sullivan research, 4 out of 5 websites are vulnerable today, 3 out of 4 network intrusions involve an insecure web application, and a single web vulnerability can compromise an entire organization.

To understand the scale of the issue, we decided to perform some simple research to find out how many financial institution websites had actually been compromised. Of course, many security incidents passed unnoticed or were covered up by the victims, so we used only public and open sources of information to collect our statistics. For the experiment we took the “WORLD'S 50 BIGGEST BANKS 2012” list provided by Global Finance magazine, which groups fifty of the world’s largest financial institutions. The research for each bank’s website consisted of three steps that can be easily reproduced by anyone:

  • Verification of the website presence on xssed.org (largest XSS archive)
  • Verification of the website presence on zone-h.org (largest defacement archive)
  • Search for the website presence on various security and hacking websites and blogs

To simplify our research we looked only at the main websites and subdomains of each bank, without taking into consideration regional websites. The results of our research were quite interesting and are provided in the table below:


Financial Institution Name | Number of Web Security Incidents | Known Web Security Incidents
Deutsche Bank | 3 | [2005] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability
HSBC | 10 | [2000] Website Compromise; [2008] XSS Vulnerability; [2008] XSS Vulnerability; [2009] XSS Vulnerability; [2009] XSS Vulnerability; [2009] Redirect Vulnerability; [2009] XSS Vulnerability; [2009] Website Compromise; [2012] SQL Injection; [2012] XSS Vulnerability
BNP Paribas | 6 | [2003] Website Compromise; [2007] XSS Vulnerability; [2007] XSS Vulnerability; [2008] XSS Vulnerability; [2009] SQL Injection; [2011] XSS Vulnerability
Industrial and Commercial Bank of China | 4 | [2007] XSS Vulnerability; [2007] XSS Vulnerability; [2010] XSS Vulnerability; [2012] XSS Vulnerability
Mitsubishi UFJ Financial Group | 0 | -
Crédit Agricole | 3 | [2009] XSS Vulnerability; [2009] XSS Vulnerability; [2011] XSS Vulnerability
Barclays Group | 9 | [2007] XSS Vulnerability; [2008] XSS Vulnerability; [2008] XSS Vulnerability; [2008] XSS Vulnerability; [2008] XSS Vulnerability; [2009] XSS Vulnerability; [2009] XSS Vulnerability; [2009] Redirect Vulnerability; [2009] XSS Vulnerability
Royal Bank of Scotland | 2 | [2007] XSS Vulnerability; [2009] Website Compromise
JPMorgan Chase | 1 | [2006] XSS Vulnerability
Bank of America | 12 | [2007] XSS Vulnerability; [2007] XSS Vulnerability; [2008] XSS Vulnerability; [2009] Redirect Vulnerability; [2009] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability; [2010] XSS Vulnerability
China Construction Bank | 0 | -
Mizuho Financial Group, Inc | 0 | -
Bank of China | 0 | -
Citigroup | 2 | [2008] XSS Vulnerability; [2011] Website Compromise
Agricultural Bank of China | 0 | -
ING Group | 1 | [2009] Website Compromise
Banco Santander | 4 | [2007] XSS Vulnerability; [2007] XSS Vulnerability; [2008] XSS Vulnerability; [2011] XSS Vulnerability
Sumitomo Mitsui Financial Group | 0 | -
Société Générale | 1 | [2012] XSS Vulnerability
UBS | 6 | [2008] XSS Vulnerability; [2010] Website Compromise; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability
Lloyds Banking Group | 0 | -
Groupe BPCE | 0 | -
Wells Fargo | 5 | [2010] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2012] XSS Vulnerability
UniCredit | 0 | -
Credit Suisse | 1 | [2011] XSS Vulnerability
China Development Bank | 0 | -
Rabobank | 0 | -
Goldman Sachs | 0 | -
Nordea | 2 | [2008] SQL Injection; [2012] SQL Injection
Norinchukin Bank | 0 | -
Commerzbank AG | 1 | [2010] Redirect Vulnerability
Intesa Sanpaolo | 0 | -
Royal Bank of Canada | 3 | [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability
Banco Bilbao Vizcaya Argentaria | 0 | -
National Australia Bank | 0 | -
TD Bank Group | 0 | -
Bank of Communications | 2 | [2005] Website Compromise; [2006] XSS Vulnerability
Commonwealth Bank of Australia | 0 | -
Westpac | 1 | [2009] Website Compromise
KfW | 0 | -
Standard Chartered Plc | 6 | [2007] XSS Vulnerability; [2010] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2012] Website Compromise; [2013] Website Compromise
Scotiabank (Bank of Nova Scotia) | 0 | -
Danske Bank | 0 | -
ANZ Group | 1 | [2011] XSS Vulnerability
Dexia | 2 | [2009] XSS Vulnerability; [2009] Website Compromise
DZ Bank | 0 | -
Banco do Brasil S.A. | 4 | [2007] XSS Vulnerability; [2007] XSS Vulnerability; [2011] XSS Vulnerability; [2013] XSS Vulnerability
Bank of Montreal | 10 | [2010] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability; [2011] XSS Vulnerability
Banque Fédérative du Crédit Mutuel | 0 | -
Landesbank Baden-Württemberg | 0 | -

Table: publicly exposed web security incidents of the world’s 50 biggest banks [2012]

Total websites analyzed: 50
Total websites impacted by web security incidents: 26/50 [52%]
Total websites impacted by low/medium risk incidents: 23/50 [46%]
Total websites impacted by high/critical risk incidents: 11/50 [22%]

Total number of incidents discovered: 102
Total low/medium risk incidents: 87/102 [85%]
Total high/critical risk incidents: 15/102 [15%]
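As an added example (not the authors' code), the following script reproduces the summary counters above from a per-bank incident list so the figures can be re-derived from the table. The mapping of incident types to risk bands (SQL Injection and Website Compromise as high/critical, XSS and Redirect as low/medium) is an assumption inferred from the page's numbers, and the records embedded below are a constructed subset of the table, not a full copy.

```python
"""Recompute the page's incident statistics from a list of (bank, year, type) records.

Assumption: "SQL Injection" and "Website Compromise" count as high/critical,
"XSS Vulnerability" and "Redirect Vulnerability" as low/medium. The page does
not state this mapping explicitly; it is inferred from the reported totals.
"""
from collections import Counter

HIGH_CRITICAL = {"SQL Injection", "Website Compromise"}
LOW_MEDIUM = {"XSS Vulnerability", "Redirect Vulnerability"}

# Constructed sample: a handful of rows copied from the table, plus one bank
# with no incidents so the "impacted" logic is exercised.
SAMPLE_BANKS = ["HSBC", "Nordea", "Commerzbank AG", "Credit Suisse", "Goldman Sachs"]
SAMPLE_INCIDENTS = [
    ("HSBC", 2000, "Website Compromise"),
    ("HSBC", 2008, "XSS Vulnerability"),
    ("HSBC", 2012, "SQL Injection"),
    ("Nordea", 2008, "SQL Injection"),
    ("Nordea", 2012, "SQL Injection"),
    ("Commerzbank AG", 2010, "Redirect Vulnerability"),
    ("Credit Suisse", 2011, "XSS Vulnerability"),
]


def severity(incident_type):
    """Map an incident type from the table to one of the page's two risk bands."""
    if incident_type in HIGH_CRITICAL:
        return "high/critical"
    if incident_type in LOW_MEDIUM:
        return "low/medium"
    raise ValueError(f"unknown incident type: {incident_type!r}")


def summarize(banks, incidents):
    """Return the counters the page reports: banks impacted overall and per band,
    incident totals per band, and the per-bank incident count."""
    per_bank = Counter(bank for bank, _, _ in incidents)
    bands_per_bank = {}
    for bank, _, kind in incidents:
        bands_per_bank.setdefault(bank, set()).add(severity(kind))
    by_band = Counter(severity(kind) for _, _, kind in incidents)
    return {
        "banks_total": len(banks),
        "banks_impacted": sum(1 for b in banks if per_bank[b] > 0),
        "banks_low_medium": sum(1 for b in banks if "low/medium" in bands_per_bank.get(b, ())),
        "banks_high_critical": sum(1 for b in banks if "high/critical" in bands_per_bank.get(b, ())),
        "incidents_total": len(incidents),
        "incidents_low_medium": by_band["low/medium"],
        "incidents_high_critical": by_band["high/critical"],
        "per_bank": dict(per_bank),
    }


def format_line(label, part, whole):
    """Render a counter in the page's own "part/whole [pct%]" style."""
    return f"{label}: {part}/{whole} [{round(100 * part / whole) if whole else 0}%]"
```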


Chart: incidents by country - orange bar shows incidents, blue bar shows number of banks
Ilia Kolochenko, High-Tech Bridge CEO, says: "The numbers we see are quite impressive, even though our research only covered publicly known security incidents and we didn't take into account the more common DDoS attacks or phishing campaigns, as they do not involve the security of web applications directly. The statistics confirm that even financial institutions should pay more attention to their web application security, not only to protect their customers but to maintain their digital reputation. The fact that there are few security incidents publicly exposed in 2013 does not necessarily confirm that web applications are becoming more secure. It's more about the new objectives of hackers: today they are not looking for glory but for profit, and therefore don't make any noise and compromise web systems without being noticed."

Marsel Nizamutdinov, High-Tech Bridge Chief Research Officer, adds: "If one wants to know whether his or her website has been compromised in the past, he or she can use ImmuniWeb® Hacking Resources Monitor, which performs a much more in-depth and large-scale test. Customers who have made use of the ImmuniWeb® Hacking Resources Monitor have been very surprised by the number and scope of compromises it has discovered."
