How Cyber Resilient Are The Top Online Banks?


This post was originally published here.

Booksellers and electronics retailers aren’t the only brick-and-mortar businesses challenged by the rise of highly agile, online-only competitors; traditional retail banking institutions also face stiff competition from Internet-based consumer banking upstarts. But are these born-in-the-cloud banks and financial services offerings safer than their traditional counterparts? Let’s take a look at the leading online banks to see if they’re equipped to handle today’s cyber threats.

According to recent numbers, 81% of those responsible for managing household finances have done so via the web in the previous 12 months, making up a whopping 69 million Americans who currently bank online. However, the numbers behind the banking industry’s digital renaissance aren’t all rosy adoption metrics: last year’s Bangladesh Central Bank heist would have surpassed $1 billion in stolen funds, if not for a hacker’s typo (they still managed to get away with $80 million).


Traditional banking institutions face a myriad of security challenges in digitizing their products and services, but how do online-only banks compare when it comes to cyber resilience? Does having a digital DNA from the outset result in more resilient online banking services? Let’s find out.

Online Banking Roundup

All of the following online-only retail banking firms lack physical branch locations and process transactions entirely online. A few, most notably Synchrony Bank, white label their consumer credit offerings to major brands like Amazon, Walmart, and Guitar Center, to name a few.

1. Goldman Sachs Bank – 836 out of 950


Referred to as GS Bank for short, this online-only consumer bank is a subsidiary of the century-old investment banking giant. How resilient are its efforts in transitioning from “Wall Street to Main Street”? An expiring SSL certificate and lack of DNSSEC are its only website perimeter security issues.

2. Synchrony Bank – 834 out of 950


You may not have heard of Synchrony Bank, but if you have an Amazon.com or Amazon Prime Store Card, you’re likely a banking customer of theirs. Despite its strong 834 CSTAR score, a handful of security issues like missing HTTP Strict Transport Security, server information leakage, and lack of DNSSEC could lead to a data breach.

3. Ally Bank – 836 out of 950


Utah-based Ally Bank offers a range of consumer banking products: savings, checking, money market, certificate of deposit (CD), and IRA CD accounts, all online-only.

Its good but less-than-perfect 836 CSTAR score is a result of several flaws in its website perimeter security: server information leakage, lack of HTTP Strict Transport Security, and missing DNSSEC.

4. GoBank – 808 out of 950


Prepaid debit card issuer Green Dot launched GoBank in 2013 as a mobile-only banking institution; everything from opening accounts and ordering debit cards to paying bills is done exclusively via its mobile app. Unfortunately, its website’s SSL certificate is cause for concern, to put it mildly.

[Screenshot: SSL certificate error on GoBank’s website]

Its mobile web presence m.gobank.com scores a strong 808 CSTAR rating, but falls short due to several security flaws including server information leakage, missing HttpOnly/Secure cookies, and disabled DNSSEC.

5. Radius Bank – 884 out of 950


Boston-based Radius Bank was founded in 1987 by the Massachusetts Carpenters Combined Pension and Annuity Funds, created by and for local union carpenters. The company recently transitioned to digital-only banking services, folding its 6 retail branches into 1 as part of its bank “virtualization” efforts. Security flaws such as lack of DMARC and missing DNSSEC mar its otherwise respectable 884 CSTAR score.

6. Bank of Internet USA – 789 out of 950


Founded in 1999, Bank of Internet USA was one of the first banks worldwide to offer Internet-only consumer deposit accounts and loans; in fact, the company holds the enviable title of the oldest Internet-only bank in the United States. Its 789 CSTAR score is a reflection of various security gaps: lack of HTTP Strict Transport Security, missing Secure cookies, and disabled DMARC/DNSSEC.

7. Simple – 880 out of 950


Like GoBank, Portland-based Simple offers online-only banking services that focus on mobile devices. The company is part of the STAR network and issues FDIC-insured checking accounts exclusively to U.S. citizens via its partnership with The Bancorp. The company scores a strong 880 CSTAR score, despite security flaws like missing DMARC and lack of DNSSEC.

8. BankPurely – 656 out of 950


In case you were wondering if there’s such a thing as green banking, this is (presumably) it: BankPurely’s online-only bank was “specifically crafted for ethical consumers with greater awareness about environmental and social issues.” Or in other words, digital banking saves trees. Its CSTAR score of 656 suffers due to server information leakage, missing Secure cookies, lack of DMARC/DNSSEC, and other flaws.
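The same handful of perimeter findings recurs across the entries above: a missing HTTP Strict Transport Security header, a Server or X-Powered-By header that leaks the software stack, session cookies set without the Secure and HttpOnly flags, no DMARC record, and a certificate about to expire. Each of those can be judged from a captured HTTP response, the TXT records at _dmarc.<domain>, and the certificate’s notAfter date. The following Python is an added example written for this article; it is not UpGuard’s CSTAR code or any bank’s, and it does not reproduce the CSTAR scoring. The HSTS max-age threshold, the 30-day certificate warning window, and all of the sample headers and records are constructed assumptions. DNSSEC is left out because validating it needs a live DNSSEC-aware resolver rather than a captured record.

```python
"""Offline checks for the website perimeter findings named in the roundup.

Added example, not UpGuard's CSTAR implementation. All inputs are constructed
so the checks run without network access: a dict of response headers, the TXT
strings published at _dmarc.<domain>, and a certificate expiry timestamp.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Assumed threshold: an HSTS max-age under ~6 months (15552000 s) is treated as weak.
MIN_HSTS_MAX_AGE = 15552000


def check_headers(headers: dict[str, list[str]]) -> list[str]:
    """Return findings from HTTP response headers (name -> list of values)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing HTTP Strict Transport Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short")

    # A Server or X-Powered-By value carrying a version number reveals the stack.
    for name in ("server", "x-powered-by"):
        for value in h.get(name, []):
            if re.search(r"\d", value):
                findings.append(f"server information leakage: {name}: {value}")

    # Each Set-Cookie line: "name=value; Attr; Attr=value; ..."
    for cookie in h.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} missing HttpOnly flag")
    return findings


def check_dmarc(txt_records: list[str]) -> list[str]:
    """Return findings from the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["missing DMARC record"]
    tags = {}
    for kv in dmarc[0].split(";"):
        key, _, value = kv.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "none") == "none":
        return ["DMARC policy is p=none (monitor only, no enforcement)"]
    return []


def check_certificate(not_after: datetime, now: datetime, warn_days: int = 30) -> list[str]:
    """Return findings from a certificate's notAfter timestamp."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return ["SSL certificate has expired"]
    if remaining <= timedelta(days=warn_days):
        return [f"SSL certificate expires in {remaining.days} days"]
    return []


def assess(headers, txt_records, not_after, now) -> list[str]:
    """Combine all checks into one list of findings for a site."""
    return check_headers(headers) + check_dmarc(txt_records) + check_certificate(not_after, now)


# Constructed sample data (not captured from any real bank).
NOW = datetime(2017, 2, 8, tzinfo=timezone.utc)
EXPIRING_SOON = NOW + timedelta(days=10)
EXPIRED = NOW - timedelta(days=1)
HEALTHY = NOW + timedelta(days=90)
WEAK_HEADERS = {
    "Server": ["Apache/2.4.29 (Ubuntu)"],
    "X-Powered-By": ["PHP/7.0"],
    "Set-Cookie": ["session=abc123; Path=/"],
}
HARDENED_HEADERS = {
    "Server": ["nginx"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
}
WEAK_DMARC: list[str] = []
HARDENED_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"]

if __name__ == "__main__":
    for label, hdrs, txt, exp in (("weak", WEAK_HEADERS, WEAK_DMARC, EXPIRING_SOON),
                                  ("hardened", HARDENED_HEADERS, HARDENED_DMARC, HEALTHY)):
        print(f"{label}: {assess(hdrs, txt, exp, NOW) or ['no findings']}")
```

Run with a real site by feeding it the headers from an HTTPS response, the TXT answers for `_dmarc.<domain>`, and the certificate’s notAfter value; the weak sample produces every finding the roundup names, the hardened sample none.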

Conclusion

In general, the leading online-only banking institutions have most of their bases covered in regards to cyber resilience and security fitness, though none were able to achieve an excellent CSTAR rating. Want to learn more about UpGuard’s CSTAR cyber resilience rating methodology? You can start by giving UpGuard’s risk grader web application and Chrome extension a free spin to instantly validate a website’s security posture.
