May 13, 2019, by Idan Cohen

Third-Party Impacts on Financial Websites: Insights and Data

Reflectiz has been active for the last couple of years in the cyber-security landscape, particularly in mitigating the risk of third-party web components. Our solution uses a machine-learning platform built on a proprietary browser with dedicated profiling and a unique analysis methodology. These capabilities allow us to scan the entire third-party inventory of any given website and analyze the data within.

This article was published for the forthcoming Vendor & Third-Party Risk Europe conference, taking place on June 18-19 in London, UK. Reflectiz is co-sponsoring the event. For more details: www.cefpro.com/vendor-risk

The Financial Website Risk Survey
For the upcoming 4th Annual Vendor & Third-Party Risk Europe conference, Reflectiz scanned more than 1,500 websites, including the top financial websites worldwide, particularly those of banks and credit card companies. The data collection aimed to discover abnormalities and suspicious actions that affect the supply chain and eventually create privacy and security risks.


Third-Party Risks Findings

The raw data will remain confidential, but the findings themselves give an interesting overview of the number of vulnerabilities and of the risks that third, fourth and even fifth parties present.

Our research team focused on several kinds of behavior: keylogging, device activation, the presence of unfamiliar external parties, and the extensive use of open-source code by internal development teams.

Third-party actions board sample, taken from one of the surveyed websites.
Source: Reflectiz third-party risk scan results, April 2019

What have we discovered so far?

To start with, the average number of external parties was higher than predicted, especially fourth parties and beyond. Our findings indicate that the average website loads more than 50 different third-party vendor components. Overall, the most striking trend is the growing set of permissions granted to external components.

Source: Reflectiz 2016-2019


Abnormalities and semi-malicious activities

These include any suspicious behavior a third party generates. In some cases the occurrence is innocent, but, as we all know, the risk is always there.

Keylogging user input fields

Keylogging: more than 80% of the sites surveyed presented at least one keylogging event, and 30% had more than three keylogging instances running persistently. The highest number of keylogging events spotted on a single site was six.
In this context a keylogging event is a third-party script registering a keystroke or input listener on a form field. Vendors use this to monitor visitor behavior, but the same hook gives the vendor access to whatever the visitor types, including credentials and card numbers, and because the script runs in the page's own origin the browser cannot tell a legitimate use from exfiltration. This usually happens with no monitoring capability or awareness on the part of the website itself.
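As an added example (not Reflectiz's scanner and not code from the original post), the kind of in-page check that surfaces such keylogging events: hook addEventListener before any vendor tag loads, and record which script origin registers keystroke or input listeners on form fields. The first-party origin https://bank.example and the simulated input element are assumptions so the example runs offline under Node (EventTarget is a global there); in a browser you would pass EventTarget.prototype and your real origin.

```javascript
// Added example: attribute keystroke listeners on input fields to the script that
// registered them. Not Reflectiz code; origins and the fake element are made up.

const KEYSTROKE_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'change', 'paste']);
const SENSITIVE_TAGS = new Set(['INPUT', 'TEXTAREA']);

// Records of the form { event, field, origin }.
const keyloggerLog = [];

// Is the listener target a user input field (or something that sees every keystroke)?
function isSensitiveTarget(target) {
  if (!target) return false;
  if (SENSITIVE_TAGS.has(target.tagName) || target.isContentEditable) return true;
  // A keydown listener on document or window receives every keystroke on the page.
  const doc = globalThis.document;
  const win = globalThis.window;
  return (doc !== undefined && target === doc) || (win !== undefined && target === win);
}

// Pick the first script URL in a stack trace that is not the first party.
// Browser stack frames look like "at fn (https://cdn.vendor.example/tag.js:12:3)".
function originFromStack(stack, firstPartyOrigin) {
  const urls = stack.match(/https?:\/\/[^/\s)]+/g) || [];
  for (const u of urls) {
    if (u !== firstPartyOrigin) return u;
  }
  return urls.length ? 'first-party' : 'unknown';
}

// Wrap addEventListener on the given prototype; returns a function that undoes the hook.
function installKeystrokeMonitor(proto, firstPartyOrigin, log = keyloggerLog) {
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (KEYSTROKE_EVENTS.has(type) && isSensitiveTarget(this)) {
      const stack = new Error().stack || '';
      log.push({
        event: type,
        field: this.name || this.id || this.tagName || 'document',
        origin: originFromStack(stack, firstPartyOrigin),
      });
    }
    return original.call(this, type, listener, options);
  };
  return () => { proto.addEventListener = original; };
}

// Count input listeners per registering origin; the report a site owner would review.
function summarize(log) {
  const byOrigin = {};
  for (const rec of log) {
    byOrigin[rec.origin] = (byOrigin[rec.origin] || 0) + 1;
  }
  return byOrigin;
}

// Offline demo with a constructed "element": a plain EventTarget given an INPUT tagName.
function demo() {
  class FakeInput extends EventTarget {
    constructor(name) { super(); this.tagName = 'INPUT'; this.name = name; }
  }
  const log = [];
  const uninstall = installKeystrokeMonitor(EventTarget.prototype, 'https://bank.example', log);
  const card = new FakeInput('cardNumber');
  card.addEventListener('keydown', () => {}); // flagged: keystroke listener on a field
  card.addEventListener('focus', () => {});   // ignored: not a keystroke event
  uninstall();
  return log;
}
```

Ship the log to your own endpoint (navigator.sendBeacon is enough) rather than keeping it in the page. Scripts can also attach handlers through the onkeydown property or simply read field values on submit, so this hook catches the common pattern, not every one; the hook must also run before any third-party tag executes.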

Third-party device activation

The most commonly activated device capabilities are GPS (geolocation), the microphone and the camera.
According to our estimates, at least 30% of these device activations are not specifically mentioned in the site's terms of service or privacy policy.

Geolocation activation was found on 18% of the sites. Its use keeps growing as demand for location services rises, but it has to be handled carefully.

Microphones are widely used for voice search, voice recognition and enhanced user experience. Typically these actions are triggered by the end user, not by an external party. Our findings indicate that 8% of the websites use this capability. Our research team expects the growing demand for voice recognition tools to increase the use of third-party microphone components. Given the sensitivity of voice data, financial websites should take extra security precautions to protect themselves and their users from malicious behavior.

Cameras are rarely activated by external parties; according to our findings this occurred on only 5% of the sites. By default a website script, including any third party within it, cannot activate the camera without the user's explicit approval: the browser shows a permission prompt and the camera is activated only if the user accepts (modern browsers apply the same prompt to the microphone and to geolocation, and only on HTTPS pages). The caveat is that the grant is tied to the site's origin, not to the script that asked for it. A third-party script included with a script tag runs as the site itself, so the browser cannot tell the vendor's code from the site's own, and a permission the user gives to the site is available to every script running in it.

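As an added example (not part of the original post and not Reflectiz code), the server-side control that limits where device capabilities are usable: generating the Permissions-Policy response header (the successor of the Feature-Policy header that browsers honored in 2019) and the matching iframe allow attribute from one allowlist. The origins maps.example and widget.example are assumptions. Note that this header cannot distinguish a third-party script tag from first-party code; it only draws a boundary at the frame level, so a vendor feature that genuinely needs the camera or microphone should be embedded in an iframe served from the vendor's origin and allowed explicitly there.

```javascript
// Added example: default-deny device features, open only what the site needs, and emit
// both the HTTP header and the iframe attribute with correct syntax. Origins are made up.

const DEVICE_FEATURES = ['camera', 'microphone', 'geolocation'];

// An allowlist entry is 'self', '*', or a bare https origin (no path, query or fragment).
function checkOrigin(entry) {
  if (entry === 'self' || entry === '*') return entry;
  let url;
  try { url = new URL(entry); } catch { throw new Error(`not a URL: ${entry}`); }
  if (url.protocol !== 'https:' || url.pathname !== '/' || url.search || url.hash) {
    throw new Error(`allowlist entries must be bare https origins: ${entry}`);
  }
  return url.origin;
}

// policy: { feature: [entries] }. An empty list means nobody, not even the page itself.
// Header syntax: camera=(), microphone=(self), geolocation=(self "https://maps.example")
function permissionsPolicyHeader(policy) {
  return Object.entries(policy).map(([feature, list]) => {
    const items = list.map(checkOrigin);
    if (items.includes('*')) return `${feature}=*`;
    const body = items.map(o => (o === 'self' ? 'self' : `"${o}"`)).join(' ');
    return `${feature}=(${body})`;
  }).join(', ');
}

// The iframe attribute uses a different grammar:
// allow="camera 'none'; geolocation 'self' https://maps.example"
function iframeAllowAttribute(policy) {
  return Object.entries(policy).map(([feature, list]) => {
    const items = list.map(checkOrigin);
    if (items.length === 0) return `${feature} 'none'`;
    if (items.includes('*')) return `${feature} *`;
    return `${feature} ${items.map(o => (o === 'self' ? "'self'" : o)).join(' ')}`;
  }).join('; ');
}

// Start from "no device feature for anyone" and apply explicit exceptions.
function devicePolicy(overrides = {}) {
  const policy = {};
  for (const f of DEVICE_FEATURES) policy[f] = overrides[f] || [];
  return policy;
}

// A bank page that uses its own location feature and a (hypothetical) branch-finder map,
// and never the camera or microphone, whichever vendor script is on the page.
const BANK_POLICY = devicePolicy({ geolocation: ['self', 'https://maps.example'] });
console.log('Permissions-Policy: ' + permissionsPolicyHeader(BANK_POLICY));
console.log('<iframe allow="' + iframeAllowAttribute(BANK_POLICY) + '" src="https://widget.example/">');
```

Send the header on every HTML response. In Chromium, document.featurePolicy.allowsFeature('camera') in the console reports whether the effective policy lets the current document use the camera, which is a quick way to confirm the header took effect.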

So far we have presented only a small fraction of the insights collected by our scan platform. We look forward to meeting you and sharing more insights at the 4th Annual Vendor & Third-Party Risk Europe conference.


April 23, 2019, by Raanan Azoulai

Reflectiz will be co-sponsoring the 4th Annual Vendor & Third Party Risk Europe, June 18-19, 2019

We are happy to announce that Reflectiz will be one of the co-sponsors of the 4th Annual Vendor & Third-Party Risk Europe 2019.
The event will take place in London on June 18th and 19th.
Our CEO, Idan Cohen, will join the reporting panel discussion "Effective measurement and reporting of risks to provide comprehensive enterprise-wide analysis".


For more details visit: https://www.cefpro.com/vendor-risk

or contact us: info@reflectiz.com

April 21, 2019, by Reflectiz Team

What really happens when your accessibility extension becomes an immediate suspect that is threatening your site?

In early April a group of cyber-security researchers issued a warning about a third-party accessibility add-on called "Negishim". The warning referred to a series of suspicious actions allegedly performed by "Negishim" and to the vague identity of the vendor offering it. The message between the lines was clear: terror organizations might be using this third-party accessibility extension as a spying tool.

The “Negishim” red flag

Besides functioning as an accessibility component, "Negishim" was also collecting users' browser fingerprints. This, together with the fact that the identity of the "Negishim" operators remained unknown, was indeed alarming. A red flag was raised. Since many Israeli sites had already deployed "Negishim", the recommendation was simple: "Remove!"

Is it legitimate data collection, and who's behind it?

"Negishim" had a twofold problem. First, the entity providing the accessibility tools was unidentified and offered no contact information. Second, the data collection: it did seem alarming that an unknown Israeli entity was letting any site embed third-party code that is granted permission to do anything on that site. Thanks to our cooperation with the National CERT, we managed to clear Negishim from suspicion and confirm that its operators are legitimate. However, we still wanted to check whether information was taken and, if so, what data was taken.

How does it work?

"Negishim" is an accessibility tool, built to help sites comply with accessibility regulations. Behind the scenes, however, it uses a library named fingerprintjs2. For those who are interested, this is an open-source library hosted on GitHub at https://github.com/Valve/fingerprintjs2. It is important to note that this is not a malicious source but a perfectly valid library, one that runs multiple tests on the user's browser purely in order to identify it.

Indeed, the tool was able to gather large amounts of information about the end user's computer and browser, using whatever properties the browser exposes. The stated purpose, among other things, is to help widely used accessibility components work better.

Technology through the looking glass

On deeper inspection, although a large amount of data was collected, the only piece of information delivered back to "Negishim" was a general signature (a hash) of all the collected components. This was performed by the following function:

In other words, the actual information was not delivered to an external party; the only thing sent was a "general signature", one designed to identify the user's machine in a stable way. Note that this signature changes as a result of any minor change on the end user's computer, and even assuming offensive intent, the user's machine details cannot be recovered from it, since a hash is a one-way identifier. It is, however, still a stable identifier for as long as the configuration stays constant, so it can recognize a returning visitor or correlate visits across sites that use the same vendor; that is a privacy consideration in its own right, even when no raw details leave the browser.
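As an added example (not the function from the post and not fingerprintjs2's own code), the mechanism being described: an ordered list of browser components is serialized and reduced to a single hash, and only that hash is sent. fingerprintjs2 reduces its components with a MurmurHash3 x64 128-bit routine; FNV-1a 64-bit is used here as a stand-in so the example runs anywhere without dependencies. The component values below are a constructed sample, and the two payload functions show how little separates "send the signature" from "send everything", which is the point made later about the operator's choice.

```javascript
// Added example: fingerprint components -> one-way signature. Not fingerprintjs2 code;
// FNV-1a stands in for its MurmurHash routine, and the sample values are made up.

// FNV-1a, 64-bit, returned as 16 hex characters. Deterministic and not reversible.
function fnv1a64(str) {
  let h = 0xcbf29ce484222325n;
  const prime = 0x100000001b3n;
  for (let i = 0; i < str.length; i++) {
    h ^= BigInt(str.charCodeAt(i));
    h = (h * prime) & 0xffffffffffffffffn;
  }
  return h.toString(16).padStart(16, '0');
}

// What a fingerprinting library gathers: named values in a fixed order, read from the
// browser. nav and screenInfo are passed in so this runs without a real browser.
function collectComponents(nav, screenInfo) {
  return [
    { key: 'userAgent', value: nav.userAgent },
    { key: 'language', value: nav.language },
    { key: 'hardwareConcurrency', value: String(nav.hardwareConcurrency) },
    { key: 'resolution', value: `${screenInfo.width}x${screenInfo.height}` },
    { key: 'timezoneOffset', value: String(screenInfo.timezoneOffset) },
  ];
}

// Join the values with a separator and hash the result: any change in any component
// yields a different signature, but the signature reveals none of the values.
function fingerprintHash(components) {
  return fnv1a64(components.map(c => c.value).join('~~~'));
}

// The beacon described in the post: only the signature leaves the browser.
function signaturePayload(components) {
  return { fp: fingerprintHash(components) };
}

// The alternative the same script could send at any time with a one-line change,
// and nothing on the site's side would tell the two requests apart.
function rawPayload(components) {
  return Object.fromEntries(components.map(c => [c.key, c.value]));
}

// Constructed sample input.
const SAMPLE_NAV = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/66.0',
  language: 'en-US',
  hardwareConcurrency: 8,
};
const SAMPLE_SCREEN = { width: 1920, height: 1080, timezoneOffset: -120 };

const components = collectComponents(SAMPLE_NAV, SAMPLE_SCREEN);
console.log(JSON.stringify(signaturePayload(components)));
console.log(JSON.stringify(rawPayload(components)));
```

Run in a browser by replacing the sample objects with navigator and screen plus new Date().getTimezoneOffset(). The signature is what makes the fingerprint useful as a tracking key: it is stable across visits until something in the list changes.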

Side notes

The "Negishim" warning demonstrates how vulnerable these components can make a site. Like any third party, "Negishim" was granted permission to manipulate the site. Third-party code is, by definition, entirely controlled by an external vendor or entity: it can be changed and modified while site administrators and security personnel know nothing about it. A third-party script can do anything, including fingerprinting, keylogging and data theft. Once it is there and without proper control, site owners are helpless and exposed.

In our view, no significant leak of user information occurred, nor was any data affecting user privacy leaked. In this case the entity behind the extension was determined to be legitimate, and accordingly, in our professional judgment, the accessibility tool itself is also legitimate. However, it would be entirely acceptable for sites to choose not to send this information.

We should also note that it was the "Negishim" operators' own choice to send only the hash rather than all the details. In exactly the same way, that choice could be reversed at their discretion, and such a change could easily be made without the supervision or knowledge of any site in which Negishim is installed.

We would like to thank the information security researchers, who examined the case and put the issue on the agenda for further inspection and deeper control.

March 3, 2019, by Idan Cohen

Defacement Attack by Anonymous through malicious intervention in websites supply chain

Supply Chain Attacks: Third Party Domino Effect

On March 2nd a severe defacement attack hit dozens of Israel's leading sites, leaving them with a new featured headline: "Jerusalem is the capital of Palestine". The long list of affected websites included Ynet, Calcalist, Ivrit, Makor Rishon and dozens of others that suffered identical web-page damage.

July 25, 2018, by Raanan Azoulai

Why Website Owners Should Care About Third-Party Apps and Services?

Every website owner knows that third-party tools can be a fantastic asset to their site, making it more interactive, more dynamic and better connected. These tools can also play an important part in a website's revenue stream. This is why the average website today is likely to have over 100 third-party apps on it, in the form of interactive bots, user-engagement widgets, cloud storage providers, social media buttons, trackers, analytics tools, advertisements, and more.

Risks of Using Third-Party Apps, Services, and Tools

However, these same tools carry major risks to your website's performance, privacy and security. When embedding third-party scripts in their sites, companies, online publishers and digital media outlets may well run multiple checks on them. But it is important to be aware that even after the best and most careful tests, third-party services can change and evolve without any permission from your website, which can be a massive blind spot in the security of your enterprise. This lack of control can have real and serious consequences for all of your software and data.

3rd Party Security Threats and Cyber-Attacks

Security flaws in scripts provided by third-party services can open the door to cyberattacks, giving attackers the chance to reach your most sensitive data. In fact, 63% of data breaches are a direct result of bad outsourcing decisions made by companies.
On top of this, not all companies are aware that most third parties use other third parties themselves and bring them onto your website, which means that one breach of security can all too easily lead to another further down the chain.

Privacy and GDPR Concerns and Third Party Technologies

Since May 25, 2018, the EU's General Data Protection Regulation (GDPR) has been in force to protect people's personal data. It holds organizations accountable for data breaches caused by a third party processing data on their behalf, with fines of up to 4% of the company's global annual turnover or €20 million, whichever is greater. Whenever third-party services collect data on an end user there is a risk of a privacy breach, so it is your company's responsibility to monitor all such activity and make sure you are protected.

Website Performance Issues and Third Parties

Embedding third-party scripts is also a major cause of website slowdown.
Even tools that promise to be "just one line" of script can slow your site down by more than 25%, which may offset the reasons for wanting the tool in the first place. The browser works so hard loading third-party content that the basic content of the site, which is what the user actually wants, reaches the screen with a significant delay. Even though many companies and website owners are fully aware of the dangers of third-party scripts, very few have the resources to fight these risks. It is important for organizations to keep checking and reassessing their programs, because third-party technologies are unpredictable as they evolve over time, and as a site owner you receive no notice when these changes happen.

So, what can you do to tackle these risks and keep your company from becoming a statistic? How Reflectiz can help

Digital technology intelligence company Reflectiz helps companies stay safely in control of their websites, digital services and online assets. While there are already solutions on the market that scan activity on web pages, Reflectiz takes a bigger-picture scan of the whole site. This way it can find out everything that happens, including third-party activity, and bring you clear aggregated results.

Everything You Need to Know About Your Third-Party Apps. No Download or Exhausting Installation Needed!

Trying to integrate more systems and software to fix certain issues often ends up creating even more problems. Reflectiz offers a seamless, user-friendly integration that needs no tricky installation. It works by simulating browser behavior and linking every action to its relevant technology source, so companies get clear results of exactly what is happening on their site and how the technologies they use affect their clients' experience.

Bottom Line

In short, third-party scripts are putting your website in real danger. Reflectiz offers a way to gain full control over your performance and security issues, privacy concerns, UX effects, integration processes, and more. And all of this can be done effortlessly, without any intrusive integration or download.

The world has never been more connected – and it’s time to take full control of the advantages without being afraid of the risks!

For more details, please contact us now: info@reflectiz.com

June 5, 2018, by Gregory Rosenbaum

The Hidden Life of the Your Web Browser – Visual Upkeep

Let's imagine for a second that you're writing a technology meant to be integrated with another web application. You might believe you have total control over your technology's performance.

November 8, 2017, by Idan Cohen

REFLECTIZ’s Performance Module Helps Address Severe Issues on Major Websites

While most websites monitor their third-party technologies for load speed, most don't realize that in addition to the regular load time, many applications also run an initialization phase, a "boot action", after loading. These actions usually complete after the page is displayed to the user but before it is usable, and can cause severe lag and a bad user experience.

In one of our recent regular scans of top sites worldwide,

September 20, 2016, by Idan Cohen

Did you hear how Ad-Blocker Plus is increasing their revenue? By selling Ads!

Yes, you heard right. The monopoly ad-blocking company, Ad-Blocker Plus, has decided to offer a surprising new service: ads. It allows publishers to advertise through the Ad-Blocker Plus ad exchange, which follows the "Acceptable Ads" program, and get whitelisted by the add-on. The revenue model offered is 80% to the publisher and 20% to Ad-Blocker Plus and the other companies involved in the market.
