Experts say most banks’ online- and mobile-banking platforms are unlikely to be vulnerable to attacks that exploit the Bash flaws known as Shellshock. But they say vulnerability scanning and customer education will be critical as institutions work to ensure they find and eradicate all Shellshock flaws.
Banking regulators also have warned of possible fraud that could be linked to any number of Bash exploits, and say banking institutions must regard every Shellshock vulnerability as a serious threat. Banks and credit unions should have automated scanning in place to detect overlooked vulnerabilities that may exist in legacy code, and start patching Bash-using systems immediately.
“Automated scanning tools can also be configured to check the version of Bash installed on the bank’s systems and alert on any vulnerable versions they find, regardless of whether the Shellshock vulnerability is exposed via the Web server,” said Don Jackson, director of threat intelligence for online security firm PhishLabs.
Neira Jones, an independent cybercrime and payments fraud adviser, says that in addition to working closely with security and network vendors, banking institutions should educate their customers about risks related to Shellshock.