Skip to main content

Debunking the web application attack surface for Credit Unions

Nicolas Renard and Stephane Konarkowski, Security Consultant Outpost24
Financial services are big targets for cybercrime. As the world shifts from physical to online, credit unions are doubling down on web applications to improve access and ensure vital financial services for their members. But with that comes greater security risks. In this benchmark study, we analyze the Top US Credit Unions with our attack surface analysis tool to highlight security weaknesses they should watch out for.
Web Application Security for Credit Unions

According to research, financial services organizations are 300 times more likely than other companies to be hit by cyberattacks. As cyber risk increases and hackers become more sophisticated it’s important for all credit unions, large or small, to demonstrate a robust cybersecurity risk management process and protect public-facing web services.

Credit Unions have a responsibility to secure their businesses from cybercriminals for their members, regulators, and customers to ensure risk is minimized and data breach is prevented at all levels. The result of the study highlights the most common attack vectors through aggregated risk scoring, enabling security professionals to take the right steps to mitigate the most imminent application security threats affecting their financial services operations and compliance status.

As we demonstrated in a similar study for Retail & Ecommerce last year, we used our unique web application attack surface tool Scout to unearth the digital footprint and potential application security exposure for the Top 10 U.S. Credit Unions by Assets** – from a list compiled by Segmint.

Key report findings:

  • Average attack surface score is 16.39 vs Retailers in our 2020 research at 48.29* (out of 58.24)
  • Top 10 US Credit Unions run 1,224 applications over 107 domains, with 3.76% of them considered as suspicious (e.g. test environment) and 10.13% of them running on old components that contain known vulnerabilities
  • Active Content Technologies (70.4), followed by Authentication (23.2) and Page Creation Method (22.1) are the top three attack vectors identified across Top 10 Credit Unions
  • On average, they have 17.4 open port 80, which can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules



Are Credit Unions as secure as we think?

Using our multi-layered attack surface discovery model, the answer is yes but caution remains. Compared to the Top 10 retailers from our 2020 attack surface study we found the Top 10 Credit Unions have a lower web application attack surface score at 16.39 vs online retailers at 48.29 out of a total score of 58.24, meaning their application attack surfaces are smaller, and they are less likely to fall victim to security issues that can lead to malicious cyber-attack and data breach.


Average risk score retail comparison


This is likely because of the highly regulated business model Credit Unions operate in. Under NCUA and FFIEC guidelines, they must demonstrate a standard level of security hygiene to protect the company assets and customer data against cybercriminals. Regulations require Credit Unions to conduct regular penetration testing carried out by a competent specialist third party, and check adequate firewalls and ensure vulnerabilities are identified, analyzed, and patched within an agreed timeframe. However, our research showed the worst offender from the Top 10 Credit Unions returned a disproportionally higher attack surface score of 34.08, outweighing everyone else on the list and showing greater disparity in the security posture between Credit Unions.


us credit unions


With the average cost of a US data breach at $8.64m and members' money at stake, it’s unfathomable what the true cost would be if a web application breach occurred to one of the Credit Unions. In our study of the Top 10 Credit Unions, we found 1,224 publicly exposed web applications running over 107 domains, with 3.76% of them considered as suspect and 10.13% of them running on old components containing known vulnerabilities. ‘Suspects’ are often test environments that have been left online, intentionally or unintentionally, providing a potential backdoor for hackers to access the production database of a web application; using vulnerable components and servers also put Credit Unions in great danger as out of date systems can be easily spotted by hackers during reconnaissance and used for potential exploits.


Top attack vectors for Credit Unions

Our risk score (1-100) here is calculated by evaluating the Top 10 US Credit Unions’ internet exposed web applications against the seven most common attack vectors that hackers use during reconnaissance:

  1. Security mechanism (SM)
  2. Page creation method (PCM)
  3. Degree of distribution (DOD)
  4. Authentication (AUTH)
  5. Input vectors (IV)
  6. Active contents (ACT)
  7. Cookies (CS)


top 10 US Credit Unions


1. Active Content (70.4)

In first place, it’s no big surprise to see Active Content Technologies (ACT) as the biggest scorer. As soon as an application runs scripts, the attack surface could increase if a website has been developed using multiple active content technologies, some more vulnerable than others, to build and create their applications. A script can be a sequence of system commands to scripting languages used for system configurations in the form of VBScript, Javascript, and PowerShell. As Credit Unions undergo digital transformation to enhance the customer experience, reliance on third-party scripts to track the customer journey and monitor transactions may increase, giving hackers the opportunity to inject malicious scripts into your website and tamper with transactions or steal sensitive customer data. With such large volumes of assets and financial information at stake, continuous application security scanning should be made a top priority for Credit Unions, with ad hoc penetration testing becoming inadequate to identify real-time security issues, leading to delays in detection and remediation.



2. Authentication (23.2)

We’ve all seen the dangers of having insufficient authentication on web services – with insurance provider First American Financial Corporation accidentally exposing 885 million records without authentication with a web browser – seems like security 101 right? Well, it can go wrong as this breach proved. Authentication is essential for robust application security as it protects and verifies the identity of an individual accessing your application, which is critical to security monitoring of your application and keeps adversaries away from your crown jewels using restricted user levels set up by the administrator. Whilst this wasn’t the highest-scoring risk of our analysis it does require attention to ensure adequate authentication is in place.



3. Page Creation Method (22.1)

This relates to how the application has been built and identifies pages built on the server side. If undetected in the early stages of DevOps, vulnerabilities from insecure code or outdated versions increase the risks of hacking where an adversary can inject malicious script in the application URL, in order to be interpreted by the server and perform SQL injection or cross site scripting attacks. This type of vulnerability in the application code could allow cybercriminals into the Credit Union's back end to hijack and extrapolate information from databases and sell on to the Dark Web. Again, the 2 worst offenders from the Top 10 list scored significantly higher than the rest showing great discrepancy between the Credit Unions security hygiene standard.

In this attack surface spider map for the Top 10 US Credit Unions, you can see the average weightings of all attack vectors from our research (aggregated scoring), enabling credit union security professionals to have greater visibility on where the immediate threats are from cyber criminals, as an industry benchmark, so they can allocate resources accordingly and in a timely manner. Individual scoring available on request here.


attack vectors affecting credit unions


Other notable attack vector - open ports

Other common issues detected include usage of HTTP port 80 rather than the more secure HTTPS port 443. It’s no surprise to see the use of open ports to connect services to the internet, however a study has revealed 60% of breached organizations had 10 or more ports susceptible to unauthorized use – showing a correlation between the number of open ports an organization has and their likelihood to experience a data breach. With an average of 17.4 open port 80 each among the Top 10 Credit Unions (the worst offender had a whopping 46!), it’s important for security teams to identify open ports and close down those not in use or install firewalls on hosts to monitor and filter port traffic to prevent any security issues from creeping in. 

open port vulnerability

Best practice for securing your web applications

Our innovative Scout tool and a full suite of application security testing tools use the latest technology to find where you’re weakest from the hackers perspective and gives you the insights to stay ahead of the threats and prevent potential exploits. This enables security folks to take a more proactive approach to application security with expert findings to easily locate security issues in critical applications, even those you didn’t know existed – which can often turn into the prime targets if left unchecked. As cybersecurity budgets are stretched to cope with other operational security controls, we can help you spend this more wisely and advise on the best approach for securing your applications and protecting your operations from harmful data breach.



Request your full web app assessment




Our analysis of the Top 10 Credit Unions web application attack surface was conducted in 2021 and is based on the Top 10 as identified in the segmint list of the Largest US Credit Unions by Assets. All information collected and scanned are available from the public domain. At no point unauthorized access was used. All data is presented in an aggregated manner to ensure the performance and scoring of individual credit union remain anonymous. The report is used to provide a spotlight on the areas that could lead to potential security vulnerabilities and exposure (not a full vulnerability report), providing actionable insights to the industry on how to effectively monitor and score your application attack surface for effective remediation.

*the retail study score is translated based on proportional calculation of the previous version Outpost24 AS scoring model to the new version in 2021
**credit unions benchmarked in this study include (in no particular order): Navy Federal, State Employees, Pentagon, Boeing Employees, Schools First, First Technology, The Golden 1, Alliant, America First, Sun Coast 

Looking for anything in particular?

Type your search word here