
Banking

🔎 Major Findings Across Sectors

  • co-operativebank.co.uk was the standout performer in the sector, despite the major banks' need to protect PII and customer transactions.
  • Some of the major high street banks were overly reliant on MFA, using two-factor authentication methods alone to enforce login. This can potentially make these sites vulnerable to site cloning and other “man in the middle” attacks, which gain access to the multifactor token or device directly.


⚠️ Threats & Weaknesses

  • The weaker banks mostly showed exposure to account take-over attacks, which could lead to a major breach and compromised accounts in the event of a breach in the multi-factor authentication method. Typically these attacks use social engineering, sometimes with GenAI techniques, or site cloning to gain access to the token or device used to authenticate the login. Once the login token is compromised, automated agents log in to the banking portal with the compromised account and the correct credentials. Over-reliance on MFA alone in this way can lead to data breaches.

  • On the worst performing domains, automated bots were able to scan, map, and interact with authentication services without encountering rate limits, anomaly detection, or session validation controls. Infiltration rates reached up to 95% on some domains, confirming a near-total absence of active defensive interception.

  • On many sites, no behavioural response to bot-generated input or repeated access attempts was detected. Although all sites had Web Application Firewalls (WAFs) deployed, our simulations were able to complete reconnaissance and interaction phases without challenge - highlighting the limitations of legacy, perimeter-centric defence strategies.
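
The three controls named above as missing (rate limits, anomaly detection, session validation) can be sketched as server-side checks over login events. This is an added example, not part of the original assessment or of VerifiedThreat's tooling; the event format, thresholds, reason labels and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 60       # sliding window in seconds (assumed policy value)
MAX_ATTEMPTS = 5    # login POSTs allowed per source per window (assumed)
MAX_ACCOUNTS = 3    # distinct usernames per source per window (assumed)

def review(events):
    """Return (timestamp, source, reason) for each login POST that should be challenged."""
    recent = defaultdict(deque)   # source -> (timestamp, username) of recent login POSTs
    issued = set()                # session ids the server handed out on GET /login
    findings = []
    for ts, src, method, path, session, user in sorted(events, key=lambda e: e[0]):
        if path != "/login":
            continue
        if method == "GET":
            issued.add(session)
            continue
        attempts = recent[src]
        attempts.append((ts, user))
        while ts - attempts[0][0] >= WINDOW_S:   # drop attempts older than the window
            attempts.popleft()
        if session not in issued:                # session validation
            findings.append((ts, src, "session-not-issued"))
        if len(attempts) > MAX_ATTEMPTS:         # rate limit
            findings.append((ts, src, "rate-limit"))
        if len({u for _, u in attempts}) > MAX_ACCOUNTS:   # anomaly: many accounts, one source
            findings.append((ts, src, "many-accounts"))
    return findings

# Constructed sample events: (unix_seconds, source, method, path, session_id, username)
SAMPLE = [
    (0, "198.51.100.7", "GET", "/login", "s1", ""),
    (12, "198.51.100.7", "POST", "/login", "s1", "alice"),
] + [(100 + i, "192.0.2.10", "POST", "/login", "forged", f"user{i}") for i in range(8)]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The single interactive login produces no findings, while the scripted burst from one source trips all three checks. These checks sit behind the WAF, in the authentication service itself, and apply whether or not the MFA step succeeds.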

🔓 Unlocking Results

VerifiedThreat assessments highlight which organisations:

  • ✅ Have robust, resilient defences

  • ⚠️ Are at risk of automation and bot-based exploitation

  • 🚨 Face critical vulnerabilities if left unchecked

💡 Why This Matters

Understanding sector dynamics allows businesses to:

  • Benchmark against industry peers

  • Prioritise investment in external defence

  • Strengthen customer trust by closing exposure gaps

  
URL                     | Company                | Protection % | Rating
------------------------|------------------------|--------------|----------
co-operativebank.co.uk  | Coventry Building Soc. | 100%         | Excellent
natwest.com             | NatWest Bank           | 70%          | Par
santander.co.uk         | Santander UK           | 70%          | Par
nationwide.co.uk        | Nationwide             | Unlock       | Unlock
lloydsbank.co.uk        | Lloyds Bank            | Unlock       | Unlock
barclaycard.co.uk       | Barclays Bank plc      | Unlock       | Unlock
virginmoney.com         | Virgin Money           | Unlock       | Unlock
tsb.co.uk               | TSB Bank               | Unlock       | Unlock
capitalone.co.uk        | Capital One            | Unlock       | Unlock
halifax.co.uk           | Lloyds Bank            | Unlock       | Unlock