Attackers can access personal data and other sensitive information from virtually every online bank, according to a Thursday report from Positive Technologies.

Most online banks contain critical vulnerabilities that could wreak major havoc if exploited, the report found. More than half (54%) of online banks allowed fraudulent transactions and theft of funds, and all had threats of unauthorized access to client and company information such as account statements and payment orders.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

Some 77% of online banks had security flaws in their two-factor authentication methods. In some cases, vulnerabilities allowed attackers to hack into the bank’s corporate network, the report found.

Much of this information ends up on the Dark Web. The average cost of an online bank user’s data on the Dark Web is just $22, according to the report–a low price tag for a major disruption to a professional or consumer’s life.

Some of these security issues stem from banks not using one-time passwords for authentication, or allowing old passwords, which are more likely to be compromised, Positive Technologies cybersecurity resilience lead Leigh-Anne Galloway said in a press release. These issues are likely due to banks wanting to remain secure, but user-friendly, she added.

“Foregoing security measures in favor of customer convenience increases the risk of fraud,” Galloway said in the release. “If there’s no need to confirm a transaction with a one-time password, the attacker no longer requires access to the victim’s smartphone, and an old password increases the chances of it being brute forced. With no limit applied to it, a one-time password of four symbols can be cracked within two minutes.”

For more information on how to avoid top malware threats, including those found in banking apps, check out this TechRepublic story.