Security flaws in mobile banking apps identified by researcher

Out-Law News | 13 Jan 2014 | 4:59 pm | 2 min. read

A researcher has identified a range of security vulnerabilities in mobile banking applications which could be used by hackers to steal money from customers.

Ariel Sanchez used Apple iPad or iPhone devices to test 40 mobile banking apps operated by some of the world's biggest financial institutions. Among the findings, Sanchez said that some of the apps left "sensitive information" exposed and that log-in systems for others were not as robust as they could be. Sanchez notified some banks about the vulnerabilities identified in the research.

"70% of the apps did not have any alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks," Sanchez said in a blog.

"Most of the logs files generated by the apps, such as crash reports, exposed sensitive information. This information could be leaked and help attackers to find and develop [zero] day exploits with the intention of targeting users of the application," the researcher added.

Zero day attacks are where hackers exploit a previously unknown weakness in systems.

Sanchez said that a fifth of all the apps tested failed to encrypt "activation codes" when they were communicated from the device to the bank's server.

"If an attacker intercepts the traffic he could hijack a session and steal the victim’s account without any notification or evidence to detect the attack," Sanchez said.

Sanchez also said that hackers may be able to exploit other weaknesses in security to gain access to bank systems and deploy malicious software. This could cause "a massive infection for all of the application’s users".

Sanchez further warned that a failure to encrypt other data stored by some of the apps raised the potential for that data to be accessed by hackers.

"After taking a close look at the file system of each app, some of them used an unencrypted ... database and stored sensitive information, such as details of customer’s banking account and transaction history," Sanchez said. "An attacker could use an exploit to access this data remotely, or if they have physical access to the device, could install jailbreak software in order to steal to the information from the file system of the victim’s device."

Sanchez said that banking apps should transfer data over secure connections and data should be encrypted when stored on the "client side". The researcher also said that more checks were needed to ensure Apple devices could not be 'jailbroken' – a procedure that allows device users to make changes to the functionality of devices, such as through installing unauthorised software, beyond what the manufacturer of the devices intended.

"Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms," Sanchez said. "As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions."

The European Central Bank proposed the creation of a raft of new mobile payments security standards that payment service providers (PSPs) such as banks and 'mobile payment solution providers' (MPSPs) should have to adhere to in November last year.