Banks constantly encourage us to move our money to their mobile banking apps and other cashless formats for convenience and speed, while at the same time cybercrime keeps growing and refining its methods. Doubts over mobile security have nonetheless kept a sizable share of consumers from adopting mobile banking in their everyday lives, and security concerns have also made banks hesitate to offer every kind of financial service through this channel.
Recently the FBI warned of increased hacking risks when using mobile banking apps, and regulators have taken the same line: the U.S. Federal Reserve, and the European Union through its revised Payment Services Directive (PSD2), recognize that mobile banking can help address some of the challenges consumers face but needs to become more trustworthy.
So we all should be asking ourselves: Is my bank doing enough to protect my money?
Most people don't know whether the mobile banking app they use meets the relevant security standards, such as the OWASP Mobile Application Security Verification Standard (MASVS) or the requirements of PSD2.
Not long ago, several cyber security companies analyzed the security of the most widely used mobile banking apps for both Android and iOS. The result was no surprise: anyone who uses a mobile banking app today is at risk of losing money.
One of these evaluations covered 62 of the world's largest banks, each with assets of over $50 billion USD and each offering a mobile banking application for both Android and iOS.
iOS banking applications fared somewhat better than their Android counterparts, but none of them reached an acceptable level of security.
Some of the risks found in these mobile banking applications are listed below.
Poor application coding
Mobile app developers do not always understand all the threats, and most are not up to the task of securing mobile data, connections, and transactions. This showed in one of the evaluation's results: every one of the mobile banking apps studied contained some type of flaw in its code.
In some cases the code of the application was not obfuscated, meaning it is readable as written. Obfuscation only slows reverse engineering rather than preventing it, but unobfuscated code hands an attacker meaningful class, method and string names, making it easy to identify weaknesses and map the attack surface. Anyone can do this by simply downloading the application from Google Play or the App Store and decompiling it.
This also allows attackers to find hardcoded encryption keys, which let them decrypt whatever the app protected with those keys, including stored credentials, and ultimately steal money. This has already happened: in 2016, cybercriminals who had reverse-engineered the Tesco Bank mobile app stole roughly £2.5 million from thousands of customer accounts over a single weekend before the attack was contained.
Fake Banking Apps
Studies have shown that many fake banking apps are on offer, some of which have been downloaded more than 500,000 times. A search for your own bank's name in the Play Store often turns up several listings that look like its app, of which at most one is genuine. Cyber criminals have built professional-looking imitations of the apps offered by financial institutions; studies have already found around 65,000 fake apps in app stores.
Malicious Mobile Apps
Attackers also target banking credentials with banking Trojans, malicious programs that disguise themselves as other apps, such as games or tools. They work like this: when the user launches their legitimate banking app, this triggers the previously installed Trojan that has been lying dormant on the device. The Trojan draws a fake copy of the bank's login page over the top of the legitimate app. Credentials entered into that fake page go to the attacker, and the Trojan then hands the user over to the real login page so that nothing looks wrong.
Deep links let one app open a specific screen in another, much like hyperlinks between web pages. When a banking app accepts deep links without checking their origin or contents, criminals can use them to steal login details. A scammer first convinces the victim to install a malicious app through social engineering or phishing. That app can then read cards over NFC or manipulate the user into scanning their bank cards with the camera; to the user it looks like a normal banking transaction, but it is the attacker who receives the data. In some cases, criminals have even abused fingerprint or face authentication through such flaws to get into bank accounts.
Secure coding standards
The evaluation also showed that banks are failing to adhere to secure coding best practices. This exposes not only bank data but also customer data to various attacks. It was found that 90% of banking apps do not follow secure coding practices and that their code can easily be tampered with or hooked by cyber criminals or malicious apps.
One consequence of this is exposure to cross-site scripting (XSS), which forces the bank's web content, including pages loaded inside the app's web view, to execute attacker-supplied script in the user's browser context. With that script the attacker can read, modify and transmit any confidential data the browser can reach: steal cookies, hijack sessions, open phishing pages and download malware.
It was also found that 30% of the apps store encryption keys in their code, where anyone who can unpack the app can read them.
Even worse, 60% of the apps had a logout function that did not properly end the session, allowing session hijacking attacks.
In a session hijacking attack, an attacker can also use the back button of the browser or app to reach pages the victim previously visited. Apps that have had no web application security testing are susceptible to this. The vulnerability comes from incomplete session expiry: it arises when a banking app, or its server, keeps accepting old session credentials after the user has logged out.
There is also the risk of session fixation, where the attacker forces the victim's session ID to a value the attacker already knows before the victim logs in; if the application keeps using that ID after login, the attacker now holds an authenticated session and can take it over. These attacks can do real damage to a bank's reputation, and the confidential data criminals steal can cost it millions.
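To make the logout and fixation flaws concrete, here is an added illustration in Python (not code from the evaluation or from any bank's app) of a minimal server-side session store done right, next to a version that reproduces the two flaws just described: a logout that only happens on the client, and a pre-login session ID that survives authentication. The timeouts, the in-memory table and the user names are assumptions made for the example.

```python
import secrets
import time

# Constructed example: a minimal server-side session store for a banking API.
# SessionStore does it right; BrokenSessionStore reproduces the two flaws
# described above (client-only logout, and a pre-login ID kept after login).
# Timeouts and the in-memory table are assumptions made for the example.

IDLE_TIMEOUT = 5 * 60            # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap regardless of activity


class SessionStore:
    """In-memory session table keyed by session ID (a real deployment would
    keep this in a shared store so every server node sees the same state)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user", "created", "last_seen"}
        self._clock = clock   # injectable so timeouts can be tested

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def login(self, username, password_ok, presented_id=None):
        """Authenticate and ALWAYS issue a fresh ID, which defeats fixation."""
        if not password_ok:
            return None
        # Whatever ID the client presented before authenticating is discarded,
        # so an attacker who planted it cannot ride the victim's login.
        self._sessions.pop(presented_id, None)
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def authenticate(self, sid):
        """Return the user for a live session, or None; expired ones are purged."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Invalidate on the server; the client forgetting the token is not enough."""
        self._sessions.pop(sid, None)


class BrokenSessionStore(SessionStore):
    """Models the flawed behaviour the evaluation describes, for contrast only."""

    def login(self, username, password_ok, presented_id=None):
        if not password_ok:
            return None
        sid = presented_id or self._new_id()   # flaw 1: keeps attacker's ID (fixation)
        now = self._clock()
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        pass   # flaw 2: only the client drops the token; a replayed ID still works


def demo():
    """Try a fixation attempt and a post-logout replay against both stores."""
    good, bad = SessionStore(), BrokenSessionStore()
    planted = "attacker-chosen-id"   # ID the attacker got onto the victim's device
    g = good.login("alice", True, presented_id=planted)
    b = bad.login("alice", True, presented_id=planted)
    results = {
        "fixation_on_hardened": good.authenticate(planted),   # None
        "fixation_on_broken": bad.authenticate(planted),      # "alice"
    }
    good.logout(g)
    bad.logout(b)
    results["replay_after_logout_hardened"] = good.authenticate(g)   # None
    results["replay_after_logout_broken"] = bad.authenticate(b)      # "alice"
    return results


if __name__ == "__main__":
    print(demo())
```

Two things to check in a real app follow directly from this: that the session ID changes across login (a proxy like Burp makes this a one-minute test), and that a captured token stops working the moment the user taps logout, not only when it eventually times out.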
Another risk found in these evaluations was that 80% of the mobile banking apps analyzed allowed their screens to be captured (on Android, an app that does not mark sensitive windows with FLAG_SECURE lets screenshots, screen recording and the app-switcher preview capture whatever is on screen). This can leak card details and account balances, for instance to a malicious app with screen-capture permission.
Furthermore, 90% of the applications studied allowed man-in-the-middle (MITM) attacks due to flaws in SSL/TLS certificate validation, typically accepting any certificate or not checking that it matches the server's hostname. Such an attack lets an attacker on the same network read and tamper with everything transferred between the application and the server, including users' sensitive data.
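As an added example (not code from the evaluation or from any bank), the following Python shows what the validation flaw looks like on the client side, the hardened configuration, a small audit helper you can point at any ssl.SSLContext, and a fingerprint pin on the leaf certificate as a second check after chain validation. The pin values and the host used with connect_pinned are assumptions; only the offline helpers are exercised here.

```python
import hashlib
import socket
import ssl

# Added example: the client-side anti-pattern behind "flawed SSL certificate
# validation", a hardened ssl.SSLContext, an audit helper for any context, and
# a pin check on the leaf certificate. Pin values used with it are assumptions.


def insecure_context():
    """The anti-pattern: accepts any certificate, for any hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all: trivial MITM
    return ctx


def hardened_context():
    """Validate the chain against the system trust store and check the hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; empty means it passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, the value shipped as a pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, pinned_fingerprints):
    """Second check after chain validation: the leaf must be one we expect.
    Ship at least one backup pin, or a certificate rotation bricks the app."""
    return cert_fingerprint(der_bytes) in {p.lower() for p in pinned_fingerprints}


def connect_pinned(host, port, pinned_fingerprints, timeout=5.0):
    """Open a validated TLS connection, then drop it unless the leaf is pinned.
    This makes a network call, so it is not exercised in the offline checks."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pinned_fingerprints):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()
```

The same three questions apply to an Android TrustManager or an iOS URLSession delegate: is the chain validated, is the hostname checked, and is there a pin on top? An app that passes the first two still fails the third if a rogue or compromised CA can issue a certificate for the bank's domain, which is exactly what pinning is there to catch.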
Application Data Storage
Besides lacking proper application security in general, some banking applications were found storing sensitive data on the user's device. Data that is never deleted or encrypted after use can leak users' sensitive information, in particular to other apps on a rooted device or to anyone who obtains a backup of the phone. On some of the devices evaluated, application security experts found card balance statements and even the user's PIN code stored.
To be exact, in 43% of the applications tested, important data was found stored on the phone without any encryption. This creates serious flaws that cyber criminals can later exploit to gain access to bank accounts.
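As an added example (not part of the original evaluation), the following Python script does the kind of check a tester runs against an app's private storage directory: it walks the files and flags Luhn-valid card numbers and PIN-like entries stored in the clear. The sample sandbox, its file names and its contents are constructed for the example, using a standard test card number rather than real data.

```python
import re
import tempfile
from pathlib import Path

# Added example: an audit pass over an app's private storage looking for the
# plaintext leakage described above (card numbers, PINs). The sample sandbox
# is constructed below with a standard test card number, not real data.

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# "pin": 1234, pin=1234, <string name="pin">1234</string>, PIN: 123456 ...
PIN_RE = re.compile(r"(?i)\bpin\b[\"']?\s*[:=>]\s*[\"']?(\d{4,6})\b")


def luhn_ok(digits):
    """Luhn checksum; cuts false positives from random digit runs such as IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit-only form of every Luhn-valid card number in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_directory(root):
    """Walk root and return {relative_path: {"pans": [...], "pins": [...]}}
    for every file that leaks something."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # binary files degrade to noise
        except OSError:
            continue
        pans = find_pans(text)
        pins = [m.group(1) for m in PIN_RE.finditer(text)]
        if pans or pins:
            findings[path.relative_to(root).as_posix()] = {"pans": pans, "pins": pins}
    return findings


def build_sample_sandbox():
    """Constructed stand-in for an app's data directory with one leaking file."""
    root = Path(tempfile.mkdtemp(prefix="appdata_"))
    (root / "shared_prefs").mkdir()
    (root / "cache").mkdir()
    # Card number (Luhn-valid test PAN) and PIN written in the clear, as the
    # evaluation found in real apps
    (root / "shared_prefs" / "user.xml").write_text(
        '<map><string name="card">4111 1111 1111 1111</string>'
        '<string name="pin">1234</string></map>'
    )
    # A log line with a 16-digit number that fails Luhn: must not be reported
    (root / "cache" / "app.log").write_text("request id 1234 5678 9012 3456 ok\n")
    return root


if __name__ == "__main__":
    for rel, hit in scan_directory(build_sample_sandbox()).items():
        print(rel, hit)
```

On a test device the directory to pull is the app's private data directory (via adb on a rooted Android device, or from a decrypted backup on iOS), and the scan should also cover the app's caches, logs and any SQLite files, since WebView caches and crash logs are where this data most often ends up by accident.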
Server Side Flaws
Additionally, 60% of the mobile banking applications were found to have server-side flaws that attackers can exploit against users. One example is insufficient checking of uploaded files: if the server validates only the file extension, or nothing at all, an attacker can upload malware to it. If a bank employee then opens such a file, the malware runs and can steal data directly from the server.
Buffer overflow is another attack that can occur on the server side. It happens when data written to memory exceeds the size of the buffer reserved for it; an attacker who controls that data can alter the flow of the application and redirect the program to execute malicious code.
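An added Python example (not the page's or any bank's code) of the server-side validation that is missing when such uploads get through: it strips any path components from the client's file name, honours only the last extension against an allow-list, requires the file's leading bytes to match the type that extension claims, and stores the file under a server-chosen name. The allowed types, magic bytes, size limit and sample payloads are assumptions made for the example.

```python
import os
import re
import secrets

# Added example: the server-side validation missing when such uploads get
# through. Allowed types, magic bytes, size limit and payloads are assumptions.

# Extension -> leading bytes ("magic") that a real file of that type starts with
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


class UploadRejected(ValueError):
    """Raised with a short reason when the upload fails a check."""


def validate_upload(filename, data):
    """Return the canonical extension of an acceptable upload, else raise."""
    # 1. Strip directory components the client may have sent ("../../etc/cron.d/x",
    #    "..\\web\\shell.aspx"); the client never chooses where a file lands.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base) or base.startswith("."):
        raise UploadRejected("unsafe filename")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # 2. Only the LAST extension counts: "statement.pdf.exe" is an executable.
    ext = os.path.splitext(base)[1].lstrip(".").lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: %r" % ext)
    # 3. The bytes must agree with the extension: "report.exe.pdf" with a PE
    #    header ("MZ") is rejected here even though the name looks fine.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match .%s" % ext)
    return ext


def storage_name(ext):
    """Never store under the client's name; a server-chosen name kills every
    filename trick (double extensions, null bytes, reserved names) at once."""
    return "%s.%s" % (secrets.token_hex(16), ext)
```

A magic-byte check does not stop polyglot files (a valid PDF can also carry a script), so the stored file should still live outside the web root, be served with Content-Disposition: attachment, and be scanned before any employee opens it; these checks only make sure the obvious cases never reach that stage.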
In conclusion, consumers everywhere need to push banks to do a better job on application security design and development, and to follow security standards. The mobile banking application flaws found in recent studies can lead to breaches of sensitive financial and personal information. In most cases these flaws lead to fraud and, worse, to the loss of account holders' hard-earned money, as happened at Tesco Bank in the United Kingdom.
Today banks must recognize and respond to their customers' concerns by providing a mobile banking experience that balances application security with convenience.
Most banks currently blame fraud cases on their customers, or on the customer not having bought insurance, instead of looking at the flaws in their own mobile application security.
International Institute of Cyber Security (IICS) experts recommend that if you use mobile banking, you keep only trusted apps on your phone, especially since the evaluation found that in 87 percent of cases user interaction is required for one of these flaws to be exploited.
Additionally, always keep your phone and other devices updated with the latest patches. Do not jailbreak or root them, and never open unknown links on your phone or device. The most important thing for keeping data secure is not to rely on application security alone: users must remain informed and cyber conscious, and use common sense.
The author is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is currently active as an anti-malware expert and has worked for security companies such as Kaspersky Lab. His everyday work involves researching new malware and cyber security incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.