Widespread Security Vulnerabilities in Mobile Banking Apps

Widespread Security Vulnerabilities in Mobile Banking Apps

Originally Published on this site

Widespread Security Vulnerabilities in Mobile Banking Apps

Widespread Security Vulnerabilities in Mobile Banking Apps 1

Half of mobile banks are vulnerable to fraud and theft of funds due to inadequate security on apps, according to a study by Positive Technologies. The analysis found that mobile banking applications have a raft of security flaws which can be exploited by cyber-criminals to access sensitive data and commit fraud.

Positive Technologies said that none of the 14 mobile banking applications tested had an acceptable level of security. In regard to the applications installed by clients, 43% were shown to store important information on the phone in clear text, making the data at risk of being accessed by an unauthorized party. In addition, 76% of the vulnerabilities can be exploited without physical access to the device and over one-third can be exploited without administrator rights.

Each mobile bank analyzed had an average of 23 vulnerabilities on the server side, which contained 54% of all the vulnerabilities found. Close to half (43%) had server-side vulnerabilities in business logic, which attackers can use to access sensitive user information and commit fraud. The report also stated that hackers can steal user credentials in five out of seven mobile banks while card information is at risk in one-third.

There were also variations in the types of security flaws between iOS and android apps; in iOS, no flaws were rated above ‘medium,’ whereas in android, 29% were ‘high risk.’

Olga Zinenko, analyst at Positive Technologies, commented: “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in clear text and make errors allowing hackers to bypass authentication and authorization mechanisms and bruteforce user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits and the phone number associated with a victim’s card.

“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”

Just last week, the FBI warned that cyber-criminals are seeking to take advantage of the growing use of mobile banking apps during COVID-19.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Vox Messenger Logo - 512x512

End-2-End Encrypted. Secure. Ad-Free.
Lightweight and Faster than the Competition.

Vox Messenger is an ad-free, secure and end-2-end encrypted alternative to other popular chat messenger apps.

Available for Free. Whitelabel Corporate Edition Available on Request.

Vox Messenger {Secure} - Communicate safely with our private and secure messaging app | Product Hunt Embed

All Rights Reserved - © Copyright 2020 - Vox Messenger (a Division of Kryotech Ltd.)