Half of mobile banks are vulnerable to fraud and theft of funds due to inadequate security on apps, according to a study by Positive Technologies. The analysis found that mobile banking applications have a raft of security flaws which can be exploited by cyber-criminals to access sensitive data and commit fraud.
Positive Technologies said that none of the 14 mobile banking applications tested had an acceptable level of security. Among the client-side applications installed by customers, 43% were shown to store important information on the phone in clear text, leaving the data at risk of being accessed by an unauthorized party. In addition, 76% of the vulnerabilities can be exploited without physical access to the device, and over one-third can be exploited without administrator rights.
Each mobile bank analyzed had an average of 23 vulnerabilities on the server side, which contained 54% of all the vulnerabilities found. Close to half (43%) had server-side vulnerabilities in business logic, which attackers can use to access sensitive user information and commit fraud. The report also stated that hackers can steal user credentials in five out of seven mobile banks while card information is at risk in one-third.
There were also variations in the types of security flaws between iOS and Android apps: in iOS, no flaws were rated above ‘medium,’ whereas in Android, 29% were ‘high risk.’
Olga Zinenko, analyst at Positive Technologies, commented: “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in clear text and make errors allowing hackers to bypass authentication and authorization mechanisms and brute-force user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits and the phone number associated with a victim’s card.
“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”