Massive bank app security holes: You might want to go back to that money under the mattress tactic

Credit to Author: Evan Schuman | Date: Fri, 05 Apr 2019 10:24:00 -0700

A new report from a well-regarded payments consulting firm has found a lengthy list of security insanity while examining several major fintech company mobile apps. Although the very nature of apps that manage and move money would suggest presumably strong security, banks and their cohorts tend to adopt new technology slower than almost any other vertical, which puts them in a bad place when it comes to security.

My favorite finding from the Aite Group report: “Several mobile banking apps hard-coded private certificates and API keys into their apps. [Thieves] could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them,” the report noted. “Should the [attackers] successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things. The API keys allow an adversary to then begin targeting the [financial institution’s] API servers, gaining them access to data in the back-end databases. This allows [attackers] to authenticate the device with the back-end servers of that app, since this is what APIs use for authentication and authorization.”

In other words, these banks have made the attackers’ jobs far easier. “One of the directories was actually called ‘API Keys,’” said Alissa Knight, the senior analyst with Aite Group’s cybersecurity practice who did the research for the report. “My coffee didn’t even get cold while I was on that list” trying to find vulnerabilities.
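As an added example that is not part of the article or the Aite report, here is the kind of defender-side pre-release check that would have caught this finding: scan an unpacked app bundle for embedded private keys, high-entropy API-key literals and a tell-tale “API Keys” directory name. The sample app tree, file names and key values below are constructed for the demonstration.

```python
# Pre-release check for secrets shipped inside an unpacked mobile app bundle.
# Constructed example, not from the Aite report: flags embedded private keys,
# high-entropy API-key literals and the give-away "API Keys" directory name.
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# key-like name followed by a quoted literal of 20+ token characters
KEY_LITERAL = re.compile(r"(?i)\b(api[_-]?key|client[_-]?secret|secret|token)\b"
                         r"[\"']?\s*[:=]\s*[\"']([A-Za-z0-9_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits/char; random tokens score well above, placeholders below

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_hardcoded_secrets(root: Path) -> list[dict]:
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = path.read_bytes().decode("utf-8", errors="ignore")
        if any("api key" in part.lower() for part in Path(rel).parts[:-1]):
            findings.append({"kind": "suspicious_directory", "path": rel})
        if PEM_KEY.search(text):
            findings.append({"kind": "private_key", "path": rel})
        for m in KEY_LITERAL.finditer(text):
            entropy = shannon_entropy(m.group(2))
            if entropy >= ENTROPY_THRESHOLD:  # low entropy means a placeholder, not a key
                findings.append({"kind": "api_key", "path": rel,
                                 "name": m.group(1), "entropy": round(entropy, 2)})
    return findings

def create_sample_app(root: Path) -> None:
    """Constructed app tree: one leaky PEM, one leaky config, one clean XML file."""
    (root / "assets" / "API Keys").mkdir(parents=True)
    (root / "assets" / "API Keys" / "client.pem").write_text(
        "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n")
    (root / "res" / "raw").mkdir(parents=True)
    (root / "res" / "raw" / "config.json").write_text(
        '{"apiBaseUrl": "https://api.example.invalid/v1",\n'
        ' "apiKey": "sk_live_9aZ3xQ7pL2mR8vT4kW6nB1cD5fG0hJ"}\n')
    (root / "res" / "raw" / "strings.xml").write_text('<string name="apiKey">placeholder</string>\n')

def demo_findings() -> list[dict]:
    root = Path(tempfile.mkdtemp())  # scratch copy of the constructed bundle
    create_sample_app(root)
    return find_hardcoded_secrets(root)
```

Running the scanner over a real unpacked APK or IPA instead of the sample tree is a one-line change to the root path; the same checks apply.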

Some other especially scary points made in the Aite report:

In terms of the mobile apps she examined, Knight said many procedures were simply sloppy. Cyberthieves love sloppy. “Everything in the app was being logged and it had some very verbose logging. A gratuitous amount,” Knight said in a Computerworld interview. “A lot wasn’t being done in sandboxes and was stored directly on the mobile device.”

Aaron Lint is the chief scientist and research vice president for Arxan, which underwrote the Aite research. “It’s no secret that the finance industry is a hot target because the payload is cold, hard cash,” Lint said. “Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering.”

Lint referred to the API leakage as “a blueprint of how to deal with the app.”

Making the API keys so easy to find is certainly a courtesy that will be much appreciated in the dark web, although likely less so by the financial institution’s customers. That said, those customers will be unable to do anything about this — such as switching banks — because Aite declined to identify which companies they looked at.

Aite did email Computerworld some descriptions of the companies profiled — there were 30 companies examined in eight categories: retail banking apps (four companies examined); credit card issuers (3); mobile payment apps (3); healthcare savings accounts apps (3); retail brokerage accounts (5); health insurers (4); auto insurance (4); and crypto-currency companies (4). Aite also released how many were publicly traded (most were) and gave a hint about company size by saying how many employees each company had (that number ranged from 250,000 employees for one of the retail banking app companies to 50 employees for one of the crypto-currency companies).

Even more troubling, Aite said it chose not to tell any of the companies examined that it had found major security holes on their sites. This is regrettable, but understandable. It’s a fear — ranging from litigation to being blackballed in the industry — that pen testers have these days about examining sites or apps without the company’s permission. Given that Aite has to work with these companies, it makes sense that it wouldn’t want to flag to these companies that they have issues.

In a Utopian world, companies would be ecstatic to be informed about issues on their site/app before cyberthieves found them, but that’s not how the world works, especially in the U.S. Hint to FI companies: Hire a pen tester today to check out your site and apps. Some of you have massive issues.
