SoylentNews is people

posted by chromas on Tuesday April 09 2019, @11:11PM
from the slow-adoption-means-learning-from-others'-misteaks....hahahahahaha! dept.

Submitted via IRC for Bytram

Massive bank app security holes: You might want to go back to that money under the mattress tactic

A new report[$] from a well-regarded payments consulting firm has found a lengthy list of security insanity while examining several major fintech company mobile apps. Although the very nature of apps that manage and move money would suggest presumably strong security, banks and their cohorts tend to adopt new technology slower than almost any other vertical, which puts them in a bad place when it comes to security.

My favorite finding from the Aite Group report: "Several mobile banking apps hard-coded private certificates and API keys into their apps. [Thieves] could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them," the report noted. "Should the [attackers] successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things. The API keys allow an adversary to then begin targeting the [financial institution's] API servers, gaining them access to data in the back-end databases. This allows [attackers] to authenticate the device with the back-end servers of that app, since this is what APIs use for authentication and authorization."

In other words, these banks have made the attackers' jobs far easier. "One of the directories was actually called 'API Keys,'" said Alissa Knight, the senior analyst with Aite Group's cybersecurity practice who did the research for the report. "My coffee didn't even get cold while I was on that list" trying to find vulnerabilities.
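A defender-side check for the leakage classes described above, added here as an example that is not from the Aite report, from Computerworld, or from any bank's code base: a pre-release scan over an unpacked app build (the file tree a build pipeline or a decompiler produces) that flags PEM private keys, API keys assigned as string literals, dev/QA hostnames and nonstandard ports in URLs, SQL text joined by string concatenation, and directories with names such as "API Keys". Every path, hostname, key value and the reserved `.example` domain in the sample bundle is constructed; the regular expressions are heuristics, and a real pipeline would run them as a build gate alongside a dedicated secrets scanner.

```python
"""Pre-release secret scan over an unpacked mobile app build.

Added example (not from the Aite report or any bank's code). It walks the
files of a decompiled/unpacked app bundle and flags the leakage classes the
report describes: PEM private keys, API keys and secrets stored as string
literals, URLs with nonstandard ports or dev/QA hostnames, SQL text built by
string concatenation, and directories whose name advertises key material.
The bundle below is constructed for the demo; real use would read it from disk.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key id format
# apiKey = "...", "apiSecret": "...", api_key=... (quotes optional, value 16+ chars)
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b(api[_-]?key|api[_-]?secret|client[_-]?secret|secret|token|password)\b"
    r"[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})[\"']?")
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)(?::(\d{1,5}))?")
DEV_HOST_RE = re.compile(r"(?i)(?:^|[.-])(dev|staging|stage|qa|uat|test)(?=[.-]|$)")
SQL_CONCAT_RE = re.compile(r'(?i)"\s*(?:select|insert|update|delete)\b[^"]*"\s*\+')
KEY_DIR_RE = re.compile(r"(?i)\b(api[ _-]?keys?|secrets?|private[ _-]?keys?)\b")
STANDARD_PORTS = {"80", "443"}
ENTROPY_MIN = 3.2   # bits/char; placeholders like CHANGEME_CHANGEME_CHANGEME fall below this


def shannon_entropy(s: str) -> float:
    """Bits per character; a cheap filter separating real keys from placeholders."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path: str, text: str) -> list[Finding]:
    found = []
    parent = path.rsplit("/", 1)[0] if "/" in path else ""
    if KEY_DIR_RE.search(parent):
        found.append(Finding(path, "key-directory", parent))
    if PEM_RE.search(text):
        found.append(Finding(path, "private-key", "PEM private key block"))
    for m in AWS_KEY_RE.finditer(text):
        found.append(Finding(path, "aws-access-key-id", m.group(0)))
    for m in SECRET_ASSIGN_RE.finditer(text):
        name, value = m.group(1), m.group(2)
        if shannon_entropy(value) >= ENTROPY_MIN:     # skip obvious placeholders
            found.append(Finding(path, "hardcoded-secret", f"{name}={value[:4]}..."))
    for m in URL_RE.finditer(text):
        host, port = m.group(1), m.group(2)
        if port and port not in STANDARD_PORTS:
            found.append(Finding(path, "nonstandard-port-url", f"{host}:{port}"))
        if DEV_HOST_RE.search(host):
            found.append(Finding(path, "dev-host-url", host))
    if SQL_CONCAT_RE.search(text):
        found.append(Finding(path, "sql-string-concat", "SQL literal joined with +"))
    return found


def scan_bundle(files: dict[str, str]) -> list[Finding]:
    """files maps relative path -> decoded text, as os.walk() plus open() would give."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


# Constructed unpacked bundle; every value here is made up for the demo.
SAMPLE_BUNDLE = {
    "assets/API Keys/keys.json": '{"apiKey": "Qv8kz2LpX1aRmT7cJ4wNs9bYdF0hUe3G", "note": "prod"}',
    "assets/config.properties": (
        "api_key=CHANGEME_CHANGEME_CHANGEME\n"
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"        # AWS's documented example id
        "base_url=https://api.examplebank.example\n"
    ),
    "res/raw/client.pem": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "decompiled/com/examplebank/Net.java": (
        'String base = "https://api-dev.examplebank.example:8443/v1";\n'
        "String q = \"SELECT * FROM accounts WHERE user = '\" + user + \"'\";\n"
    ),
    "res/values/strings.xml": '<string name="support_url">https://www.examplebank.example/help</string>',
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.kind:22} {f.path}  ({f.detail})")
```

Run as a build step, a non-empty findings list should fail the release; the entropy threshold keeps obvious placeholders out of the report but is a heuristic, so anything flagged as `hardcoded-secret` still needs a human to confirm and rotate it.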

Some other especially scary points made in the Aite report:

  • "Many of the apps contained hard-coded SQL statements that gave adversaries the ability to employ SQL injection attacks, such as modifying an existing SQL query or inserting a new SQL query in a man-in-the-middle attack that allows them to download all of the data in the database, delete data, or modify it."
  • "Ninety-seven percent of the apps tested suffered from a lack of binary protection, making it possible to decompile the apps and review the source code. Additionally, all of the FI apps tested failed to implement application security that would have obfuscated the source code of the apps, making it possible to decompile them. This provided all of the sensitive API URLs, API keys, and API secrets hard-coded into the apps, and some of the URLs included nonstandard port numbers and development servers used by developers for testing and QA, which were reachable at the time of the testing. By decompiling the binaries, it was also possible to discover several private keys hard-coded into their files and located in subdirectories of the app, making it possible to crack the private key passwords offline."
  • "Additional findings included the ability to execute client-side code in an app's WebView; raw SQL queries embedded in the source code, yielding database schema information and the ability to perform SQL injection; the creation and storage of sensitive data into temp files on the mobile device or clipboard memory; and hard-coded public and private keys. Decompiling the binary into its raw source code gives adversaries the ability to inject malware and repackage the app as a rogue/pirated app hosted in a third-party app market, such as TweakBox, Aptoide, and TutuApp, or send it to victims via smishing (SMS phishing). Decompiling the app also allows an adversary to understand how the app detects jailbroken mobile devices, which, once vulnerabilities (such as API keys, private keys, and credentials) are found in the source code, results in theft of money through banking trojans, username/password theft or account takeover using overlay screens, and the theft of confidential data."
  • "About 80 percent of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed."
  • "About 70 percent of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable."
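To make the first bullet concrete, an added example (not code from the report or from any app it tested) puts the hard-coded-SQL pattern beside its parameterised replacement on an in-memory SQLite table of constructed accounts. The functions `balance_concat`, `balance_param` and `allowlist_user` and the row data are this example's own; the same fix applies on Android (`SQLiteDatabase.rawQuery` with `selectionArgs`) and iOS (`sqlite3_bind_*`).

```python
"""Hard-coded SQL built by concatenation versus a parameterised query.

Added example, not code from the report or any bank app. The report's finding
is that apps embed raw SQL and assemble it from input with string joins; this
shows, on an in-memory SQLite database with constructed rows, why that pattern
lets input change the query and why binding parameters removes the problem.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed accounts (no real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 1200), ("bob", 340), ("carol", 9800)])
    return conn


def balance_concat(conn: sqlite3.Connection, user: str) -> list:
    """The vulnerable pattern: the SQL text itself is assembled from the input."""
    sql = "SELECT user, balance FROM accounts WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def balance_param(conn: sqlite3.Connection, user: str) -> list:
    """The fix: the SQL text is fixed; the input travels as a bound value."""
    sql = "SELECT user, balance FROM accounts WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()


def allowlist_user(user: str) -> str:
    """Defence in depth: accept only the alphabet an account name can contain."""
    if not user.isalnum() or len(user) > 32:
        raise ValueError("invalid account name")
    return user


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"            # constructed input that rewrites the concatenated query
    print(balance_concat(conn, "bob"))     # [('bob', 340)]
    print(balance_concat(conn, crafted))   # every row: the WHERE clause became always-true
    print(balance_param(conn, crafted))    # []: no account is literally named that
```

The parameterised form is the real fix; the allowlist is a second layer for the case where some query genuinely has to be built dynamically.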

Original Submission

  • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @07:27AM (8 children)

    by Anonymous Coward on Wednesday April 10 2019, @07:27AM (#827339)

    Stealing hundreds of thousands or even millions from others is "trumped up bullshit?"

    From a banker or a financial industry dweeb, yeah, it's trumped up bullshit! They will hardly know it's missing, and besides, fuck them! We're taking our money back from thieves!

    Quoting the law is a waste. Plenty of innocents locked up in Alabama too. The law is bullshit for them. If they want me they will take me, even if I do nothing at all. May as well make it count.

    You're not inane, you're just banal, boring... and clutching pearls for the rich man.

  • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @08:11AM (7 children)

    by Anonymous Coward on Wednesday April 10 2019, @08:11AM (#827354)

    ... and clutching pearls for the rich man.

    Nope. I just believe in the rule of law [wikipedia.org].

    Pieces of shit like you with no principles or scruples make me want to hurl.

    • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @06:24PM (1 child)

      by Anonymous Coward on Wednesday April 10 2019, @06:24PM (#827556)

      you're a bootlicking whore. you probably fund the federal government too, don't you bitch?

      • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @10:22PM

        by Anonymous Coward on Wednesday April 10 2019, @10:22PM (#827647)

        Do you kiss your mother with that mouth?

        Or is it reserved for the cocks of other sociopathic morons like you?

        In fact, you've got a little jizz at the corner of your mouth right now. Lick it up. You don't want to waste it!

    • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @10:29PM (4 children)

      by Anonymous Coward on Wednesday April 10 2019, @10:29PM (#827653)

      make me want to hurl.

      Oh! Please do! Be sure to roll camera and upload the vid.

      You're such a dweeb! Reelecting crooks, invading sovereign countries and killing their leaders only because you can, locking innocents in prison only because you can, and complaining about me. Very funny! But I'm not wasting my points on you. More mockery is all you deserve!

      • (Score: 0) by Anonymous Coward on Wednesday April 10 2019, @11:37PM (3 children)

        by Anonymous Coward on Wednesday April 10 2019, @11:37PM (#827686)

        Kissy Kissy, baby!

        And by the way, you really need to work on your "mockery." You're really not very good at it.

        Is that a genetic thing or were you repeatedly dropped on your head as a child, or both?

        Toodles!

        • (Score: 0) by Anonymous Coward on Thursday April 11 2019, @01:16AM (2 children)

          by Anonymous Coward on Thursday April 11 2019, @01:16AM (#827707)

          OY! Thank god! Now we don't have to hear all that redneck shit!

          "Eewww! He's a felon!" - such a pathetic moron!

          • (Score: 0) by Anonymous Coward on Thursday April 11 2019, @05:04AM (1 child)

            by Anonymous Coward on Thursday April 11 2019, @05:04AM (#827769)

            Don't forget what happened to Duke [wikipedia.org].

            And I'm sure there's an 8x8 box somewhere with your name on it, champ!

            • (Score: 0) by Anonymous Coward on Thursday April 11 2019, @08:36PM

              by Anonymous Coward on Thursday April 11 2019, @08:36PM (#828240)

              Heh, don't you forget what happened to the cop... Probably didn't hurt as much...

              I'm just waitin' for my ride... You're free to go