Research conducted by Positive Technologies found that, owing to inadequate security in their apps, many online banks are exposed to fraud and theft of funds. The study revealed that mobile banking applications are prone to security flaws that cybercriminals can exploit to access sensitive data and commit fraud.
Of the 14 mobile banking applications tested by Positive Technologies, none had an acceptable level of security. Among the client-side apps installed on customers' devices, 43% stored important information on the phone in plain text, leaving it at risk of unauthorized access by a third party. Moreover, 76% of the vulnerabilities can be exploited without physical access to the device, and more than one-third can be exploited without administrator rights on the device.
On the server side, each examined mobile bank had an average of 23 vulnerabilities, and server-side flaws accounted for 54% of all the vulnerabilities identified. About 43% involved server-side business-logic vulnerabilities, which attackers can exploit to obtain sensitive user information and commit fraud. The report also found that about one-third of card information is at risk, and that attackers could steal user credentials in five out of seven mobile banks.
Differences in the types of security flaws between iOS and Android apps were also observed: no iOS defects were classified above ‘medium’ severity, while 29% of Android defects were rated ‘high risk’.
Olga Zinenko, Analyst at Positive Technologies, commented, “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in clear text, and make errors allowing hackers to bypass authentication and authorization mechanisms and brute force user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim’s card.
“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”
Just recently, the FBI warned that cybercriminals are seeking to take advantage of the growing use of mobile banking apps during COVID-19.