Mobile banking apps vulnerable to cyber attack, report says
INCREASING numbers of fake SSL certificates are compromising the security of mobile banking apps, a report released by Netcraft revealed this week.
The internet analysis organisation claims to have found 'dozens' of certificates fraudulently impersonating banks and social networking sites.
The fake certificates could allow criminals to steal online banking login details without users even noticing, Netcraft say.
There is still some way to go before most mobile devices achieve similar levels of security to that of desktop computers, Martin Baldock, managing director of Stroz Friedberg, an investigations, intelligence and risk management company, told us.
Previous research has found that almost half of mobile banking apps could be vulnerable to cyber attack.
Capturing consumer data
Netcraft's research suggests that cyber criminals could use a man-in-the-middle approach to break into online banking apps.
Fake SSL certificates could allow them to intercept online traffic and, for example, change code to create fake login prompts.
A successful attack would decrypt legitimate online banking traffic, then re-encrypt it and forward it on to the bank.
Such an attack would leave both the consumer and the bank unaware that the attacker had captured the customer's authentication credentials.
Criminals could also use this method to manipulate the amount or recipient of a money transfer, Netcraft say.
A 'significant' threat
SSL Certificates are small data files that digitally bind a cryptographic key to an organisation's details.
The SSL Certificate is validated by a third party - a Certificate Authority (CA) - that identifies one end or both ends of the transaction. Once installed on a server, the certificate enables the padlock icon and the https protocol.
Although fake SSL Certificates won't be validated by mainstream browsers (they're not signed by a legitimate certificate authority), that doesn't mean they don't still pose a significant threat.
The problem is that an ever increasing amount of online banking traffic is being generated by non-browser software like apps.
These, according to Paul Mutton, Netcraft's online security expert, often "fail to adequately check the validity of SSL certificates".
In January this year, computer security firm IO Active tested 40 iOS-based banking apps from around the world and found that 40% failed to validate the authenticity of SSL certificates presented by the server.
Similar tests carried out at Leibniz University of Hannover and Philipps University of Marburg in Germany found that 41% of the Android apps tested were vulnerable.
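The failure both studies describe is a client that completes the TLS handshake without checking that the server's certificate chains to a trusted CA and names the host it is talking to. The following Python example is added here to illustrate that point; it is not code from Netcraft, IOActive or either university, and it uses Python's standard ssl module rather than a mobile platform's API. The vulnerable context shows the pattern that accepts any certificate, the hardened context shows the checks an app should perform, and audit_context is a small review helper that reports which of those checks a configuration is missing. The host name "bank.example" is a placeholder, not a real endpoint.

```python
import ssl
import socket
from typing import List, Optional

# Constructed placeholder for the endpoint an app would contact; not a real bank host.
EXAMPLE_HOST = "bank.example"
EXAMPLE_PORT = 443


def vulnerable_context() -> ssl.SSLContext:
    """The flaw the studies found: the app never validates the certificate.
    With CERT_NONE any certificate is accepted, so a fraudulently issued or
    self-signed one presented by a man-in-the-middle passes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """What a banking app should do: the chain must lead to a trusted CA, the
    certificate must name the host being contacted, and legacy TLS is refused.
    ca_bundle lets an app ship its own trust store instead of relying on the
    device's, which narrows who can issue a certificate it will accept."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Static review of a client TLS configuration. Returns the findings a
    security reviewer would raise; an empty list means the context validates
    certificates the way a browser does."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def fetch_server_certificate(host: str, port: int, ctx: ssl.SSLContext,
                             timeout: float = 5.0) -> dict:
    """Connects with the given context and returns the peer certificate as
    parsed by Python. With the hardened context an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError instead of returning; with
    the vulnerable context the handshake succeeds regardless, and getpeercert()
    returns an empty dict because nothing was verified. Requires network access."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("vulnerable", vulnerable_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Run as a script it prints the audit of both contexts without touching the network; fetch_server_certificate is there for a practitioner who wants to confirm, against a host they are entitled to test, that the hardened context rejects a certificate the vulnerable one accepts.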
Android apps more susceptible
While both operating systems might appear to be equally susceptible to attack, the chief executive of Russian anti-virus software maker Kaspersky Lab, Eugene Kaspersky, insists that Android banking apps are more vulnerable to cyber crime than iOS apps.
"99% of mobile attacks are towards Android-based phones, since Apple has strict controls and does not allow third party applications," he says.
Regardless of which smartphone one might use, however, the fact of the matter is that cyber criminals are increasingly becoming able to focus their energy on attacking mobile devices.
Vulnerabilities are an open door, one which criminals are highly likely to push at.
Netcraft and other security researchers are aiming to raise awareness of the security vulnerabilities of banking apps.
But what can consumers do once they're aware that mobile banking might be unsafe?
We spoke to Martin Baldock of Stroz Friedberg, who acknowledged that the easiest way to spot a safe site on a desktop computer - the familiar internet browsing padlock symbol - has not yet found its way into mainstream apps.
"Until similar visual cues become widely available on smartphones and tablets, users should avoid downloading from third party sites or apps with few downloads or low ratings from the App Store and Google Play," Mr Baldock said.
"There is no silver bullet to mobile security, which means a tiered approach is required," he added.
"This is likely to include restricted use of public wi-fi hotspots, regular updating of operating systems and apps, as well as stronger passwords and the use of lock screen passcodes."
We also spoke to Netcraft's Paul Mutton who stressed that there is very little that the average mobile banking app user can do to verify an app's security.
"Unlike in a browser, it is ordinarily impossible to see whether an app is transmitting your data securely (or even to the correct location!)," he told us.
If consumers do decide to use an app, Mutton recommends the following precautions:
- Seek assurance from the bank that the app has undergone rigorous security testing from a reputable third party.
- Avoid using banking apps from rooted phones (i.e. phones that have been modified to get around any restrictions that the manufacturer or carrier has applied), as this could allow malware to access banking data.
- Those that are unsure of the security of a banking app should certainly never use it over an untrusted network such as a public free wi-fi zone. If the app is vulnerable, this is the easiest scenario in which an attacker could intercept and decrypt passwords and other sensitive data.