A recent study by Positive Technologies revealed that over 50% of mobile banking applications are vulnerable to fraud and data theft due to inadequate security layers. The analysis “Vulnerabilities and threats in Mobile Banking” found that banking apps have several security flaws which can be easily exploited to compromise the app and access sensitive data or commit banking fraud.
The Investigation
Security experts at Positive Technologies investigated 14 banking apps and discovered that 13 apps failed to prevent unauthorized access to user data. The researchers stated that all the 14 apps have coding errors and security flaws and 76% of vulnerabilities can be exploited without physical access to the device. The flaws can allow attackers to perform brute-force attacks, man-in-the-middle schemes, distribution of malware like banking Trojans, etc., according to the report.
Client/Server-Side Vulnerabilities
According to the study, 3% of apps running on Android devices are vulnerable to high client-side attack risks, 40% posed medium threats, and 57% have low risks. Apps running on iOS devices (37%) posed medium risks and 63% had a low risk of client-side attacks. It also found that the majority of flaws were generated from the app’s source code originated from deep linking technology.
“Deep linking is used differently on iOS and Android: Developers on Android have more freedom of implementation. This explains the larger number of vulnerabilities in Android applications compared to iOS,” the report said.
The study also pointed out that 50% of the apps contained high-risk, server-side vulnerabilities related to insufficient authentication errors.
“More than half of mobile banks contain high-risk server-side vulnerabilities – for example, insufficient authentication/authorization, password brute-force, business logic errors. Unauthorized access to applications usually results from authentication and authorization flaws,” the report added.
Fake Banking Apps and Trojans
Recently, the FBI issued a warning about threat actors targeting users with fake banking apps to compromise bank accounts, as more people are using online banking during the Coronavirus pandemic. In an official statement, the FBI stated that online and mobile banking apps witnessed a 50% surge in usage since the beginning of 2020. It is expected that cybercriminals would try to abuse new mobile banking customers through app-based banking trojans and fake banking apps. The FBI advised the public to be cautious while downloading banking apps, as hackers spread fake apps concealing malicious intent in them.
