Vulnerabilities found and fixed in banking apps: Cybersecurity researcher

According to the researcher, the problems included issues in biometric authentication, incorrect session handling, embedding of authentication credentials, API security and third-party risks like integration with WhatsApp.

A Mumbai-based cybersecurity researcher, who independently audited the mobile apps of some of India’s biggest banks, claims to have flagged several vulnerabilities in these apps over the last few months.

According to the researcher, he disclosed these vulnerabilities to the banks directly, and since then they have taken steps to patch these in their latest updates. The researcher did not want to reveal his identity as he works closely with several banks and is not authorised to speak to media on these matters.

According to him, the problems ranged from issues in biometric authentication, incorrect session handling, embedding of authentication credentials and API security to third-party risks such as integration with WhatsApp.

ET could not independently verify these issues, but the CISO of a major bank says his organisation does receive such disclosures from security researchers and tries to issue patches for any verified vulnerability as soon as it can. “Modern banking is a work in progress,” he points out.

In the case of biometric authentication, the security researcher highlighted problems pertaining to the “use of incorrect libraries leading to the authentication itself being bypassed; and OEMs of mobile phones being able to capture data of their end-customers”.

The last few months have seen a surge in the number of banking apps leveraging in-built biometric authentication, which is more convenient for the end-user than typing in passwords. It is seen as an added security layer, provided it is configured correctly.

Another aspect where he found issues was incorrect session handling, where “the inability of the mobile application to verify and authenticate the session and the associated user leads to a malicious user being able to perform financial transactions”. There were also issues with the embedding of authentication credentials, which could be easily discovered by those with malicious intent. Further problems were found in API security, including “inefficient, and at times, non-existent logging and monitoring mechanisms”.

The researcher says the integration of WhatsApp banking can also lead to private data being accessed by third parties.

“While the entire information is transacted over the end-to-end encrypted channel of WhatsApp, all data, including encrypted PDFs like statements, etc, are stored on the public cloud of third-party service providers. Typically, data retention is done for 90 days before purging permanently or moving to a separate location. The risks are huge, from improper security configuration on the storage buckets to insider risks of data theft,” he claims.
