18% of Banks Disclose Client Data Over the Phone
Digital Security, a company specializing in IT system security analysis, has released the results of a new study on the security of mobile applications for iOS and Android from 16 leading Russian banks. The research was conducted by analysts Egor Saltykov and Viktor Vukolov. The main goal of this large-scale project, in addition to identifying weaknesses in client-side software, was to examine how banks interact with mobile network operators.
For their analysis, Digital Security experts selected apps from among the most downloaded banking apps in the “Finance” section of the App Store and Google Play, cross-referenced with the “Top 100 Russian Banks” list (according to banki.ru as of November 2017). The final list included 16 banking apps, and the list of mobile operators was limited to the “big four.” The research focused on in-depth checks of the apps themselves and on analyzing the interaction between the banks and the mobile operators.
During the study, Digital Security experts found that 18% of banks allow confidential client data to be disclosed over the phone, including account balances and transaction information. This could potentially lead to theft of funds and other negative consequences.
In 62% of the banks reviewed, the call center trusts the phone number from which the call is made, making it possible to obtain private data by knowing only the victim’s phone number. Of all the mobile banking clients examined, 18% lack two-factor authentication for logging in on both platforms (iOS and Android), and 68% of banks allow funds to be withdrawn from client accounts after a SIM card is replaced. Exploiting these and other vulnerabilities, attackers can steal money from client accounts.
Additionally, most apps store and potentially expose users’ private information. More than half of the iOS mobile banking clients studied save critical data in memory, and in 6 out of 16 Android apps, the password remains in memory after the session ends.
Furthermore, some of the reviewed apps can reveal the user’s location (7 out of 16 on iOS; 4 out of 16 on Android), information that could also be useful to an attacker. Interestingly, 3 out of 16 apps for both iOS and Android lack two-factor authentication, even though this security requirement has been standard for banking mobile clients for years.
Based on these findings and other data from the study, it is clear that leading Russian banks still have vulnerabilities in protecting client data. You can read the full research report at: https://dsec.ru/research/analiz-bezopasnosti-mobilnyh-bankovskih-prilozhenij-i-vzaimodejstviya-s-sotovymi-operatorami/