
    Vulnerabilities found and fixed in banking apps: Cybersecurity researcher

    Synopsis

    According to the researcher, the problems included issues in biometric authentication, incorrect session handling, embedding of authentication credentials, API security and third-party risks like integration with WhatsApp.

    A Mumbai-based cybersecurity researcher, who independently audited the mobile apps of some of India’s biggest banks, claims that several vulnerabilities in these apps were flagged over the last few months.
    According to the researcher, he disclosed these vulnerabilities to the banks directly, and since then they have taken steps to patch them in their latest updates. The researcher did not want to reveal his identity as he works closely with several banks and is not authorised to speak to the media on these matters.

    According to him, the problems ranged from issues in biometric authentication, incorrect session handling, embedded authentication credentials and API security, to third-party risks such as integration with WhatsApp.

    ET could not independently verify these issues, but the CISO of a major bank says his organisation does receive such disclosures from security researchers and tries to issue patches for any verified vulnerability as soon as it can. “Modern banking is a work in progress,” he points out.

    In the case of biometric authentication, the security researcher highlighted problems pertaining to “use of incorrect libraries leading to the authentication itself being bypassed; and OEMs of mobile phones being able to capture data of their end-customers”.

    The last few months have seen a surge in the number of banking apps leveraging the phone’s built-in biometric authentication, which is more convenient for the end-user than typing in passwords. It is seen as an added security layer, provided it is configured correctly.

    Another area where he found issues was incorrect session handling, where “the inability of the mobile application to verify and authenticate the session and the associated user leads to a malicious user being able to perform financial transactions”. There were also issues with embedded authentication credentials, which could easily be discovered by those with malicious intent. Further problems were found in API security, including “inefficient, and at times, non-existent logging and monitoring mechanisms”.

    The researcher says the integration of WhatsApp banking can also lead to private data being accessed by third parties.

    “While the entire information is transacted over the end-to-end encrypted channel of WhatsApp, all data, including the encrypted PDF like statements, etc, are stored on the public cloud of third-party service providers. Typically, data retention is done for 90 days before purging permanently or moving to a separate location. The risks are huge, from improper security configuration on the storage buckets to insider risks of data theft,” he claims.
