Today we’re looking at issues of information security, including a bombshell report describing serious flaws in banking and financial services apps, the kind of apps that need security the most. We’re also diving into a plague of Facebook groups openly hawking credit card information and other sensitive or fraudulent materials in plain sight.
A new report from payment consulting firm Aite Group for the cybersecurity company Arxan has compiled a long list of security weak spots in several major financial mobile apps. With financial information being some of the most sensitive of all personal information, the report shows an industry-level problem: financial services firms and institutions are not adopting security technology quickly enough. Among the problems described in the report are lack of binary protections, unintended data leakage, insecure data storage, weak encryption, and insecure random-number generation.
The report, called “In Plain Sight: the Vulnerability Epidemic in Financial Mobile Apps”, is making waves in financial and information security circles. The report examines the protective capabilities of thirty financial services apps found on the Google Play store. Using widely available software tools, the researchers were able to reverse engineer almost all of the apps, showing a serious lack of protection.
Arxan listed the key findings. 97 percent of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps, exposing source code to analysis and tampering. 90 percent shared services with other applications on the device, leaving data from the financial institution’s app accessible to any other app on the device. 83 percent insecurely stored data outside the app’s control, such as in the local file system, on external storage, or in the clipboard, allowing shared access with other apps and exposing a new attack surface through APIs. 80 percent implemented weak encryption algorithms or incorrect implementations of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed. 70 percent used an insecure random-number generator for security measures that rely on random values to restrict access to a sensitive resource, making those values easy to guess and exploit.
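The last finding is the easiest to see in code. The block below is an added example and is not code from the report or from any of the apps it examined: Python’s seeded random module stands in for a general-purpose platform PRNG that an app might misuse, and the secrets module stands in for the OS-backed secure generator (SecureRandom on Android). The seed value, the code length and the helper names are assumptions chosen for the demonstration.

```python
"""Added example (not from the Aite/Arxan report): a one-time code drawn from a
seeded general-purpose PRNG is reproducible by anyone who can guess the seed,
while a code drawn from the OS CSPRNG has no seed to recover."""
import random
import secrets
from typing import Iterable, Optional

DIGITS = 8  # assumed length of a one-time code (device enrolment, password reset)


def weak_otp(seed: int, digits: int = DIGITS) -> str:
    """Deterministic: the same low-entropy seed (a timestamp, a device id)
    always yields the same code, so the code is only as secret as the seed."""
    rng = random.Random(seed)
    return "".join(str(rng.randrange(10)) for _ in range(digits))


def strong_otp(digits: int = DIGITS) -> str:
    """Unpredictable: secrets.randbelow reads the OS CSPRNG, which cannot be
    re-seeded by the caller and cannot be reproduced from an app's data."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def seed_recoverable(code: str, seed_candidates: Iterable[int]) -> Optional[int]:
    """Audit helper for a developer's own generator: returns the seed that
    reproduces `code` if it lies inside the candidate window, else None.
    A timestamp-seeded code is found within a few hundred guesses around its
    issue time; a CSPRNG code is not."""
    for s in seed_candidates:
        if weak_otp(s, len(code)) == code:
            return s
    return None


if __name__ == "__main__":
    issued_at = 1555000123  # constructed: the second at which the code was issued
    window = range(issued_at - 120, issued_at + 120)
    code = weak_otp(issued_at)
    print("weak code:", code, "seed recovered:", seed_recoverable(code, window))
    good = strong_otp()
    print("strong code:", good, "seed recovered:", seed_recoverable(good, window))
```

The audit helper is the check a reviewer can run against an app’s own token or code generator: if a plausible window of seeds reproduces the output, the generator is not fit for any value that gates access to a resource.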
Alissa Knight, the cybersecurity analyst and researcher behind the study, told ZDNet:
“There’s clearly a systemic issue here – it’s not just one company, it’s 30 companies and it’s across multiple financial services verticals. It’s almost as if the developers who wrote the code didn’t realize that it’s possible to actually browse the directory structure of this mobile app and pull these files out, pull the keys out of subdirectories.”
According to the report, several mobile banking apps hard-coded private certificates and API keys into their apps. Hackers could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them. Should the hackers successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things. The API keys allow an adversary to then begin targeting the financial institution’s API servers, giving them access to data in the back-end databases.
What this basically means is that banks have made it hilariously easy to access their servers. One directory the researchers found was actually labeled “API keys.” An API key is like a private password used to track and control how an API is being used. The key is a unique identifier and authentication token, defining the authorizations specific to the identity associated with it. In the hands of the wrong person, it can be used to authenticate a device with the back-end servers of the app. With the exposed source code of the app, hackers could modify URLs and change how the app behaves and where it sends data.
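The hard-coded keys and certificates were sitting in ordinary files inside the app packages, which is exactly what a pre-release check can catch. The block below is an added example and is not code from the report, from Arxan, or from any of the apps studied: it walks an unpacked app build (a decompiled APK or the source tree) and flags PEM private keys, credential-style assignments and suspiciously named Android string resources, using a Shannon-entropy filter so that obvious placeholders are not reported. Every file path and file content in it is constructed for the demonstration; the directory layout, rule names and threshold are assumptions.

```python
"""Added example (not from the Aite/Arxan report): a pre-release scan of an
unpacked app build for hard-coded credentials. All sample files are constructed."""
import math
import os
import re
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (relative path, line number, rule, matched value)

# Rule 1: PEM-encoded private keys bundled as app assets.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Rule 2: credential-like identifiers assigned a long literal (Java/Kotlin, .properties, JSON).
ASSIGN_RE = re.compile(
    r"(?i)\b(api[_-]?key|api[_-]?secret|secret|token|password)\w*\s*[:=]\s*[\"']?([A-Za-z0-9_\-./+=]{16,})"
)
# Rule 3: Android string resources whose name suggests a credential.
XML_RE = re.compile(r'(?i)<string\s+name="[^"]*(?:key|secret|token)[^"]*">([^<]{16,})</string>')

# Constructed sample tree standing in for a decompiled APK (assumed layout).
SAMPLE_FILES: Dict[str, str] = {
    "assets/keys/backend.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedNotARealKey==\n-----END RSA PRIVATE KEY-----\n"
    ),
    "assets/config.properties": (
        "base.url=https://api.example.invalid\npayments.api_secret=CONSTRUCTED_9f8e7d6c5b4a3210abcd\n"
    ),
    "res/values/strings.xml": (
        '<resources>\n  <string name="app_name">Demo Bank</string>\n'
        '  <string name="maps_api_key">mapsCONSTRUCTEDkey0123456789abcdefXYZ</string>\n</resources>\n'
    ),
    "src/com/example/Net.java": (
        'class Net {\n  static final String BASE_URL = "https://api.example.invalid";\n'
        '  static final String apiKey = "your_api_key_here"; // placeholder, low entropy\n}\n'
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above placeholder text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, rel_path: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Apply the three rules line by line; low-entropy matches (placeholders) are dropped."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_RE.search(line):
            findings.append((rel_path, lineno, "pem-private-key", line.strip()))
            continue
        for rule, regex in (("credential-assignment", ASSIGN_RE), ("xml-string-resource", XML_RE)):
            m = regex.search(line)
            if m:
                value = m.group(m.lastindex)  # the captured literal is always the last group
                if shannon_entropy(value) >= entropy_threshold:
                    findings.append((rel_path, lineno, rule, value))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk every file under root (decompiled APK or source tree) and collect findings."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), rel))
    return sorted(findings)


def build_sample_tree() -> str:
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="unpacked_app_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, lineno, rule, value in scan_tree(build_sample_tree()):
        print(f"{path}:{lineno}: {rule}: {value[:16]}...")
```

Run against the constructed tree, the scan reports the bundled PEM key, the properties secret and the string-resource key, and stays silent on the base URL and the low-entropy placeholder in the Java source. Wiring a check like this into the build pipeline, so that a non-empty result fails the release, is the cheapest mitigation for the “API keys” directory the report describes.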
Knight didn’t name the companies or the apps to avoid people taking advantage of the vulnerabilities but did go into which categories had more problems. The report also shows the total number of vulnerabilities discovered across all app categories was 180. The financial institutions tested in the US represented 85 percent of the vulnerabilities while the ones in Europe represented 15 percent.
The three app categories with the highest number of critical vulnerabilities that can compromise the confidentiality, integrity, or availability of the user or financial institution were retail banking, retail brokerages, and auto insurance companies. The three app categories with the fewest critical vulnerabilities were Health Savings Account banks, health insurers tied with mobile payment apps, and credit card issuers. The app category with the most severe findings was auto insurance, as these apps contained the largest number of hard-coded private keys, API keys, and API secrets in their code. Interestingly, the report found that the apps with the most security controls were in the cryptocurrency category, and that smaller companies had the most secure development hygiene while larger companies had the most vulnerable gaps.
According to Computerworld, Arxan’s research vice president, Aaron Lint said: “It’s no secret that the finance industry is a hot target because the payload is cold, hard cash. Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering.”
The report recommended that financial institutions adopt a comprehensive approach to application security, including app shielding, encryption, and threat analytics. They suggested their developers receive adequate secure programming training to develop apps that protect against and detect reverse engineering, malware, device cloning, code injection, keylogging, screen sharing, and many, many more threats.
In addition to minimizing risk by not naming any of the companies in the study, the Aite Group also decided not to tell any of the companies about the security holes in their apps. That’s because people who act on their own to find these security flaws are examining sites or apps without the company’s permission. This can lead to debilitating lawsuits or blacklisting within the cybersecurity industry.
The sloppy security behind many of the apps is a gift to cybercriminals, who have been thriving in online groups on Facebook. In our next story, researchers at Cisco’s Talos security division uncovered 74 Facebook groups devoted to selling stolen credit card information, identities, spam lists, hacking tools, and more. The weirdest part is how they’re operating in plain sight. Facebook groups with names like “Legends of Hack,” “Spam professional,” “Facebook hack phishing,” and “spammers family” have allowed people from all over the world to congregate and share sensitive information.
In a blog post last Friday, Talos researchers posted photos and other information about the operations of these groups, which they had been tracking over several months. They found the activities of these accounts ranged from shady to downright illegal. Despite the names being a dead giveaway, some of these groups have remained on Facebook for up to eight years.
According to the post, “In all, Talos has compiled a list of 74 groups on Facebook whose members promised to carry out an array of questionable cyber dirty deeds, including the selling and trading of stolen bank/credit card information, the theft, and sale of account credentials from a variety of sites, and email spamming tools and services. In total, these groups had approximately 385 members.”
Talos tried to get some of the groups removed by reporting them through Facebook’s abuse reporting function. Some groups were removed immediately, while other groups only had individual posts removed. After contacting Facebook’s security team, many of the malicious groups were taken down, but new groups started appearing. The Talos team discovered several posts of people selling credit card numbers and their CVVs, sometimes with the photos of the victims or their identification documents.
Group members offered access to massive email lists, forged documents, and assistance moving large amounts of cash, among other illegal activities. Many of the sellers asked for payment in cryptocurrencies; others used middlemen as go-betweens who would take a cut. The success rate and legitimacy of the users are hard to measure, but there are often complaints posted by members who have been scammed by other members.
One of the examples Talos used was an offer of spamming services, using an Apple-themed phish that could avoid the spam folders of Hotmail and Yahoo. The email included a PDF invoice with links to view or cancel the order, but the links direct to a phishing site that looks like an Apple website. The IP address used to host the site is also used to host many other suspicious domain names likely used for similar scams.
In a statement to Wired, a Facebook spokesperson wrote:
“These Groups violated our policies against spam and financial fraud and we removed them. We know we need to be more vigilant and we’re investing heavily to fight this type of activity.”
They noted that most of the groups were created last year and that some of the users associated with the groups have been banned, with measures taken to prevent them from creating new groups.
Cisco Talos researcher Craig Williams told Wired that the fix is tightening moderation and for users and auditors to hold Facebook accountable. “This requires a collective effort—from Facebook, from users, and potentially from security companies like us—to keep these actors off social media sites,” he says. “It’s going to require constant vigilance.”
The researchers concluded that social media’s flaws include underlying algorithms that can’t distinguish benign activities from unethical and illegal ones. Many scammers operating within these groups largely do so with impunity. To work against these individuals and groups, Talos suggests social media platforms ought to continue manual and automated efforts at identifying and removing malicious groups. They believe security teams and vendors should work together to share information among themselves and with customers. They also think consumers should be as skeptical and informed as possible, as spam attacks prey on individuals as entry points.