Testing finds ‘100 percent’ of mobile banking apps hackable
Mobile banking applications produced by 50 of the world’s largest 100 banks were all vulnerable to hacking attacks which could allow password capture or surveillance of users, according to new research from a European mobile security outfit.
“We didn’t initially plan to publish the results of our tests,” Caroline Borriello, chief operating officer of Paris-based Pradeo Security Systems told CyberScoop in an interview. “We chose to make this disclosure because we believe it’s important for people to know” how insecure mobile banking apps actually are.
Despite that, the company is not disclosing the names of the vulnerable apps or the banks whose products they tested.
“We don’t want to finger-point,” she said, especially given the 100 percent failure rate. “They are all vulnerable,” she said.
Nor is the company discussing the exact nature of the penetration testing it conducted at its laboratory between Nov. 15 last year and Jan. 31, Borriello said.
“We have to be very cautious about revealing the ‘how,'” she said. “We don’t want to make it easier for malicious people to do malicious things.”
“The vulnerabilities we found on these apps could be used to steal passwords or spy on users, so we must be careful.”
Borriello said the company’s red team of penetration testers used 22 techniques “sometimes combining more than one,” of varying degrees of sophistication. “It’s not automated,” she said, “It’s done by people.”
Some apps were vulnerable to relatively simple exploits, others required more sophisticated techniques, but whatever the case, “with every single app, we succeeded” in finding exploitable vulnerabilities, the company said. The techniques were generally “common mobile threats,” she said, “easily accessible for someone who knows where to look.”
“Importantly,” she added, “We did not break in” to the apps. Researchers merely ascertained that they were vulnerable.
Subsequently, the company reached out to CyberScoop again to underline that point and stress that their work “in no way consisted of unauthorized access to, or obstruction or falsification of computer systems or automated data processing” and “produced absolutely no introduction, possession, extraction, reproduction, deletion or transmission” of data.
Pradeo began by testing the mobile app of a single bank — a sales prospect for the company which sells application security technology and services, Borriello said. “That was how we started.”
After quickly finding it vulnerable, they decided to try out some others, as well. When the company realized that “every app we found was failing,” she said, they decided to expand the testing to half of the top 100 banks globally and to publicize the results.
“Even as security specialists [who deal with this all the time] we were quite surprised” by the 100 percent failure rate, she said. It’s the first time the company — which was founded in 2010 by Clément Saad, an information security specialist from the French Ministry of Defense — has published any results of its vulnerability testing, she added.
The banks were chosen “to be a meaningfully representative sample in terms of geographic location” and other factors like size, she said.
“We are in process of contacting the banks whose products we tested. We are already in touch with some,” she said, adding they shouldn’t be seen as culpable.
“The mobile revolution was so disruptive, and moved so fast, you cannot blame the banks” for the porous character of the security on their apps.
She said users, who had what she called a “security reflex,” when it came to computers, lacked that same instinct with smartphones.
Even a relatively non-technical user “wouldn’t buy a computer and connect it to the Internet without some kind of security software installed,” she said. “That’s the security reflex … But people do that with smartphones all the time. We don’t yet have that reflex in the mobile environment.”
This story has been updated with additional comment from Pradeo, and the date of the firm’s foundation has been corrected.