Hacked banking apps

Researchers reveal vulnerabilities in 31 mobile online banking apps

Online banking on the smartphone: comfortable, but risky. © Andrey Popov / thinkstock

Insecure: 31 online banking apps have serious security holes, including those of the Sparkasse, the Volksbanken and Raiffeisenbanken and Commerzbank. In a proof-of-concept attack, German computer scientists managed to disable the security software built into these apps and manipulate transactions. Updates to the banking apps are expected to close this vulnerability in the next few days.

In the age of smartphones and tablets, more and more people are taking the opportunity to do their banking online while on the move. Most banks now offer dedicated apps intended to make mobile banking simple and secure. Often this app is paired with a second application, the TAN app. It requests the transaction number (TAN) from the bank in encrypted form and then forwards it to the banking app.

Security barriers bypassed

But as Vincent Haupert and Nicolas Schneider of the University of Erlangen-Nürnberg now show, this approach has significant security gaps. They have written a program that completely deactivates the security measures in 31 banking apps worldwide, including those of the Sparkasse, the Volksbanken and Raiffeisenbanken and Commerzbank.

"We can use it to copy apps, change the IBAN and send TANs to any device," says Schneider. This would allow criminal hackers to manipulate transfers so that the money ends up unnoticed in their own accounts. The encryption of sensitive customer data can also be overridden, the researchers said. Although they initially demonstrated the attack only on the Android operating system, it is also possible on iOS devices.

Security software as a point of attack

The point of attack is a piece of security software used by numerous financial service providers worldwide: Promon SHIELD. It is designed to prevent banking on compromised devices and works together with the TAN app. If the TAN app is tampered with, Promon SHIELD blocks all transactions; conversely, the TAN app will not run if the security software is not present.

But after detailed analysis, Haupert and Schneider have now succeeded in switching off Promon SHIELD. Deactivating the security mechanisms is not easy and is tedious, but for skilled attackers it is quite feasible, they report. Among other things, the team managed to send TANs to arbitrary devices and to redirect transfers.

Updates in progress

The banks and Promon have already begun protecting their programs against such an attack. The German banking industry, like the app providers, is in direct dialogue with the University of Erlangen-Nürnberg in order to better assess the weak points and initiate a rapid remedy, according to a statement. A corresponding update for a number of banking apps is due to be released in the next few days.

According to Promon, no criminal hacker has yet exploited these vulnerabilities. The association of the German banking industry likewise reported that no such technical attacks on banking apps, and no resulting cases of damage, are known to it.

Risk through banking and TAN on a device

However, according to the Erlangen-Nürnberg computer scientists, running both the banking app and the TAN app on a single device is fundamentally insecure. In recent years, researchers have repeatedly succeeded in manipulating various PushTAN and PhotoTAN procedures so that transfers with altered amounts were redirected to third-party accounts without the user noticing.

"Most banks have dismissed our attacks as an academic lab experiment," says Vincent Haupert. "But we see the abandonment of so-called two-factor authentication, in which the TAN is generated on a separate device, as a conceptual weakness of mobile banking. Even the most sophisticated security programs will not change that."

Haupert recommends that people who do not want to give up mobile banking use a TAN generator, as in the ChipTAN procedure.
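To make the conceptual point concrete, the following is an added example, not code from the original report or from the Erlangen researchers. It models two flows in simplified form: a TAN app running on the same phone as the (compromised) banking app, and a ChipTAN-style generator with its own display and a secret the phone never holds. The TAN derivation (HMAC-SHA256 truncated to six digits), the per-card key, the sample IBANs and the message flow are all constructed assumptions standing in for the real card cryptogram and bank protocol, which this page does not describe.

```python
"""Toy model: why a transaction-bound TAN from a separate device survives a
compromised phone while an on-device TAN app does not.

Constructed illustration only. The TAN derivation (HMAC-SHA256 truncated to
six digits), the per-card key and the message flow are simplifying
assumptions, not the ChipTAN specification or any bank's real protocol.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data, not real accounts.
USER_IBAN_DEST = "DE02120300000000202051"
ATTACKER_IBAN = "DE89370400440532013000"
# Assumption: a secret shared only between the card chip and the bank.
CARD_KEY = b"per-card secret held only by the chip and the bank"


@dataclass(frozen=True)
class Transfer:
    dest_iban: str
    amount_cents: int


def transaction_bound_tan(key: bytes, t: Transfer) -> str:
    """Derive a 6-digit TAN over the destination IBAN and amount.

    Assumption: stands in for the card chip's cryptogram in the ChipTAN flow.
    """
    msg = f"{t.dest_iban}|{t.amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_accepts(key: bytes, received: Transfer, tan: str) -> bool:
    """The bank recomputes the TAN over the transfer it actually received."""
    return hmac.compare_digest(transaction_bound_tan(key, received), tan)


def malware_rewrite(t: Transfer) -> Transfer:
    """Compromised banking app swaps the destination IBAN, keeps the amount."""
    return Transfer(ATTACKER_IBAN, t.amount_cents)


def same_device_flow(intended: Transfer) -> tuple[bool, str]:
    """Banking app and TAN app on one compromised phone.

    The malware controls both displays: the user is shown `intended`, but the
    transfer is rewritten before the TAN is generated, so the TAN covers the
    attacker's IBAN and the bank sees a consistent request.
    Returns (accepted, iban_credited).
    """
    sent = malware_rewrite(intended)
    tan = transaction_bound_tan(CARD_KEY, sent)  # TAN app only ever sees `sent`
    return bank_accepts(CARD_KEY, sent, tan), sent.dest_iban


def separate_device_flow(intended: Transfer) -> tuple[bool, str]:
    """ChipTAN-style: the generator shows IBAN and amount on its own display.

    The user confirms the data they see there, so the TAN binds the intended
    transfer. The phone malware can still rewrite what it submits, but the bank
    recomputes the TAN over the rewritten data and the values no longer match.
    Returns (accepted, iban_credited).
    """
    tan = transaction_bound_tan(CARD_KEY, intended)  # computed off the phone
    sent = malware_rewrite(intended)
    return bank_accepts(CARD_KEY, sent, tan), sent.dest_iban


def honest_flow(intended: Transfer) -> bool:
    """No malware: the TAN and the submitted transfer agree."""
    return bank_accepts(CARD_KEY, intended, transaction_bound_tan(CARD_KEY, intended))


if __name__ == "__main__":
    t = Transfer(USER_IBAN_DEST, 50_000)
    print("honest:          ", honest_flow(t))
    print("same device:     ", same_device_flow(t))
    print("separate device: ", separate_device_flow(t))
```

The point the model makes is about independence, not about cryptographic strength: the same MAC is used in both flows, and in the same-device case it verifies correctly because the attacker chooses its input. Any second factor that is generated, displayed or forwarded by the compromised device inherits that device's compromise, which is why the researchers' objection survives improvements to app-hardening software.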

(Friedrich-Alexander-University Erlangen-Nürnberg, 27.11.2017 - NPO)