(In)Security of Mobile Banking

Presented at Black Hat Asia 2015

Mobile banking is about to become the de facto standard for banking activities. Banking apps on smartphones and tablets are becoming more widespread, and this evolution aims at strongly limiting the classical ways of accessing a bank (in person, through a PC browser, through an ATM). The aim is first to cut costs, but also to make the volume of personal data collected explode. Three critical issues then arise, because we entrust those mobile applications with passwords, private information, and access to one of the most critical parts of our lives (money): do those applications protect our private life, which kind of information is leaking to the bank, and do they contain vulnerabilities that could be exploited by attackers?

In this talk we present a deep analysis of many banking apps collected around the world. We have performed static and dynamic analysis based on both the binaries and the source code. We will show that almost all apps endanger our private data (sometimes severely), and that in a few cases the vulnerabilities present are extremely concerning. We tried to contact all the relevant banks to offer free, detailed technical feedback and to help them fix their apps; we will explain that a few of them did not care about this feedback and therefore did not take any security measure. This talk contains demos and operational results on existing apps, with a particular focus on banks from Asia and Australia (Pacific area).


Presenters:

  • Paul Irolla
    Paul Irolla is an IT engineer working at the ESIEA (C + V)^O Lab.
  • Eric Filiol - ESIEA - (C + V)^O Lab
    Eric Filiol is the head of the Operational Cryptology and Virology Lab at ESIEA, a French engineering school in computer science, electronics and control science. He spent 21 years in the French Army, mainly as an ICT security expert (cryptanalysis, computer virology, cyberwarfare), and is also a senior reserve officer in the French DoD. He holds an engineering diploma in cryptology, a PhD in applied mathematics and computer science, and a Habilitation Thesis in computer science. His main research interests are the analysis of symmetric cryptosystems (especially from a combinatorial point of view), computer virology (theoretical and experimental study of new forms of malware and anti-malware technologies), and computer warfare techniques. He is also the Scientific Director of the European Institute in Computer Antivirus Research (EICAR) in Germany and the Editor-in-chief of the Journal in Computer Virology. He likes playing bass guitar (jazz), running (marathon and half marathon), motorcycling, and good wine and food.
