Mobile banking is currently gaining enormous popularity. Almost everyone now has an application that lets them carry out a wide range of bank transactions. As the popularity of this service grows, so does the number of crimes in the field of mobile banking.
The company Digital Security, headed by Dmitry Evdokimov, presented the results of a new study, "Mobile banking security: the possibility of implementing a MiTM attack (Man in the Middle)". It found that a user can pick up malicious code from the Internet which then gets into the internal network and changes the DNS settings on the router. After that, when the device tries to connect to the bank, DNS resolution redirects it to the attacker's site.
Previously, Digital Security tried to conduct statistical analysis of the sphere of mobile banking, and also systematized the security of about 40 applications running on various OSes, such as Android and iOS. In the new study, about 60 applications have already been considered, including bank clients of Alfa-Bank, Avangard Bank, Baltika Bank, VTB, Gazprombank, Promsvyazbank, Raiffeisenbank, SIAB, Citibank, Uralsib, Khanty-Mansi Bank and others.
"This time we decided to focus on finding one of the most dangerous vulnerabilities in the field of mobile banking, connected with insufficient protection of the transport level or its absence. This problem can lead to the implementation of the MiTM attack and the theft of money from customers' accounts," commented Dmitry Evdokimov.
Android and iOS were selected for the study because they are the most popular systems and have the largest number of mobile banking applications. Digital Security's experts found that, of all the mobile bank clients considered, 14% of the iOS clients and 23% of the Android clients allow money to be stolen with a MitM attack alone (Picture 1). Combinations of other vulnerabilities can also lead to the theft of money from customers' accounts.
Picture 1 Statistics of applications in which you can commit money theft only with the help of MitM-attack.
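The weakness the study describes is a client that accepts whatever certificate the resolved host presents, so a DNS change on the router is enough to put an attacker in the middle. The following is an added example, not code from the study or from any of the banks named, contrasting that weak TLS configuration with a hardened one that validates the chain, checks the hostname and pins the server certificate's SHA-256 fingerprint; the pin value is a constructed placeholder.

```python
import hashlib
import socket
import ssl

# Constructed placeholder: in practice this is the SHA-256 of the bank server's
# DER-encoded certificate, shipped inside the app and rotated with the cert.
PINNED_SHA256 = {"0" * 64}


def insecure_context() -> ssl.SSLContext:
    """The weak setting: no hostname check and no chain validation.
    A client built this way trusts whichever host DNS resolves to, which is
    exactly what a router-level DNS change exploits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus hostname check."""
    return ssl.create_default_context()


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def check_pin(der: bytes, pins: set) -> bool:
    """True only if the presented leaf certificate matches a pinned fingerprint."""
    return cert_fingerprint(der) in pins


def connect_pinned(host: str, port: int = 443, pins: set = PINNED_SHA256) -> str:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.
    Returns the fingerprint of the accepted certificate. Even if DNS has been
    redirected, an attacker's certificate fails either chain validation or the
    pin check, so the session is never established."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pin(der, pins):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return cert_fingerprint(der)
```

`connect_pinned` performs a real network connection and is only meaningful against a server whose fingerprint has been added to `PINNED_SHA256`; the pin logic itself can be exercised offline with `check_pin`.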
In the course of the research, Digital Security's expert also made a number of interesting findings not directly related to the main topic. For example, server responses sometimes contain debugging traces and disclose internal banking information (even information about the ABS, the automated banking system).
In addition to the MitM-attack, there are other ways of stealing money from the user's mobile bank:
1. Social engineering.
This is an attack not on the application but on the user. It is enough to know some information about the client.
2. Installation of malware.
Usually, social engineering is used to deceive the user and persuade him to install a malicious program that will intercept SMS messages and passwords.
3. Theft or loss of the device.
Since the device is mobile, the client can lose it, and an attacker who finds it can perform unauthorized transactions using the previously installed and authorized application. Such attacks are also carried out by thieves who operate in crowded places.
4. NFC technology.
If the phone is equipped with NFC and the mobile bank application allows NFC payments to be made with the phone, this may be an additional attack vector. In this case the mobile bank application itself is not compromised; the attacker simply uses the card interface (if the card is stored in the phone).
5. Data capture.
It should also be noted that with a properly designed application, the probability of stealing the necessary data and passing the application's verification as an unauthorized user is low enough. The attacker usually needs to clone the SIM card to which the bank account is attached, or install a Trojan that intercepts SMS messages on the client device in real time.
Based on the findings of the study, it can be stated that the overwhelming majority of Russian banks still do not pay due attention to the security of mobile banking. As mobile banking technology develops, more and more transactions will take place online. If the vulnerabilities persist and multiply, their exploitation will lead to massive theft of financial assets from customers' accounts.