With the evolution of technology, users have a great deal of computing power at their fingertips in the form of a smartphone. As a result, people's lives have shifted digitally in every way possible: shopping, entertainment, and banking have all gone digital.
The growing number of users going digital for their banking needs has opened the door to new cyber threats, including data theft. Many of these modern-day applications are either riddled with flaws or imitated by fake apps.
In a recent study, researchers found that 14 banking applications available on both iOS and Android, each with more than 500,000 downloads, are affected by at least one vulnerability. Three categories of vulnerability are common in these apps: faults in the client-server interaction, flawed implementation of security mechanisms, and defects in the application code.
Failing to manage security updates is another common security weakness.
Eleven of the applications allow unauthorized access to the source code, while 13 of the 14 could be exploited to gain access to user data and to launch Man-in-the-Middle attacks. The researchers highlighted that by tricking unsuspecting users into clicking on specially constructed messages or links, threat actors can exploit 76% of these vulnerabilities without ever getting physical access to the device.
The vulnerabilities the researchers uncovered could enable fraud and the theft of funds and other sensitive information.
The COVID-19 scenario
The use of mobile banking has surged during the COVID-19 pandemic, since physical access to bank branches is limited. This has given threat actors more opportunities to exploit smartphones and their users for financial gain. These attacks have been carried out through fake banking applications and Trojans that lie dormant on a user's device until a legitimate banking application is installed. The threat actors' goal is to steal the login credentials for the user's banking applications.
Attackers do not rely only on errors in the code; they can also launch an attack after gaining physical access to the phone. To carry out malicious actions, threat actors may root or jailbreak the device, and a device without a passcode or PIN gives them an easy way in.
Security tips
- Do not jailbreak or root your device: doing so opens up access to the file system and disables the data protection mechanisms that guard against malicious app activity.
- To limit access to your smartphone, set a PIN code that must be entered to unlock the device.
- Always download banking applications from verified bank websites or official app stores.
- Use an alphanumeric password as an additional layer of security, and enable two-factor authentication on all important accounts.
To read more, please check eScan Blog