Retail banks could be exposing their customer data to hackers by offering ATM services over downloadable mobile banking applications, warns Ken Munro, managing director of independent security consultancy SecureTest.
Up to 20 high street banks are gearing up to roll out balance requests and mobile phone top-ups using the service, dubbed MobileATM, by the end of the year. The service incorporates several security functions, such as a two-step authentication procedure, developed following security tests on similar mobile phone applications in the online gambling and gaming sector.
But it may be possible for a hacker to sidestep these measures by recovering and modifying the application's source code, then using the altered application to access data held by the bank.
MobileATM is being offered to banks by cash machine operator Link. It was developed by MChex, a subsidiary of Morse, which also developed the service's security software; this requires the user to enter their PIN and a one-time password. According to reports, this two-step authentication has been subjected to a risk assessment and the server-side security of the system seems sound. However, there is no evidence that the application itself would withstand a hack attack.
Many mobile phone applications are written in Java 2 Mobile Edition (J2ME), making it fairly straightforward to port the application between different handset models.
However, this also makes it relatively simple to decompile the application back to its source code. Using freeware tools to access the phone's operating system, the hacker can tap into the root file system and view the information sent to the phone during the install process. Usually a WAP Push message is sent to the phone; the user accepts it, and it then tells the phone where to download the application from. By intercepting this process, the application's Java archive (JAR) file can be obtained: this is essentially a ZIP file and can easily be unpacked and decompiled. The hacker then simply alters the source code to suit their malicious intentions and runs the modified application.
If server-side validation is not perfect, there are opportunities to obtain sensitive data, such as passwords, and view transactions and account balances. This information can then be used to perform identity theft, with the hacker masquerading as another user to obtain goods, services, credit cards or loans.
The MobileATM service will initially be limited to balance checking and mobile top-ups, but both Link and MChex have mooted the possibility of adding transactional services by the end of the year using the triple DES encryption standard. This would enable customers to make cash transfers or extend their overdraft limit. It could also see m-commerce services added, such as person-to-person payments or retail purchases.
SecureTest has tested other mobile Java applications on behalf of several clients and seen some concerning security issues. Freeware decompilers make Java applications easy to exploit by hackers. Unless the bank has strong server-side validation, these mobile applications can and will be used to harvest sensitive information and, once the banks add transactional capabilities, they risk losing customers’ money.
SecureTest makes the following recommendations to retail banks looking to implement Java applications for mobile ATM services:
- Banks should subject any application that has access to their back-end servers to a stringent security test. The application, mobile platform and server should all be tested.
- The application source code should be obfuscated: it should be written in such a way that it is difficult for hackers to interpret. Securely written applications can deter hackers.
- Two-step authentication will only be secure if properly enforced. Passwords need to be changed regularly to lessen the risk of a successful attack.
- Once the mobile client application has been distributed to the market, it isn’t your application any more. Don’t trust any input received from it.
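As an added illustration of the server-side validation point (the warning about imperfect server-side validation and the final recommendation above), not code from the article, Link, MChex or SecureTest: a toy model of a bank's balance-request handler in two versions. The weak version believes fields a tampered handset sends; the hardened version derives identity and authorisation from state the server holds. Sessions, account numbers, balances and the one-time password are constructed test data.

```python
import hmac
from dataclasses import dataclass

# Constructed test data standing in for the bank's session store and ledger.
SESSIONS = {"sess-alice": "alice"}                       # session token -> authenticated user
ACCOUNTS = {"11112222": ("alice", 250.00),               # account number -> (owner, balance)
            "33334444": ("bob", 9800.00)}
OTP_EXPECTED = {"sess-alice": "481205"}                  # one-time password the server expects
USED_OTPS = set()                                        # (session, otp) pairs already spent

@dataclass
class BalanceRequest:
    session: str
    account: str                 # chosen by the client; a modified client can put any number here
    otp: str
    otp_checked_by_client: bool  # a flag a modified client can simply set to True

def weak_balance(req: BalanceRequest):
    """Server that trusts the client: believes the client's own OTP check and
    returns whichever account the client names."""
    if req.session not in SESSIONS or not req.otp_checked_by_client:
        return None
    entry = ACCOUNTS.get(req.account)
    return entry[1] if entry else None

def hardened_balance(req: BalanceRequest):
    """Server that treats every field from the handset as untrusted."""
    user = SESSIONS.get(req.session)
    if user is None:
        return None
    # Verify the one-time password here, in constant time, and refuse replays.
    expected = OTP_EXPECTED.get(req.session)
    if (expected is None or (req.session, req.otp) in USED_OTPS
            or not hmac.compare_digest(req.otp.encode(), expected.encode())):
        return None
    USED_OTPS.add((req.session, req.otp))
    # Ownership comes from the authenticated session, never from the client's account field.
    entry = ACCOUNTS.get(req.account)
    if entry is None or entry[0] != user:
        return None
    return entry[1]

# Constructed requests: one as a tampered client would send it (Alice's session,
# Bob's account, a made-up OTP, "already checked" flag forced on) and one legitimate.
TAMPERED = BalanceRequest("sess-alice", "33334444", "000000", True)
LEGIT = BalanceRequest("sess-alice", "11112222", "481205", True)
```

The weak handler hands Bob's balance to the tampered request; the hardened one refuses it, serves Alice's own balance once, and rejects a replay of the same one-time password.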