
IBM uncovers Android banking vulnerability; consumers turned off by security fears

08 August 2014  |  9805 views  |  1 comment

One in ten mobile banking apps are open to a drive-by attack that can expose user credentials when the phone's owner visits an attacker-controlled website.

The vulnerability - discovered by the IBM Security X-Force Research team - lies in Android applications built on the Apache Cordova (previously PhoneGap) platform. According to AppBrain, 5.8% of all Android apps are built on Cordova; IBM puts the figure for mobile banking apps at roughly one in ten.

The Apache Cordova vulnerabilities enable Cross-Application Scripting (XAS): an attacker's JavaScript is executed inside the vulnerable app's own web view, in the app's context rather than the browser's, and the attack can be triggered when the user unwittingly browses to a malicious website.

Says IBM: "Due to other vulnerabilities that we have detected within Cordova, such code can exfiltrate information back to the attacker, such as their login credentials, allowing attackers to impersonate them, access their accounts and even make purchases on their behalf."

IBM privately reported the vulnerabilities to the Cordova team, which has fixed them in Cordova 3.5.1. Because the framework is compiled into each app, affected apps must be rebuilt against the patched version and re-released before their users are protected.
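The weakness class the article describes, as an illustrative Android example added here (this is neither Cordova's code nor IBM's findings): a hybrid app loads a URL that arrived from outside the app into a WebView that has JavaScript enabled and a native bridge exposed, so whoever controls that URL gets JavaScript running with the app's privileges. The activity, extra and host names are assumptions; the hardened path validates scheme and host against an allowlist and blocks navigation off it.

```java
// Illustrative example added to the article; not Cordova's or IBM's code.
// LoginWebViewActivity, EXTRA_START_URL and the host list are assumed names.
import android.app.Activity;
import android.content.Context;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class LoginWebViewActivity extends Activity {
    public static final String EXTRA_START_URL = "url";                      // assumed
    private static final String DEFAULT_URL = "https://bank.example/login";  // assumed
    // Origins the WebView may load; anything else is refused.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("bank.example", "auth.bank.example"));

    /** Native bridge reachable from page JavaScript as window.Native. In a hybrid
     *  app this is where sensitive capabilities (storage, credentials) live, which
     *  is what makes script injection into the WebView worse than browser XSS. */
    class NativeBridge {
        @JavascriptInterface
        public String getAccountHint() {
            return getSharedPreferences("session", Context.MODE_PRIVATE)
                    .getString("username", "");
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        web.getSettings().setJavaScriptEnabled(true);
        web.addJavascriptInterface(new NativeBridge(), "Native");
        setContentView(web);

        // VULNERABLE pattern: if this activity can be started from outside the app,
        // any other app, or a web page that fires an intent at it, chooses the URL,
        // and the attacker's JavaScript then runs with access to window.Native.
        //   String start = getIntent().getStringExtra(EXTRA_START_URL);
        //   web.loadUrl(start != null ? start : DEFAULT_URL);

        // HARDENED: treat intent-supplied URLs as untrusted input, fall back to the
        // app's own start page, and refuse every navigation off the allowlist.
        String requested = getIntent().getStringExtra(EXTRA_START_URL);
        String start = isAllowed(requested) ? requested : DEFAULT_URL;
        web.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the load; only allowlisted HTTPS origins pass.
                return !isAllowed(url);
            }
        });
        web.loadUrl(start);
    }

    /** Scheme and host must both match. javascript:, file: and data: URLs have no
     *  https scheme, and an attacker host is not in the set, so they fail closed. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme())
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }
}
```

For a login screen the more conservative choice is to ignore externally supplied URLs altogether and keep the activity `android:exported="false"` in the manifest; the allowlist check above is the minimum for any activity that genuinely has to accept a URL from another component.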

News of the exploit comes as new research among 2000 UK adults by Intercede found that 53% of consumers would never use mobile banking services because of security fears. The survey also found that half avoid money transfer apps, and almost a quarter (24%) would not feel safe shopping on their handsets.

When asked why they were so concerned, respondents cited a lack of trust in current mobile login and authentication options, and worries about identity theft. One respondent said, "I must be confident only I will be able to log in and use them [apps] - at this stage, I just don't trust apps, especially financial ones," while others commented, "I don't want anyone to steal my phone and be able to access my money," and "apps are too hackable".

Comments: (1)

Hitesh Thakkar - FIS Payments Software and Services India - India | 08 August, 2014, 16:44

Sample size of survey is very low - 2000 - and vulnerability as per IBM and Apache is taken care of. There is no direct connect, as there is no possibility that all 10 Android applications are developed using PhoneGap or similar cross-platform development tools (e.g. Xamarin).

Considering such disconnect, still survey reflects low confidence due to lack of multi-factor authentication methodology. Players like Jumio also have raised similar vulnerability report for ID theft.
