Feeds

Thought mobe banking apps were safe from nasties? THINK AGAIN

Fake SSL certs let cybercrooks hoover up login creds and redirect transactions

Security for virtualized datacentres

Fake SSL certificates in the wild for Facebook, Google and Apple's iTunes store create a grave risk of fraud for people who bank online using their smartphones.

Analysis outfit Netcraft said it has found "dozens” of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. The counterfeit credentials create a ready means for attackers to run man-in-the-middle attacks against the customers of affected companies.

"Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank," writes Paul Mutton, a security researcher at Netcraft. "This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer."

The certificates are not signed by trusted certificate authorities, so none will be regarded as valid by mainstream web browsers. But that doesn't mean that the phoney credentials can be dismissed as posing no threat, the security testing and web services firm warns.

"An increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates," Mutton adds.

Netcraft's blog post summarised previous research by third party researchers that highlights the potential for harm from fake certificates, even in cases where they are unsigned by a certificate authority.

Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites (research PDF here). A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.

Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IOActive are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server.

41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany (research PDF here). Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.

Examples of fake certificates cited by Netcraft include a dodgy certificate issued in the name of Russia's second largest bank and a certificate that impersonates GoDaddy's POP mail server. Apple iTunes store, a popular phishing target, is also honoured with a dodgy "doppelgänger" certificate.

Even if armed with fake certificates, a hacker would still need to eavesdrop on network traffic flowing between the victim's mobile device and the servers it communicates with. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.