Thought mobe banking apps were safe from nasties? THINK AGAIN

Fake SSL certs let cybercrooks hoover up login creds and redirect transactions

Fake SSL certificates in the wild for Facebook, Google and Apple's iTunes store create a grave risk of fraud for people who bank online using their smartphones.

Analysis outfit Netcraft said it has found "dozens" of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. The counterfeit credentials create a ready means for attackers to run man-in-the-middle attacks against the customers of affected companies.

"Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank," writes Paul Mutton, a security researcher at Netcraft. "This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer."

The certificates are not signed by trusted certificate authorities, so none will be regarded as valid by mainstream web browsers. But that doesn't mean that the phoney credentials can be dismissed as posing no threat, the security testing and web services firm warns.

"An increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates," Mutton adds.

Netcraft's blog post summarised previous research by third-party researchers that highlights the potential for harm from fake certificates, even in cases where they are not signed by a certificate authority.

Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites (research PDF here). A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.

Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IOActive are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server.
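To make the "fails to validate" point above concrete, here is an added Go example (not code from Netcraft or the article): it builds a self-signed certificate that merely claims a bank hostname (the constructed value `bank.example`), serves it on a loopback listener standing in for an attacker's rogue access point, and shows that a client doing ordinary verification rejects it, while a client that disables verification, the pattern behind the broken apps, happily connects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeFakeCert builds a self-signed certificate that only claims the bank's hostname:
// a constructed stand-in for the unsigned counterfeit certificates Netcraft found.
func makeFakeCert(host string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// connectsWith reports whether a client using cfg completes a TLS handshake with a
// loopback server presenting the fake certificate for cfg.ServerName.
func connectsWith(cfg *tls.Config) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{makeFakeCert(cfg.ServerName)}})
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // the "server" side: accept one connection and run the handshake
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// ProperValidation behaves like a browser: the fake cert chains to no trusted CA, so the handshake fails.
func ProperValidation(host string) bool { return connectsWith(&tls.Config{ServerName: host}) }

// SkipValidation is the broken-app pattern: any certificate, signed by anyone, is accepted.
func SkipValidation(host string) bool { return connectsWith(&tls.Config{ServerName: host, InsecureSkipVerify: true}) }
```

Note that the hostname in the fake certificate matches exactly; the rejection comes purely from the missing trusted-CA signature, which is the check the article says non-browser clients often skip.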

41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany (research PDF here). Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.

Examples of fake certificates cited by Netcraft include a dodgy certificate issued in the name of Russia's second largest bank and a certificate that impersonates GoDaddy's POP mail server. Apple's iTunes store, a popular phishing target, is also honoured with a dodgy "doppelgänger" certificate.

Even if armed with fake certificates, a hacker would still need to eavesdrop on network traffic flowing between the victim's mobile device and the servers it communicates with. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks. ®
