Thought mobe banking apps were safe from nasties? THINK AGAIN

Fake SSL certs let cybercrooks hoover up login creds and redirect transactions

Fake SSL certificates in the wild for Facebook, Google and Apple's iTunes store create a grave risk of fraud for people who bank online using their smartphones.

Analysis outfit Netcraft said it has found "dozens" of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. The counterfeit credentials create a ready means for attackers to run man-in-the-middle attacks against the customers of affected companies.

"Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank," writes Paul Mutton, a security researcher at Netcraft. "This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer."

The certificates are not signed by trusted certificate authorities, so none will be regarded as valid by mainstream web browsers. But that doesn't mean that the phoney credentials can be dismissed as posing no threat, the security testing and web services firm warns.

"An increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates," Mutton adds.

Netcraft's blog post summarised previous research by third party researchers that highlights the potential for harm from fake certificates, even in cases where they are unsigned by a certificate authority.

Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites (research PDF here). A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.

Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IOActive are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server.

41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany (research PDF here). Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.
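To make concrete why an unsigned doppelgänger certificate is harmless to a browser but dangerous to an app that skips validation, here is an added example (not code from the article, Netcraft or any of the studies cited) that models both behaviours. The certificate chains, hostnames, dates and the "Constructed Root CA" trust store are all constructed for the example; the signature check is modelled as a flag rather than real cryptography.

```python
import datetime as dt
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str            # subject CN, e.g. "www.bank.test" (constructed)
    issuer: str             # CN of the signer
    sans: tuple             # subjectAltName DNS entries
    not_after: dt.date      # expiry date
    signed_by_issuer: bool  # signature valid under the issuer's key (modelled)


# Constructed trust store: the only root this client trusts.
TRUSTED_CAS = {"Constructed Root CA"}


def match_host(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: exact, or one wildcard in the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False  # "*.test" style wildcards are rejected
    return p[1:] == h[1:] if p[0] == "*" else p == h


def broken_validate(chain, host, today):
    """What a careless app does: accept anything that merely names the host."""
    leaf = chain[0]
    return leaf.subject == host or host in leaf.sans


def proper_validate(chain, host, today):
    """What a browser does: hostname, expiry, and a chain anchored in the store."""
    names = (chain[0].subject,) + tuple(chain[0].sans)
    if not any(match_host(n, host) for n in names):
        return False
    for i, cert in enumerate(chain):
        if cert.not_after < today or not cert.signed_by_issuer:
            return False
        if cert.issuer in TRUSTED_CAS:
            return True  # reached a trusted root
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False  # chain does not lead to a trusted root
    return False


# Constructed sample chains: a genuine one and a self-signed doppelgänger.
TODAY = dt.date(2014, 2, 13)
GENUINE = [Cert("www.bank.test", "Constructed Intermediate", ("bank.test",),
                dt.date(2015, 1, 1), True),
           Cert("Constructed Intermediate", "Constructed Root CA", (),
                dt.date(2020, 1, 1), True)]
FAKE = [Cert("www.bank.test", "www.bank.test", ("bank.test",),
             dt.date(2015, 1, 1), True)]
```

Running both validators over `FAKE` shows the broken check accepting the fake certificate while the proper check rejects it, which is exactly the gap a man-in-the-middle relies on.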

Examples of fake certificates cited by Netcraft include a dodgy certificate issued in the name of Russia's second largest bank and a certificate that impersonates GoDaddy's POP mail server. Apple's iTunes store, a popular phishing target, is also honoured with a dodgy "doppelgänger" certificate.

Even if armed with fake certificates, a hacker would still need to eavesdrop on network traffic flowing between the victim's mobile device and the servers it communicates with. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks. ®
