Beware of online banking: Security expert reveals that ANYONE can hack a bank's app using free internet tools
Mobile security experts set up a dummy banking app, pictured, to demonstrate how the technology can be hacked using reverse engineering
More than two thirds of us now use smartphones to make payments and check bank balances online.
Many banking apps have a number of security measures in place - from two-step authentication to passwords and PINs - but they may not be as secure as first thought.
A mobile security expert has revealed to MailOnline how these apps can be hijacked using free tools available online - and the hackers don't need any of the user's login details.
Winston Bond is technical manager at mobile security firm Arxan Technologies.
To highlight the risks, he developed a dummy banking app and then modified it so that it connected to an external server of the kind a hacker could run.
During a demonstration, as he signed into the app, the password was automatically revealed on the hacker's server.
During another demo, he sent money via the app.
The server was able to piggyback onto the payment and even transfer money to the hacker's account at the same time.
Although this was a dummy demonstration, Bond explained it is the same process hackers are using to access official banking apps on mobile devices.
The technique he used is called reverse engineering.
The process involves taking an object apart to see how it works, whether to replicate it, improve it or, as in this case, tamper with it.
As part of the engineering, expert Winston Bond connected the app to an external server that could be run by a hacker, pictured. During one demonstration, as he signed into the app on his iPad, the password was automatically revealed on this pretend hacker's server on a laptop, pictured
During another demonstration, Bond sent money to a person called Mark, via the app. The server was able to piggyback onto the payment and send money to the hacker's account, pictured here as A.Crook. Although this was a dummy demonstration, Bond said it is the same process hackers use to access official banking apps
WHAT IS REVERSE ENGINEERING?
Reverse engineering is the process of taking an object apart to see how it works, either to replicate or improve the object.
It is not just used for hacking purposes, and is often used by programmers to find mistakes or errors in code in order to fix them.
In the case of apps, software reverse engineering involves translating the program's compiled binary code back into a form a person can read: either the machine instructions themselves or an approximate reconstruction of the source code. The original source is not recovered, but the logic is.
This reveals to the hackers how the app works, the steps it takes to complete certain tasks and details about the app's structure.
A reverse engineer can use various tools to take a program apart.
One example is a hexadecimal dumper, which prints the raw bytes of a program as hexadecimal numbers alongside their printable characters. This is far easier to read than binary and quickly exposes embedded text such as server addresses.
Another tool is a disassembler, which reads the binary code and displays each machine instruction in text form.
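As an added illustration of the hexadecimal dumper and of what a reverse engineer reads out of one before any disassembly, the Python below is example code written for this page, not a tool from Arxan or from the demonstration. It dumps a constructed byte blob, identifies the file type from its leading bytes and pulls out the printable strings, which is how a hardcoded server address is spotted. The sample blob, the file-format table and the host api.example-bank.test are assumptions made up for the example.

```python
import string

# Leading bytes of the formats met when pulling apart a mobile app. The
# values are the standard magic numbers; the selection is this example's.
MAGICS = [
    (b"PK\x03\x04", "ZIP/APK archive"),
    (b"dex\n", "Dalvik DEX bytecode"),
    (b"\x7fELF", "ELF (native Android library)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (iOS executable)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (iOS executable)"),
    (b"\xca\xfe\xba\xbe", "Mach-O fat binary"),
]


def identify_format(data: bytes) -> str:
    """Label the file from its magic bytes, or 'unknown'."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Classic hex dump: offset, bytes in hex, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{asc}|")
    return lines


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed sample (not a real app): a DEX-style header followed by a
# hardcoded API endpoint and a suspicious debug flag, built inline so the
# example runs offline.
SAMPLE = (
    b"dex\n035\x00" + b"\x00" * 8
    + b"https://api.example-bank.test/v1/login\x00"
    + b"\x01\x02\x03"
    + b"DEBUG_LOG_PASSWORD\x00"
)


def recon(data: bytes) -> dict:
    """First look at a binary: format, size, embedded strings and URLs."""
    strings_found = extract_strings(data)
    urls = [s for s in strings_found if s.startswith(("http://", "https://"))]
    return {
        "format": identify_format(data),
        "size": len(data),
        "strings": strings_found,
        "urls": urls,
    }


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print(recon(SAMPLE))
```

The URL that recon() returns is exactly the value an attacker would overwrite to point the app at a server of their own, and a debug string like DEBUG_LOG_PASSWORD is the sort of leftover that tells them where to look next.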
Hackers can then alter the program, for example by adding code that connects the app to an external server, or code that sends the password to that server each time it is entered.
More complicated changes create a rule, for example, so that every time a payment is sent, the same amount is also sent to the hacker's account.
Accomplished hackers can also edit the app's own integrity checks to hide these changes, so the software assumes everything is working as it should.
Once the changes are made, the edited app is repackaged and distributed to victims, who have to install it in place of, or alongside, the genuine app; nothing is uploaded to the bank's own servers.
And, as Winston Bond explained, all of these steps can be carried out using tools freely available online.
There are even online video tutorials that show programmers, as well as hackers, how to recover and read the code of compiled software.
He did point out that iOS apps and software are more secure and more closely monitored than Android's, for example - except on jailbroken devices.
'Jailbreaking' is the process of removing restrictions Apple places on the device, in particular the requirement that apps be signed and approved by Apple. It makes it easier for developers to adjust settings and install their own software, but it equally allows a modified app to run.
HOW TO PROTECT YOURSELF?
Many apps now use additional protection software, including products developed by Arxan Technologies, that makes it harder for hackers to reverse engineer and tamper with them.
However, firms do not reveal if they are protected by such services so users are advised to only download apps from official app stores.
People should keep an eye on bank statements and report any irregularities.
They should also check the phone's settings for any unfamiliar apps or processes running in the background.
If any look suspicious, users can search online for the names of processes to see what they do.
Experts also suggest installing antivirus apps on mobile devices.
Bond continued that in many of the cases where banking apps are hacked, the attack only works when a user has downloaded a separate, malicious app.
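The tampering described earlier (pointing the app at the hacker's server, then hiding the change from the app's own checks) and the protection question raised in this section can be shown side by side. The Python below is an added example written for this page, not code from Arxan or from the demonstration. The 'app' is a constructed byte layout with a fixed-width host field, some placeholder code bytes and an embedded SHA-256 self-check; the hosts api.example-bank.test and api.a-crook.test are made up for the example.

```python
import hashlib

# Layout of the constructed stand-in binary (an assumption for this example):
#   header (4) | server host, NUL-padded (32) | code bytes (16) | SHA-256 of everything before it (32)
HEADER = b"APP1"
HOST_LEN = 32
CODE = b"\x90" * 16          # stands in for the app's real instructions
DIGEST_LEN = 32


def build_app(host: bytes) -> bytes:
    """Assemble the fake binary with a naive self-integrity hash appended."""
    if len(host) > HOST_LEN:
        raise ValueError("host does not fit the fixed-width field")
    body = HEADER + host.ljust(HOST_LEN, b"\x00") + CODE
    return body + hashlib.sha256(body).digest()


def read_host(blob: bytes) -> str:
    """The host the app would connect to: the NUL-terminated field after the header."""
    field = blob[len(HEADER):len(HEADER) + HOST_LEN]
    return field.split(b"\x00", 1)[0].decode("ascii")


def embedded_digest(blob: bytes) -> bytes:
    return blob[-DIGEST_LEN:]


def self_check(blob: bytes) -> bool:
    """The in-app check: hash the code and compare with the value stored in the binary itself."""
    return hashlib.sha256(blob[:-DIGEST_LEN]).digest() == embedded_digest(blob)


def patch_host(blob: bytes, new_host: bytes) -> bytes:
    """Attacker step one, as in the demo: point the app at a server the attacker runs.
    The field is overwritten in place so every other offset in the binary stays valid."""
    if len(new_host) > HOST_LEN:
        raise ValueError("replacement host does not fit the fixed-width field")
    start = len(HEADER)
    patched = bytearray(blob)
    patched[start:start + HOST_LEN] = new_host.ljust(HOST_LEN, b"\x00")
    return bytes(patched)


def rehash_and_hide(blob: bytes) -> bytes:
    """Attacker step two: recompute the embedded hash so the app's own check passes again."""
    body = blob[:-DIGEST_LEN]
    return body + hashlib.sha256(body).digest()


def server_accepts(blob: bytes, known_good: bytes) -> bool:
    """A check whose reference value lives outside the binary (held by the bank's
    server, or enforced by the platform's code signing), so it cannot be patched."""
    return hashlib.sha256(blob[:-DIGEST_LEN]).digest() == known_good


# Constructed original app, and the reference digest the bank keeps server-side.
ORIGINAL = build_app(b"api.example-bank.test")
KNOWN_GOOD_DIGEST = embedded_digest(ORIGINAL)


if __name__ == "__main__":
    tampered = patch_host(ORIGINAL, b"api.a-crook.test")
    hidden = rehash_and_hide(tampered)
    for name, blob in [("original", ORIGINAL), ("patched", tampered), ("patched+rehashed", hidden)]:
        print(f"{name:18} host={read_host(blob):24} self_check={self_check(blob)!s:5} "
              f"server_accepts={server_accepts(blob, KNOWN_GOOD_DIGEST)}")
```

Run stand-alone it prints three rows: after patch_host the app's own check fails, and after rehash_and_hide it passes again, because the expected value lived inside the very file the attacker was already editing. Only the check whose reference value sits outside the binary still fails. In a real deployment even that can be spoofed by a patched client that reports whatever the server wants to hear, which is why enforcement the attacker cannot edit, such as the operating system's code signing, matters, and why a jailbroken device loses that protection.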
The demonstration was created after an Arxan study found hackers attacked 78 per cent of the top 100 paid Android and iOS apps last year.
It revealed there were hacked versions of 100 per cent of the top 100 paid apps for Android, and 56 per cent of the top 100 paid apps for iOS.
Last year, Arxan found attackers modified 80 per cent of free Android apps, and this year, this was down to 73 per cent in the same category.
On iOS devices, 40 per cent were hacked last year, compared to 53 per cent this year.
The research found cracked versions of 53 per cent of the popular financial apps it examined on Android, and of 23 per cent on Apple iOS.