Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Mobile App. Show all posts

Is Online Banking Truly Safe? Understanding the Safety Loopholes in Bank Websites

 

In today's increasingly digital landscape, ensuring the security of online banking platforms is paramount. With cyber threats evolving and becoming more sophisticated, financial institutions face the constant challenge of fortifying their systems against unauthorized access and data breaches. 

Recently, Which?, a respected consumer advocate, conducted an extensive investigation into the security measures implemented by major current account providers. This evaluation carried out with the assistance of independent computer security experts, aimed to scrutinize the efficacy of banks' online banking systems in safeguarding customer data and preventing fraudulent activities. 

The assessment, conducted over two months in January and February 2024, focused on examining the apps and websites of 13 prominent current account providers. While the evaluation did not encompass testing of back-end systems, it honed in on four critical areas essential for ensuring robust security protocols: security best practices, login processes, account management, and navigation & logout functionalities. 

Through rigorous testing, the investigation revealed significant variations among providers, with some demonstrating commendable security measures while others fell short of expectations. Among the findings, TSB and the Co-operative Bank emerged as the lowest-ranked institutions in both mobile app and online security. 

Notably, TSB's app exhibited a serious vulnerability, allowing sensitive data to be accessed by other applications on the device, raising concerns about data integrity and privacy. Similarly, the Co-operative Bank's failure to enforce two-factor authentication (2FA) on a test laptop highlighted potential weaknesses in their security infrastructure, necessitating urgent attention and remediation. 

Conversely, NatWest and Starling emerged as frontrunners in online banking security, earning an impressive score of 87%. Their robust security protocols and stringent authentication processes set them apart as leaders in safeguarding customer information. 

Meanwhile, HSBC and Barclays led the pack in mobile banking security, with HSBC notably eschewing SMS-based login verification, opting for more secure alternatives to protect user accounts. In addition to holding financial institutions accountable for maintaining rigorous security standards, consumers must also take proactive steps to protect their financial data when banking online. 

Which? recommends six essential tips for enhancing online security, including protecting mobile devices, using strong and unique passwords, and promptly reporting any suspicious activity. By adopting these best practices and remaining vigilant, consumers can mitigate the risks associated with online banking and thwart the efforts of cybercriminals seeking to exploit vulnerabilities. 

In an era where digital transactions are ubiquitous, prioritizing security is imperative to safeguarding personal and financial information from unauthorized access and fraudulent activities.

Durov Suspected WhatsApp of Intentionally Introducing Vulnerabilities

 

Russian entrepreneur and founder of the Telegram messenger Pavel Durov while criticizing the WhatsApp service said that the messenger, owned by Meta, was hardly ever secure, in his Telegram channel.

Durov also suspects that the service may intentionally introduce vulnerabilities. "Since the creation of WhatsApp, there has hardly been a moment when it was secure: every few months, researchers discover a new security problem in the application," he added. 

Durov noted that every few months researchers find a new security issue in the application. He recalled that he had already spoken out about the danger of the service in 2020. Since then, as the creator of Telegram considered, the situation with WhatsApp has not changed. 

As an illustration of his words, he cited a study by the American information technology company Boldend, which revealed a vulnerability in WhatsApp. The gap in the messenger has existed for several years and allows attackers to gain access to the correspondence of their victims unnoticed. 

In addition, the creator of Telegram commented on a Forbes report, which claims that Facebook investor Peter Thiel secretly funded a startup with the ability to hack WhatsApp. "WhatsApp users' messages have been available for attacks by potential hackers for years," Durov said about the report. 

"It would be hard to believe that WhatsApp technicians are so often incompetent. Telegram, a much more technically sophisticated application, has never had such serious security problems," Durov concluded. 

In December, Durov said that his Telegram remains protected from the influence of third parties. He cited the example of the FBI report, which claimed that the bureau has access to Viber, iMessage, WhatsApp, and Line, but Telegram, Threema, Signal, and Wickr do not transmit correspondence to third parties. At the same time, it was noted that Telegram can, at the request of law enforcement officers, issue the IP address and phone number of the user. 

Earlier, Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies. The Minister said that he actively uses the Telegram messenger for fast communications.

Guardian: Truecaller Fixes Location Vulnerabilty In Its New App

Caller ID and spam blocking company Truecaller recently launched its "Guardian" application that allows users to share their live locations with the trusted guardians in their contact lists. Anand Prakash, cybersecurity expert based in Bangalore, however, pointed out that the app had a major vulnerability and Truecaller soon fixed it. The individual security app has an emergency option that informs the user's selected peers of his/her live location, which gives real-time information during any emergency.  Mr. Prakash who founded Pingsafe, a cybersecurity startup, says that the vulnerability could allow any potential threat actor to gain access into any user's account via using a phone number. 

Later, the hacker could hijack the user account and take all its data, this may include the live location (both user and emergency contacts), user date of birth, and profile picture. Guardian was released on 3rd March and has over 1,00,000 downloads on the play store. "We are using an encrypted line between the two different clients...So that actually means that you can't revisit a previous journey because we don't store that data...The data that is shared with the 'forever sharing' option is the state of battery and signal, along with the location to help the trusted guardians follow the user," says Truecaller. Mr. Prakash contacted Truecaller the next day, notifying the latter about the vulnerability. 

Basic API error was the reason for the flaw. If API (Application Programming Interfaces) problems persist, it allows attackers to access website data and software, generally not accessible to a user. Mr. Prakash says he immediately looked into the app after its release and soon discovered issues with the app. using the "login API" option in the app, the researcher was able to gain access to another person's profile using his phone number. 

A similar pattern was tried with other contacts and the issue was reported to Truecaller. The company soon fixed the issue and later notified the expert. Mr. Prakash identified the issue as an "Insecure Direct Object Interference" flaw.  PingSafe's report says, "companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers’ privacy and lead to companies’ revenue losses."