Various mobile banking apps vulnerable: Study

Trend Micro survey reveals that 15 bank related mobile apps and 39 online payment gateways stand the risk of being exposed to cyber criminals

At a time when lenders have been encouraging consumers to go for mobile banking, a survey by Japanese security firm Trend Micro reveals that 15 bank related mobile apps and 39 online payment gateways, among several others, stand the risk of being exposed to cyber criminals. According to the study, social networking sites, shopping and health care apps used by Indian users are vulnerable.

Apart from mobile apps, 611 websites with the .in domain in the country were also found to be vulnerable, the Trend Micro survey reveals.

The report comes days after the Heartbleed bug put the cyber world on its guard. Now, it has been found not only websites, but also mobile apps are equally vulnerable to this bug and similar ones. This is because mobile apps connect to vulnerable servers and services to complete various functions and thus, they too are exposed to the risks.

Dhanya Thakkar, managing director, Trend Micro (India & SEA), the security firm that carried out the survey, explained how bank details stand the risk of being decoded by cyber criminals.  “Suppose you’re about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cyber criminals can take advantage of the Heartbleed bug (or something similar) to target that server and milk it of information (like your credit card number).”

In order to protect the consumers from online frauds, the Reserve Bank of India had mandated banks to have a two-factor authentication process to strengthen the online payment system.

The discovery of the Heartbleed bug, which essentially is a vulnerability in the code for the OpenSSL encryption standard, caused havoc in the online community because it showed servers, previously thought to be very secure, could be hacked.

Prashanth Susarla, VP —  Engineering and Products at PayU, a payment gateway based in India, said several websites and companies which have their own apps have issued clarifications that their system is secure and has not been affected by the bug. “In case you have not received any such notification from your bank or any other app that you transact through,  it is best you clarify or stay away or be on your guard by checking the transaction history of your credit/debit card.”

Experts add that as a practice, consumers must change their password at least once a month to reduce the possibility of their data being stolen. Apart from this, users should also take some time out to read the security safeguards the company they are choosing to transact through is using and ensure the security certificate is valid and has been authenticated.