
Security Incidents with Banking Apps

Cossack Labs
September 03, 2023

Building secure digital wallets is a challenge when it comes to balancing between convenience and security while fighting the threats. Let’s take a broad picture of security failures before investing in security solutions.

https://cossacklabs.com/blog/digital-wallet-security-architecture-guide/

Transcript

  1. Security Incidents
    with Banking Apps

  2. PayID
    Australia's PayID service suffered a data breach that exposed bank details and personal data
    of a large number of customers, including customers of the big four banks. The breach
    originated at one of payment-services provider Cuscal's clients and affected customers of
    most organisations using the service.
    Cause: Enumeration attack. The lookup reveals account-holder details for any phone number
    entered, so an attacker can harvest them by querying numbers in bulk.
    Damage: Affected 92,000 customers. The information exposed included users' full name,
    PayID nickname, mobile number, BSB and account number.
    Security enhancements: Additional alerting to mitigate further incidents.
    Lessons learnt: Services that reveal a user's PII in response to a phone number must
    rate-limit lookups and monitor API usage for enumeration. Payment providers and banks share
    responsibility for the service and therefore need to work together to keep their systems
    secure and to respond to data breaches as fast as possible.
    https://www.smh.com.au/business/banking-and-finance/payid-in-new-breach-affecting-customers-at-big-four-banks-20190821-p52jby.html
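As an added illustration of the lesson above (example code, not Cossack Labs', Cuscal's or PayID's; the log format, the directory contents and the thresholds are assumptions chosen for the example), here is a Python sketch of a phone-number lookup endpoint with a per-client sliding-window rate limit, a monitoring rule that flags clients sweeping many distinct numbers, and a response that only ever returns the payee's display name. It is replayed over a constructed access log containing one legitimate user and one scraper.

```python
"""Rate limiting and enumeration detection for a phone-number lookup API.

Added illustration, not any payment provider's code. Log format, directory
entries and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed sliding-window policy (illustrative values).
WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 5     # hard limit enforced by the API
MAX_DISTINCT_TARGETS = 3       # monitoring threshold: distinct numbers queried per window

# Constructed directory: what the backend knows. Only display_name may be
# returned to a caller; BSB and account number never leave the service.
DIRECTORY = {
    "+61400000001": {"display_name": "A. Example", "bsb": "062-000", "account": "12345678"},
    "+61400000002": {"display_name": "B. Example", "bsb": "062-000", "account": "23456789"},
}

# Assumed access-log line shape: "<ISO timestamp> client=<ip> target=<phone>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) target=(?P<target>\+\d+)$")


class LookupGuard:
    """Per-client sliding window over lookup attempts."""

    def __init__(self):
        self._window = defaultdict(deque)   # client -> deque[(epoch_seconds, target)]

    def _prune(self, client, now):
        q = self._window[client]
        while q and now - q[0][0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def allow(self, client, target, now):
        """Enforcement: refuse the lookup once the client's budget is spent."""
        q = self._prune(client, now)
        if len(q) >= MAX_LOOKUPS_PER_WINDOW:
            return False
        q.append((now, target))
        return True

    def is_enumerating(self, client, now):
        """Monitoring: a client cycling through many distinct numbers is sweeping."""
        q = self._prune(client, now)
        return len({t for _, t in q}) > MAX_DISTINCT_TARGETS


def serve_lookup(target):
    """Data minimisation: the API only confirms a payee's display name."""
    entry = DIRECTORY.get(target)
    return {"display_name": entry["display_name"]} if entry else None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["client"], m["target"]


def replay(lines):
    """Replay access-log lines through the guard; return per-line decisions
    and the set of clients the monitor flagged as enumerating."""
    guard = LookupGuard()
    decisions, flagged = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, client, target = parsed
        if guard.allow(client, target, now):
            decisions.append((client, target, "served" if serve_lookup(target) else "not_found"))
        else:
            decisions.append((client, target, "rate_limited"))
        if guard.is_enumerating(client, now):
            flagged.add(client)
    return decisions, flagged


# Constructed sample log: one user checking two payees, one scraper walking
# consecutive numbers one second apart.
SAMPLE_LOG = [
    "2023-09-03T10:00:00Z client=203.0.113.7 target=+61400000001",
    "2023-09-03T10:00:30Z client=203.0.113.7 target=+61400000002",
    "2023-09-03T10:01:00Z client=198.51.100.9 target=+61400000001",
    "2023-09-03T10:01:01Z client=198.51.100.9 target=+61400000002",
    "2023-09-03T10:01:02Z client=198.51.100.9 target=+61400000003",
    "2023-09-03T10:01:03Z client=198.51.100.9 target=+61400000004",
    "2023-09-03T10:01:04Z client=198.51.100.9 target=+61400000005",
    "2023-09-03T10:01:05Z client=198.51.100.9 target=+61400000006",
    "2023-09-03T10:01:06Z client=198.51.100.9 target=+61400000007",
]

if __name__ == "__main__":
    decisions, flagged = replay(SAMPLE_LOG)
    for d in decisions:
        print(d)
    print("flagged:", flagged)
```

The two mechanisms are deliberately separate: the hard limit caps how many records a single client can pull per window, while the distinct-target rule is what turns a sweep into an alert long before the limit is hit, which is the "API monitoring" the slide asks for. In a real deployment the client key would combine IP, session and API credential, since a scraper with a pool of addresses will otherwise stay under each per-IP budget.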

  3. OCBC
    Attackers gained access to the accounts of 790 OCBC customers once the victims clicked a link
    sent by the attackers and typed their credentials into the attackers' fake login page.
    Attack type: Phishing
    Damage: S$13.7 million in losses
    Security enhancements: Sending instant fund transfer alerts to customers, reducing the
    default daily limit for PayNow transactions, removing clickable links from marketing emails,
    introducing a 24-hour cooling-off period for key account changes, a dedicated customer
    service care team, and a hotline for reporting suspected scams.
    Lessons learnt: Educating customers about scams is important, and the controls above limit
    what stolen credentials can do before the customer notices.
    https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline
    https://www.straitstimes.com/business/banking/ocbc-customers-hit-by-phishing-scam-790-lost-137m-in-total-bank-has-made-full-goodwill-payouts
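To make the cooling-off and daily-limit controls listed above concrete, here is an added Python sketch (example code, not OCBC's; the 24-hour window, the default limit, the field names and the phone numbers are assumptions chosen for the example, and day rollover of the spend counter is not modelled). Key changes such as the contact phone or the transfer limit are queued and take effect only after the cooling-off period, alerts always go to the contact currently on file, and a transfer is checked against the limit in force at that moment, so an attacker holding phished credentials cannot both redirect alerts and lift the cap in one session:

```python
"""Cooling-off period and default daily limit as post-phishing fraud controls.

Added illustration, not OCBC's code. Window length, default limit, field
names and phone numbers are assumptions; daily spend never resets here.
"""
from dataclasses import dataclass, field

COOLING_OFF_SECONDS = 24 * 3600   # assumed: 24-hour cooling-off for key account changes
DEFAULT_DAILY_LIMIT = 1_000       # assumed: lowered default daily transfer limit
SENSITIVE_FIELDS = {"daily_limit", "contact_phone"}


@dataclass
class Account:
    contact_phone: str                  # where transfer and change alerts are sent
    balance: int
    daily_limit: int = DEFAULT_DAILY_LIMIT
    spent_today: int = 0
    pending: list = field(default_factory=list)   # (effective_at, field_name, value)
    alerts: list = field(default_factory=list)    # (phone, message)

    def _notify(self, message):
        # Alerts go to the contact currently on file, so a pending contact-phone
        # change cannot redirect them before the cooling-off period has elapsed.
        self.alerts.append((self.contact_phone, message))

    def request_change(self, field_name, value, now):
        """Queue a key change; it takes effect only after the cooling-off period."""
        if field_name not in SENSITIVE_FIELDS:
            raise ValueError(f"not a cooling-off field: {field_name}")
        effective_at = now + COOLING_OFF_SECONDS
        self.pending.append((effective_at, field_name, value))
        self._notify(f"{field_name} change requested; effective in 24h unless cancelled")
        return effective_at

    def cancel_pending(self):
        """What a customer does after an alert for a change they did not make."""
        count = len(self.pending)
        self.pending.clear()
        return count

    def settle(self, now):
        """Apply every queued change whose cooling-off period has elapsed."""
        due = sorted((p for p in self.pending if p[0] <= now), key=lambda p: p[0])
        self.pending = [p for p in self.pending if p[0] > now]
        for _, field_name, value in due:
            setattr(self, field_name, value)
        return len(due)

    def transfer(self, amount, now):
        """Instant transfer, gated by the limit that is in force at `now`."""
        self.settle(now)
        if amount <= 0 or amount > self.balance:
            return False
        if self.spent_today + amount > self.daily_limit:
            self._notify(f"transfer of {amount} blocked: daily limit {self.daily_limit}")
            return False
        self.spent_today += amount
        self.balance -= amount
        self._notify(f"transfer of {amount} sent")
        return True


def phished_credentials_scenario():
    """Attacker logs in with phished credentials at t=0 and tries to drain the account.

    Returns (transfer_succeeded, alerts_seen_by_victim, limit_in_force, contact_in_force).
    """
    victim_phone, attacker_phone = "+6591230000", "+6599990000"   # constructed numbers
    acct = Account(contact_phone=victim_phone, balance=20_000)
    acct.request_change("contact_phone", attacker_phone, now=0)   # try to hijack alerts
    acct.request_change("daily_limit", 50_000, now=0)             # try to lift the cap
    drained = acct.transfer(15_000, now=60)                       # old limit still applies
    victim_alerts = [m for phone, m in acct.alerts if phone == victim_phone]
    acct.cancel_pending()                                         # victim reacts to the alerts
    acct.settle(now=COOLING_OFF_SECONDS + 1)
    return drained, len(victim_alerts), acct.daily_limit, acct.contact_phone


if __name__ == "__main__":
    print(phished_credentials_scenario())
```

The point of the scenario is timing: during the 24 hours the attacker's session is worth at most the old daily limit, and every action it takes lands as an alert on the victim's existing phone, which is exactly the window in which an instant alert plus a hotline lets the customer cancel the changes. Without the cooling-off, the same two requests would silence the victim and lift the cap in the same minute.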
