
Security Incidents with Banking Apps

Cossack Labs
September 03, 2023


Building secure digital wallets is a challenge when it comes to balancing between convenience and security while fighting the threats. Let’s take a broad picture of security failures before investing in security solutions.





  1. Security Incidents
    with Banking Apps


  2. PayID
    PayID had a data breach that exposed bank details and personal data of a vast majority of
    clients, including those at big four banks. The breach originated with one of the Cuscal clients
    and affected most organisations.
    Cause: Enumeration attack
    Damage: Affected 92,000 customers. The information exposed included users’ full name,
    PayID nickname, mobile number, BSB and account number.
    Security enhancements: Additional alerting to mitigate further incidents
    Lessons learnt: Services that reveal a user’s PII when a phone number is entered should
    have rate limits and API monitoring. Payment providers and banks have a shared
    responsibility and thus need to work together to ensure that their systems are secure and
    that they can respond ASAP to data breaches.
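    The rate-limit and API-monitoring lesson above, as an added example that is not code from the deck: a sliding-window check over access-log lines that flags any client querying an unusual number of distinct phone numbers against a lookup endpoint. The endpoint path, log format, client identifiers and thresholds are assumptions, and the log lines are constructed.

```python
"""Flag PayID-style lookup enumeration in API access logs.

Added example, not code from the Cossack Labs deck. The endpoint path,
log format, clients and thresholds are assumptions; log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime


def constructed_log():
    """Build a constructed access log: '<timestamp> <client> <path> <status>'."""
    lines = []
    # Client 203.0.113.5 looks up 8 distinct phone numbers in 8 seconds:
    # the footprint an enumeration attack leaves behind (mostly 404s).
    for i in range(8):
        status = 200 if i % 3 == 0 else 404
        lines.append(f"2023-09-03T10:00:{i:02d}Z 203.0.113.5 "
                     f"/api/v1/payid/lookup?phone=+6140000{i:04d} {status}")
    # Client 198.51.100.7 makes 3 lookups spread over 3 minutes: normal use.
    for i in range(3):
        lines.append(f"2023-09-03T10:0{i}:30Z 198.51.100.7 "
                     f"/api/v1/payid/lookup?phone=+6141000{i:04d} 200")
    return "\n".join(lines)


def parse_line(line):
    ts, client, path, status = line.split()
    phone = path.split("phone=", 1)[1] if "phone=" in path else None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, phone, int(status)


def detect_enumeration(log_text, window_s=60, max_distinct=5):
    """Return {client: peak_distinct_phones} for every client that queried
    more than max_distinct distinct phone numbers inside any sliding window
    of window_s seconds. The same window can drive a per-client rate limit."""
    flagged = {}
    windows = defaultdict(deque)  # client -> deque of (timestamp, phone)
    for line in log_text.splitlines():
        ts, client, phone, _status = parse_line(line)
        if phone is None:
            continue  # not a lookup request
        q = windows[client]
        q.append((ts, phone))
        while (ts - q[0][0]).total_seconds() > window_s:  # age out old entries
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged
```

    Running `detect_enumeration(constructed_log())` flags only the enumerating client; the normal client stays under the threshold.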


  3. OCBC
    OCBC was attacked by malicious actors who managed to get access to 790 bank accounts
    as soon as the victims clicked on a link provided by the attackers and typed in their
    Attack type: Phishing
    Damage: $13.7 million loss
    Security enhancements: Sending instant fund transfer alerts to customers, reducing the
    default daily limit for PayNow transactions, removing clickable links from marketing emails,
    introducing a 24-hour cooling-off period for key account changes, setting up a dedicated
    customer service care team, and introducing a hotline for reporting suspected scams.
    Lessons learnt: Importance of educating customers about scams.
