
Security Incidents with Banking Apps

Cossack Labs
September 03, 2023


Building secure digital wallets is a challenge when it comes to balancing between convenience and security while fighting the threats. Let’s take a broad picture of security failures before investing in security solutions.

https://cossacklabs.com/blog/digital-wallet-security-architecture-guide/


Transcript

  1. PayID

     PayID had a data breach that exposed bank details and personal data of a vast majority of clients, including those at big four banks. The breach originated with one of the Cuscal clients and affected most organisations.

     Cause: Enumeration attack
     Damage: Affected 92,000 customers. The information exposed included users' full name, PayID nickname, mobile number, BSB and account number.
     Security enhancements: Additional alerting to mitigate against further incidents
     Lessons learnt: Services that allow learning a user's PII by entering phone numbers should have rate limits and API monitoring. Payment providers and banks have a shared responsibility and thus need to work together to ensure that their systems are secure and that they can respond ASAP to data breaches.

     https://www.smh.com.au/business/banking-and-finance/payid-in-new-breach-affecting-customers-at-big-four-banks-20190821-p52jby.html
  2. OCBC

     OCBC was attacked by malicious actors who managed to get access to 790 bank accounts as soon as the victims clicked on a link provided by the attackers and typed in their credentials.

     Attack type: Phishing
     Damage: $13.7 million loss
     Security enhancements: Sending instant fund transfer alerts to customers, reducing the default daily limit for PayNow transactions, removing clickable links in marketing emails, introducing a 24-hour cooling-off period for key account changes, a dedicated customer service care team, and a hotline for reports of suspected scams.
     Lessons learnt: Importance of educating customers about scams.

     https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline
     https://www.straitstimes.com/business/banking/ocbc-customers-hit-by-phishing-scam-790-lost-137m-in-total-bank-has-made-full-goodwill-payouts
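The PayID slide's lesson is that a lookup-by-phone-number API needs rate limits and monitoring. The following is an added example (not from the deck or from Cossack Labs) of the monitoring side: it scans constructed API access log lines for a client whose lookup volume and not-found ratio within a sliding window look like an enumeration sweep rather than normal use. The log format, the /payid/lookup endpoint name and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). Format assumed for this
# example: <ISO timestamp> <client_id> <endpoint> <HTTP status>
SAMPLE_LOG = """\
2023-08-01T10:00:01Z app-7f3 /payid/lookup 404
2023-08-01T10:00:02Z app-7f3 /payid/lookup 404
2023-08-01T10:00:02Z app-7f3 /payid/lookup 200
2023-08-01T10:00:03Z app-7f3 /payid/lookup 404
2023-08-01T10:00:03Z app-7f3 /payid/lookup 404
2023-08-01T10:00:04Z app-7f3 /payid/lookup 200
2023-08-01T10:00:05Z app-7f3 /payid/lookup 404
2023-08-01T10:00:06Z app-7f3 /payid/lookup 404
2023-08-01T10:05:00Z app-c21 /payid/lookup 200
2023-08-01T10:07:30Z app-c21 /payid/lookup 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, client_id, endpoint, status) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def flag_enumeration(text, window=timedelta(minutes=1), max_lookups=5,
                     min_miss_ratio=0.5):
    """Return {client_id: (lookups, not_found)} for clients that exceed
    max_lookups in any window with a high share of 404s (guessed numbers)."""
    events = defaultdict(list)
    for ts, client, endpoint, status in parse_log(text):
        if endpoint == "/payid/lookup":
            events[client].append((ts, status))
    flagged = {}
    for client, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window
                start += 1
            count = end - start + 1
            misses = sum(1 for _, s in hits[start:end + 1] if s == 404)
            if count > max_lookups and misses / count >= min_miss_ratio:
                flagged[client] = (count, misses)
                break
    return flagged
```

A legitimate client mostly resolves numbers it already knows (few 404s), so the not-found ratio separates bulk guessing from normal traffic better than volume alone.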