SNE/OS3 news: Students discover weakness in banking app.
Students of the UvA master System and Network Engineering discovered a serious weakness in the ABN AMRO mobile banking Android app. During a practical assignment in the course Security of Systems and Networks they discovered the possibility of a man-in-the-middle attack. The vulnerability made it possible to intercept and decrypt the secret PIN code and user account data. It was even possible to change transactions on the wire and adjust the amount and the account number the money was transferred to.
ABN AMRO was notified in a responsible disclosure procedure. The vulnerability was demonstrated to them at the UvA, where a possible fix was discussed. The bank responded very quickly and delivered a fixed version of the app. The students visited the bank to test these fixes.
The new version of the app was available to users in the Google app store on December 17th, only a few days after being notified, which is very commendable.
Users who haven't updated the app since are still vulnerable. These users might not be aware of the risk, as the release notes only state:
“This is a security update which will make Mobiel Bankieren even more secure”.
You can read the report with the findings of Thijs Houtenbos, Jurgen Kloosterman, Javy de Koning and Bas Vlaszaty.