What Are You Risking for the Sake of Getting Your Salary Early?

2017 has seen a massive wave of cybersecurity breaches affecting both businesses and consumers. Be it WannaCry, Petya or Equifax, the rate of security breaches is rising in step with innovation. In India, companies like Zomato, Reliance Jio and Indigo Airlines (Twitter hack) were all part of the league.

According to CERT-In, the number of cybersecurity incidents reported this year (until June) totalled 27,482, and this number has been rising for the last 3 years. These are just the incidents that were reported; many more went unnoticed.

Appknox, a Singapore-based mobile app security company, scans mobile apps for potential security threats. We have scanned more than 1.5 million mobile apps so far, and 90% of them fail basic security checks. Banking and fintech apps are prime targets for hackers, since a single breach can cause the company a huge financial loss.

We picked a random digital lending application to see whether appropriate security measures had been taken to protect consumer interests. Typically, this type of app provides a convenient platform for meeting the need for quick loans at minimal interest.

Gone are the days when we had to stand in queues to apply for a loan and wait for days to receive it. Technology has revolutionized the way people manage and access their money. With e-KYC, everything now happens in a single click.

All we need to do is sign up on a lending platform, fill in the form, upload a salary slip and ID cards, sign the document, and we are eligible to receive a loan. But wait! What are we risking for the sake of getting the loan?

On digging deeper into the application, we found 4 major vulnerabilities:

1) AWS Misconfiguration - The app harvests sensitive information such as PAN card, bank account details, call and SMS logs and loan applications, and stores it in an Amazon S3 bucket. This bucket was misconfigured in a way that let anyone with a valid AWS account view and download the data in bulk.
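
The "anyone with a valid AWS account" grant above corresponds to the S3 `AuthenticatedUsers` group in a bucket ACL, or to a bucket policy whose `Principal` is `*`. The following Python script is an added example (not the audited app's code and not an Appknox tool) that audits the JSON documents returned by `aws s3api get-bucket-acl` and the policy document from `aws s3api get-bucket-policy` for exactly those grants. The bucket name, owner ID and grants in the sample documents are constructed for the example.

```python
"""Audit an S3 bucket ACL and bucket policy for grants to everyone or to any
authenticated AWS account (the misconfiguration described in the article).

Added example; it runs offline on the JSON that the s3api commands return.
All sample values below are constructed, not taken from the article."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}


def acl_findings(acl):
    """Return (who, permission) pairs for ACL grants to the two global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    # Both forms mean "anyone": "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_findings(policy):
    """Return (Sid, actions) for Allow statements open to any principal and
    carrying no Condition that could narrow the caller."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


# Constructed sample documents in the shape of the s3api output.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-kyc-bucket",
                  "arn:aws:s3:::example-kyc-bucket/*"]}
  ]
}""")


def audit(acl, policy):
    """Combine both checks into a list of human-readable findings."""
    report = [f"ACL grants {perm} to {who}" for who, perm in acl_findings(acl)]
    report += [f"policy statement {sid} allows {', '.join(acts)} to anyone"
               for sid, acts in policy_findings(policy)]
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_ACL, SAMPLE_POLICY) or ["no public grants found"]:
        print(line)
```

A clean bucket produces an empty report. In practice the fix is to remove the group grants and the wildcard statement, and to turn on S3 Block Public Access at the account level so that such grants cannot be reintroduced later.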


2) Source Code Disclosure - The application uses a version control system to distribute the codebase among developers. Unfortunately, access to the repository had been made public, and anyone with a valid account could view not only the code but also the database and FTP server credentials, since these were hardcoded.
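
Hardcoded credentials are the part of this finding a development team can catch before the code ever reaches a repository. The script below is an added example (not the audited app's code and not an Appknox tool) of a minimal pre-commit style scanner: it runs a few regular expressions over source text and reports lines that assign a password, secret, key or token, embed credentials in a database or FTP URL, or contain an AWS access key ID. The `config.py` contents it scans are constructed for the example, and the patterns are intentionally simple starting points.

```python
"""Scan source text for hard-coded credentials of the kind described above
(database and FTP secrets committed to a repository).

Added example; the sample configuration is constructed and the patterns
are deliberately simple and will need tuning for a real codebase."""
import re

# Each entry names the kind of secret and a pattern that matches it on one line.
PATTERNS = [
    ("assigned password/secret",
     re.compile(r"""(?i)(pass(word)?|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{4,})["']""")),
    ("credentials embedded in URL",
     re.compile(r"""(?i)\b(ftp|mysql|postgres(ql)?|mongodb|redis)://[^\s/:@"']+:[^\s@"']+@""")),
    ("AWS access key id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def scan_text(text, path="<memory>"):
    """Return (path, line_no, kind, line) for every line matching a pattern."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        for kind, rx in PATTERNS:
            if rx.search(stripped):
                hits.append((path, no, kind, stripped))
                break  # one finding per line is enough
    return hits


def scan_files(paths):
    """Scan several files on disk and concatenate the findings."""
    hits = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_text(fh.read(), p))
    return hits


# Constructed config.py, modelled on the article's description of the leak.
SAMPLE_CONFIG = '''# constructed settings file for the example
DB_HOST = "db.internal.example"
DB_USER = "lendapp"
DB_PASSWORD = "s3cr3t-example"          # hard-coded database secret
FTP_URL = "ftp://deploy:example-pass@ftp.example/uploads"
DEBUG = False
SALT_LENGTH = 16
'''

if __name__ == "__main__":
    for path, no, kind, line in scan_text(SAMPLE_CONFIG, "config.py"):
        print(f"{path}:{no}: {kind}: {line}")
```

Any hit on a real repository means two things: move the value out of the code (environment variables or a secrets manager) and rotate it, because once a credential has been committed it must be treated as disclosed even if the history is later rewritten.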

3) OTP Bypass - During registration, the application sends an OTP to the user's mobile number to verify that the number is genuine. But the OTP verification can be bypassed, because the application server includes the OTP in one of its responses to any authenticated user.
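
The defect here is a server that hands the client the very secret it is about to ask for. The Python below is an added example (not the audited app's code) showing a leaky issuance handler beside a hardened one: the hardened version stores only a keyed hash of the OTP, never returns the code in the HTTP response, expires it, limits guesses and makes it single use. The SMS gateway is a stand-in that records messages in a list, and the in-memory dictionary stands in for a database or cache; both are assumptions of the example.

```python
"""OTP issuance the way the audited app leaked it, beside a version that
never returns the code to the client.

Added example, not the application's code. The SMS gateway and the pending
store are in-memory stand-ins for a real provider and a real database."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

SENT_MESSAGES = []  # stand-in for the SMS provider; a real one calls its API


def send_sms(phone, message):
    SENT_MESSAGES.append((phone, message))


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG


# --- vulnerable: the response body includes the secret it is meant to verify ---
def issue_otp_leaky(phone):
    otp = _new_code()
    send_sms(phone, f"Your code is {otp}")
    return {"status": "sent", "phone": phone, "otp": otp}  # leaks the code


# --- hardened: keyed hash server-side, nothing secret in the response ---
_SERVER_KEY = secrets.token_bytes(32)  # would live in a secret manager
_pending = {}                          # phone -> (digest, expires_at, attempts)


def _hash_otp(phone, otp):
    msg = f"{phone}:{otp}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).digest()


def issue_otp(phone, now=None):
    now = time.time() if now is None else now
    otp = _new_code()
    _pending[phone] = (_hash_otp(phone, otp), now + OTP_TTL_SECONDS, 0)
    send_sms(phone, f"Your code is {otp}")
    return {"status": "sent", "phone": phone}  # the code only travels by SMS


def verify_otp(phone, submitted, now=None):
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return False
    digest, expires_at, attempts = entry
    if now > expires_at or attempts >= MAX_ATTEMPTS:
        _pending.pop(phone, None)  # expired or brute-forced: invalidate
        return False
    ok = hmac.compare_digest(digest, _hash_otp(phone, submitted))
    if ok:
        _pending.pop(phone, None)  # single use
    else:
        _pending[phone] = (digest, expires_at, attempts + 1)
    return ok


if __name__ == "__main__":
    print("leaky response:", issue_otp_leaky("+910000000000"))
    print("hardened response:", issue_otp("+911111111111"))
    code = SENT_MESSAGES[-1][1].split()[-1]  # what the handset received
    print("verify with SMS code:", verify_otp("+911111111111", code))
    print("replay of same code:", verify_otp("+911111111111", code))
```

Reviewing the application's HTTP responses for the OTP value is the quickest way to spot this class of bug during testing; the hardened handler gives a tester nothing to find, because the only channel carrying the code is the SMS.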

4) SQL Injection - The application collects information such as first and last name, salary details and phone number through a web form, which was vulnerable to SQL injection. With this, an attacker can automate the download of all these details using existing tools.
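
To make the fourth finding concrete, here is an added Python example (not the audited application's code) of a form-driven lookup written both ways: the string-built query that lets a crafted input change the statement, and the parameterized query that treats the input purely as data. The `applicants` table, its rows and the lookup-by-phone use case are constructed for the example; an input format check is included as defence in depth.

```python
"""A web-form lookup written both ways: the string-built query that SQL
injection exploits and the parameterized query that closes it.

Added example, not the audited app's code; the table and rows are constructed
and live in an in-memory SQLite database so the script runs offline."""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE applicants (first TEXT, last TEXT, phone TEXT, salary INTEGER)"
    )
    db.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", [
        ("Asha", "Rao", "9000000001", 52000),
        ("Vikram", "Nair", "9000000002", 61000),
        ("Meera", "Iyer", "9000000003", 48000),
    ])
    return db


def lookup_vulnerable(db, phone):
    # User input is spliced straight into the statement text, so the input
    # can close the quoted literal and append its own SQL.
    sql = f"SELECT first, last, salary FROM applicants WHERE phone = '{phone}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, phone):
    # Placeholder binding: the driver sends the value separately from the
    # statement, so the input can never become SQL syntax.
    return db.execute(
        "SELECT first, last, salary FROM applicants WHERE phone = ?", (phone,)
    ).fetchall()


def is_valid_phone(phone):
    # Defence in depth: reject anything that is not exactly 10 digits before
    # the query runs at all (the constructed sample uses 10-digit numbers).
    return phone.isdigit() and len(phone) == 10


if __name__ == "__main__":
    db = build_db()
    normal = "9000000002"
    crafted = "' OR '1'='1"  # the textbook tautology
    print("vulnerable, normal input: ", lookup_vulnerable(db, normal))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))  # every row
    print("safe, crafted input:      ", lookup_safe(db, crafted))        # no rows
    print("input validation accepts crafted input:", is_valid_phone(crafted))
```

The parameterized query is the actual fix; the format check only narrows what reaches the database and should never be relied on alone, since fields such as names cannot be restricted to digits.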

The above issues were just the tip of the iceberg; there were many more. The issues were reported to the company, and it was great to see them act immediately to fix them.

But here is what you, the consumer, have risked in the process of applying for a loan through the application:

1) Name, Mobile Number

2) Salary Details, Salary Slip

3) Bank Account Details, Bank Statement

4) PAN Card, ID Card (Driving Licence)

5) Digital Signature, Photo

Impact of a Data Breach and What Consumers Should Do

We might not fully understand the impact of such data breaches. There are many things that can be done with your private data; one scenario is identity theft, where the hacker can easily impersonate you.

The hidden cost of data breaches is higher than we think. A few months ago, one of the largest security breaches came to light: Equifax revealed that attackers used an exploit on its website to access records of 143 million US citizens.

Earlier this year, the Zomato security breach compromised the data of over 17 million users. This was followed by the Aadhaar data of 130 million people and bank account details leaking from government websites.

If trusted companies like Airtel Payment Bank can misuse consumers' data (by opening accounts in Airtel Payment Bank without the consumers' consent) just to meet their targets, imagine what could happen with your data once it is leaked to hackers. Our personal data will soon become a commodity and will be a Google search away.

Companies start reacting only after the damage is done. But it is the consumer who bears the brunt of the damage to their personal information.

Despite all these breaches, consumers can react in the following ways to minimize the impact. Here are a few tips for starters:

1) Change the username/password of your accounts with the affected company. If these are used on other websites as well, change all of them.

2) In case your credit card or debit card account details are leaked, protect your accounts with additional safeguards like OTP and 2FA.

3) Beware of email scammers and phishing attacks - after any such huge data leak, scammers try to extract more details from consumers via fake sites or emails.

4) Use the m-Aadhaar app to lock your biometrics - Aadhaar has taken a brilliant initiative whereby anyone can easily lock their biometrics using the m-Aadhaar app, which prevents anyone from using your Aadhaar number for verification.

5) Be vigilant - keep track of all your accounts and immediately report any fraudulent activity.

Consumers can take a few of the above steps to protect themselves, but companies must also become more resilient to data breaches. Companies must make security a habit rather than a procedure. As a proactive approach, they must establish meticulous standards for handling customer information. After all, “Prevention is always better than Cure”.

Published on Jan 30, 2018
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching mobile security. Currently, he helps businesses detect and fix security vulnerabilities. He has also found critical loopholes in companies like Google, Facebook, Apple, and others.