Sparkasse’s pushTAN app with security gaps

Most smartphone and tablet users now also do their online banking through their bank’s apps. They use them as a simple way to make transfers, check the account balance and similar things. Apps designed specifically to support online banking are also particularly popular. An example is Sparkasse’s pushTAN app, which provides the tokens needed for transfers. As experts from the IT sector have now shown, this program is thoroughly vulnerable to attack.

Several weeks ago Sparkasse already had to face the accusation that its app for mobile TAN solutions could be hacked. Vincent Haupert and Tilo Müller from the University of Erlangen are recognised experts in the field of IT security and had already demonstrated some time ago that it is possible to gain access to the app’s sensitive information. Although Sparkasse stressed shortly afterwards that the relevant security gaps had been fixed in the latest version, as it turns out, this was not the case. Only the level of effort required to manipulate the data had once again been increased.

An attack on the newest and supposedly secure version of the pushTAN app was demonstrated at the recently concluded 32C3 congress. At the congress for IT security and hacking, the two experts showed that while the newest version is more secure, one cannot say that the app is intrinsically safe now.

To demonstrate this, the two researchers used a tool that is normally used for security work in software development. With the help of this tool’s functionality it was still possible to find data with which one can gain access to the most sensitive areas of the app. Only a few changes were necessary. Both experts agree that the security of the app is better now, but their experiment shows how easy it actually is to gain access to the app’s sensitive core. In case of doubt, it is enough for the attacker to know how to cover his own tracks. In the video they made of their experiment, one could also see that the user would only notice long after the hack that his app had been compromised. To report the fraud, the user would then have to take a detailed look at the transfer details.

Online banking has always been one of the most sensitive areas of IT security for ordinary users. With the increased use of apps and mobile solutions, many potential dangers have been revealed, and there is now a need to combat them. It is therefore very important for users to take additional measures to protect their sensitive information. In this respect it is especially important to rely on two-factor authentication for online banking. According to the banks, this is something which is long overdue. A TAN should never be used on the same end device as the one on which the online banking is taking place. Otherwise, there is the danger that an attacker could gain access to both at once. For this reason it is recommended to always use two separate end devices, for example your PC and your cellphone. Alongside up-to-date security software and regular updates for apps, it all comes down to keeping a healthy control over your own information. Those who take security seriously and keep their PC and tablet infrastructure up to date have the least to fear.
