[This post was originally written by me in 2017 at Appknox Blog]
2017 has seen a massive wave of cybersecurity breaches affecting both businesses and consumers. Be it WannaCry, Petya, or Equifax, the rate of security breaches is rising in parallel with innovation. In India, companies like Zomato, Reliance Jio, and Indigo Airlines (Twitter hack) were all part of the league.
According to CERT-In, the number of cybersecurity incidents reported this year (until June) totalled 27,482, and this number has been rising for the last 3 years. These are just the incidents that were reported; many more went unnoticed.
Appknox, a Singapore-based mobile app security company, scans mobile apps for potential security threats. We have scanned more than 1.5 million mobile apps so far, and 90% of them fail basic security checks. Banking and fintech apps are prime targets for attackers, since a single breach can cause huge financial loss to the company.
We picked a random digital lending application to see whether appropriate security measures were taken to protect consumer interests. Typically these apps provide a convenient platform for quick loans at minimal interest.
Gone are the days when we had to stand in queues to apply for loans and wait for days to receive them. Technology has revolutionized the way people manage and access their money. With e-KYC, everything now happens in a single click.
All we need to do is sign up on a lending platform, fill out the form, upload a salary slip and ID card, and sign the document, and we are eligible for a loan. But wait! What are we risking for the sake of getting the loan?
On digging deeper into the application, we found 4 major vulnerabilities:
1) AWS Misconfiguration – The app collects sensitive information such as PAN card, bank account details, call and SMS logs, and loan applications, and stores it in an Amazon S3 bucket. This bucket was misconfigured in a way that let anyone with a valid AWS account view and download the data in bulk.
2) Source Code Disclosure – The application uses a version control system to distribute the codebase among developers. Unfortunately, access to the code was made public, so anyone with a valid account could view not only the code but also the database and FTP server credentials, since they were hardcoded.
3) OTP Bypass – At registration, the application sends an OTP to the mobile number to verify the user. But the OTP verification can be bypassed, because the application server includes the OTP in one of its responses to any authenticated user.
4) SQL Injection – The application collects information such as first and last name, salary details, and phone number through a web form that was vulnerable to SQL injection. With existing tools, an attacker can automate downloading all of these details.
The above issues were just the tip of the iceberg; there were many more. The issues were reported to the company, and it was great to see them act immediately to fix them.
But here is what you, the consumer, have risked in the process of applying for a loan from the application:
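A check for the first finding, added here as an example and not code from the original post or from the app: it audits an S3 bucket ACL and bucket policy (the dict shapes boto3's get_bucket_acl and get_bucket_policy return) for grants to the AllUsers or AuthenticatedUsers groups and for wildcard principals. The bucket name, owner ID and grants below are constructed sample data, so it runs offline.

```python
"""Audit an S3 bucket ACL and bucket policy for grants that expose data
to every AWS account or to the public.

Added example (not Appknox's or the lending app's code). It works on the
dict shapes that boto3's get_bucket_acl / get_bucket_policy return, but
the input below is constructed inline so the script runs offline.
"""
import json

# Predefined S3 groups. "AuthenticatedUsers" means *any* AWS account,
# which is exactly the misconfiguration described in the post.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
RISKY_GROUPS = {ALL_USERS: "public", AUTHENTICATED_USERS: "any-aws-account"}


def audit_acl(acl):
    """Return (scope, permission) for each grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def audit_policy(policy_json):
    """Return the actions that an unconditional Allow statement grants to
    Principal '*'. Statements with a Condition block are skipped here;
    a fuller audit would evaluate the condition as well."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.extend(actions)
    return findings


# Constructed sample: a bucket that any AWS account can read, plus a
# policy that makes object downloads fully public.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-kyc-bucket/*",
    }],
})

if __name__ == "__main__":
    print("ACL findings:", audit_acl(SAMPLE_ACL))
    print("Policy findings:", audit_policy(SAMPLE_POLICY))
```

The AuthenticatedUsers grant is the "anyone with a valid AWS account" condition from the finding. The remediation is to remove the group grant and the wildcard statement, hand out KYC documents only through the application backend (IAM roles or short-lived pre-signed URLs), and keep the account-level public access blocks switched on so a future ACL change cannot reopen the bucket.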
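For the second finding, an added example (not the app's or Appknox's code) of the two habits that keep credentials out of a shared repository: a settings loader that takes secrets only from the environment and refuses to start without them, and a minimal pre-commit style scan over source text. The variable names, rule set and sample source lines are constructed; AKIAIOSFODNN7EXAMPLE is the placeholder access key ID from AWS's own documentation, not a live key.

```python
"""Two defences against hardcoded credentials in a shared repository.

Added example, not code from the post or the lending app. The rule set is
deliberately small; real scanners (gitleaks, trufflehog) carry far more.
"""
import os
import re

# Constructed: the secrets this hypothetical service needs at start-up.
REQUIRED_SECRETS = ("DB_PASSWORD", "FTP_PASSWORD")


def load_settings(env=os.environ):
    """Build settings from the environment and fail closed if a secret is
    missing, so no default or literal ever stands in for it."""
    missing = [name for name in REQUIRED_SECRETS if not env.get(name)]
    if missing:
        raise RuntimeError("missing secrets: " + ", ".join(missing))
    return {
        "db_host": env.get("DB_HOST", "localhost"),
        "db_password": env["DB_PASSWORD"],
        "ftp_password": env["FTP_PASSWORD"],
    }


# Constructed rules: a literal assigned to a password-like name,
# credentials embedded in a URL, and an AWS access key ID (AKIA + 16).
SECRET_PATTERNS = [
    ("password-literal",
     re.compile(r"(?i)(password|passwd|secret)\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("url-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@")),
    ("aws-access-key",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def scan_source(text):
    """Return (line_number, rule_name) for every line that looks like a
    secret; one hit per line, first matching rule wins."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, name))
                break
    return hits


# Constructed sample file: the kind of settings module that ends up in a
# public repository. The last line is the safe form and must not fire.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "s3cr3t-db-pass"
FTP_URL = "ftp://deploy:hunter2@ftp.example.invalid/uploads"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

Run the scanner as a pre-commit hook or CI step so a credential is refused before it reaches the shared history; once a secret has been pushed to a public repository it has to be rotated, because removing the line does not remove it from the commit history.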
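For the OTP finding, an added example (not from the post or the app) of a registration OTP service whose API response carries nothing replayable: only a salted hash of the OTP is stored, with an expiry and an attempt budget, and the clear OTP is handed to the SMS gateway alone. The OtpService class, its parameters and the phone numbers are constructed.

```python
"""Registration OTP service whose API response never carries the OTP.

Added example, not the post's or the lending app's code. The server keeps
only a salted hash of each OTP with an expiry and an attempt budget; the
clear OTP goes to the SMS gateway and nowhere else. Names and numbers are
constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # five minutes
MAX_ATTEMPTS = 5        # guesses allowed before the OTP is discarded


class OtpService:
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # phone -> {salt, digest, expires, attempts}

    @staticmethod
    def _digest(salt, otp):
        return hashlib.sha256(salt + otp.encode()).hexdigest()

    def issue(self, phone):
        """Return (api_response, otp_for_sms). Only the first goes to the
        client; the second is passed to the SMS sender and then dropped."""
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[phone] = {
            "salt": salt,
            "digest": self._digest(salt, otp),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        api_response = {"status": "otp_sent", "phone_masked": "*" * 6 + phone[-4:]}
        return api_response, otp

    def verify(self, phone, candidate):
        """True only for a fresh, unexpired OTP within the attempt budget;
        a successful check consumes the OTP."""
        record = self._pending.get(phone)
        if record is None:
            return False
        if self._now() > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]
            return False
        record["attempts"] += 1
        ok = hmac.compare_digest(record["digest"], self._digest(record["salt"], candidate))
        if ok:
            del self._pending[phone]
        return ok


def response_exposes_otp(response, otp):
    """Regression check for the bug in the post: the OTP string must not
    appear anywhere in the body returned to the client."""
    return otp in json.dumps(response)


if __name__ == "__main__":
    svc = OtpService()
    resp, otp = svc.issue("+919876543210")    # constructed number
    print(resp, "leaks OTP:", response_exposes_otp(resp, otp))
```

The response_exposes_otp check is the kind of assertion worth keeping in the API test suite: it would have caught the vulnerable response shape, which looked like the status body above with an extra "otp" field, long before an auditor did.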
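For the SQL injection finding, an added example (not the app's or Appknox's code) that puts the string-built query beside its parameterised form over a constructed sqlite3 table of applicants, with an input validator in front, so the difference in behaviour on a hostile phone-number field is visible. The table, rows and function names are constructed.

```python
"""Phone-number lookup from a web form: string-built SQL beside the
parameterised query that replaces it.

Added example, not the lending app's code. The applicants table and its
rows are constructed in an in-memory sqlite3 database so this runs offline.
"""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (first_name TEXT, last_name TEXT, "
        "phone TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", [
        ("Asha", "Rao", "9000000001", 45000),     # constructed rows
        ("Vikram", "Sen", "9000000002", 62000),
        ("Priya", "Nair", "9000000003", 38000),
    ])
    return conn


def lookup_vulnerable(conn, phone):
    """The defect class from the finding: the form value is pasted into the
    statement, so the input decides the query's structure."""
    sql = "SELECT first_name, last_name, salary FROM applicants WHERE phone = '%s'" % phone
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, phone):
    """Bound parameter: the driver sends the value separately from the SQL,
    so the input is data only and can never change the statement."""
    sql = "SELECT first_name, last_name, salary FROM applicants WHERE phone = ?"
    return conn.execute(sql, (phone,)).fetchall()


def validate_phone(phone):
    """Defence in depth: the form field is a 10-digit number, so anything
    else is rejected before it reaches the database layer at all."""
    if not (phone.isdigit() and len(phone) == 10):
        raise ValueError("invalid phone number")
    return phone


# Constructed hostile input: a single quote closes the literal and the
# rest turns the WHERE clause into one that matches every row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable :", len(lookup_vulnerable(conn, TAUTOLOGY)), "rows")
    print("parameterised:", len(lookup_parameterised(conn, TAUTOLOGY)), "rows")
```

The parameterised query is the fix; the validator is a second layer that also gives the application a place to log and alert on malformed submissions, which is how a defender would spot the automated dumping the finding describes.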
1) Name, Mobile Number
2) Salary Details, Salary Slip
3) Bank Account Details, Bank Statement
4) PAN card, ID card (driving licence)
5) Digital Signature, Photo
Impact of data breaches and what consumers should do
We might not understand the impact of such data breaches. Many things can be done with your private data. One scenario is identity theft, where the hacker can easily impersonate you.
The hidden cost of data breaches is more than we think. A few months ago, one of the largest security breaches came to light: Equifax revealed that attackers used an exploit on its website to access the records of 143 million US citizens.
Last year, the Zomato security breach resulted in the compromise of data for over 17 million users. This was followed by the Aadhaar data of 130 million people, along with bank account details, being leaked from government websites.
If trusted companies like Airtel Payments Bank can misuse consumers' data (by opening accounts in Airtel Payments Bank without the consumers' consent) just to meet their targets, imagine what could happen with your data once it is leaked to hackers. Our personal data will soon become a commodity that is a Google search away.
Companies start reacting only after the damage is done, but it is the consumer who bears the brunt of the damage to their personal information.
Despite all these breaches, consumers can react in the following ways to minimize the impact. Here are a few tips for starters:
1) Change the username/password of your accounts with the affected company. If the same credentials are used on other websites as well, change all of them.
2) If credit card or debit card details are leaked, protect your accounts with additional controls such as OTP and 2FA.
3) Beware of email scammers and phishing attacks – after any such huge data leak, scammers try to extract more details from consumers via fake sites or emails.
4) Use the m-Aadhaar app to lock your biometrics – Aadhaar has taken a brilliant initiative whereby anyone can easily lock their biometrics using the m-Aadhaar app, which prevents anyone from using your Aadhaar number for biometric verification.
5) Be vigilant – keep track of all your accounts and immediately report any fraudulent activity.
In addition, while consumers can take the above steps to protect themselves, companies must become more resilient to data breaches. Companies must make security a habit rather than a procedure. As a proactive approach, companies must establish meticulous standards for handling customer information. After all, “Prevention is always better than cure”.