Threat Category: Application-based
ID: PAY-3
Threat Description: Vulnerabilities in mobile banking applications could lead to information leakage, theft, or modification, as well as financial loss.
Threat Origin
The most dangerous code in the world: validating SSL certificates in non-browser software [1]
Exploit Examples
Not Applicable
CVE Examples
Possible Countermeasures
Carefully weigh the risks of using third-party mobile banking apps over more mature technologies, such as online transactions via web browsers, which may undergo more rigorous evaluation and benefit from more rapid deployment of security updates.
Consider the use of pre-paid credit card services for payment apps to limit the potential financial harm an attacker can cause by placing charges against the linked account.
Enterprise
Carefully weigh the risks of using third-party mobile banking apps over more mature technologies, such as online transactions via web browsers, which may undergo more rigorous evaluation and benefit from more rapid deployment of security updates.
Consider the use of pre-paid credit card services for payment apps to limit the potential financial harm an attacker can cause by placing charges against the linked account.
References
[1] M. Georgiev et al., "The most dangerous code in the world: validating SSL certificates in non-browser software", in Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012, pp. 38-49; http://dx.doi.org/10.1145/2382196.2382204 [accessed 8/24/2016]