Gidley's Gossipings

A blog about not much really

N26

2017-01-04 Tech

There is a really good talk about some vulnerabilities found in the N26 banking app presented at the CCC congress this year.

<amp-iframe width="1024" height="360" sandbox="allow-scripts allow-popups" layout="responsive" frameborder="0" src="https://media.ccc.de/v/33c3-7969-shut_up_and_take_my_money/oembed" allowfullscreen></amp-iframe>

The talk is worth a watch, and it highlights some key points:

  • No certificate pinning was in use, which made it easy for the researcher to MITM the app.
    • That’s not to say certificate pinning fixes all issues, but doing it makes things a lot harder for attackers.
  • The APIs exposed to the web were far too verbose and didn’t really check who was calling them.
    • I think (shameless plug) that Application Hardening techniques for both web and mobile are going to be needed to secure these things long term. You need to ensure the code calling your API is what you think it is. This is where products like Irdeto’s Cloakware API Protection come in.
  • Many of the exploits relied on coding/logic errors, and those errors were quite easy to exploit.
    • API protection techniques mitigate the (inevitable) logic mistakes in your code by making them much harder to exploit.
    • That’s not to say you shouldn’t also work on fixing the logic!
  • A number of the exploits relied on the engineers assuming that IDs were secret when they were not (the ‘Mastercard ID’ in this case).
    • This kind of assumption is quite common. If you think something is secret, you should not just document it; you also need tests that scan logs and API responses for that data, to ensure it actually is still secret.
  • A good breach response helps you manage PR
    • This was a pretty bad breach for N26 - but they handled it well. In particular they engaged with the researcher constructively and they fixed the issues in a reasonable time period.
    • Many companies either ignore the issue or head straight for legal threats in these cases. This is a mistake, as doing so increases the likelihood of the issue being publicised before you have fixed it.
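The "is it actually still secret?" test described above, as an added example that is not code from the talk or from this blog: a scanner that checks log lines and a decoded API response for values the team believes are secret. The secret values, the log lines and the JSON response are all constructed samples; the normalisation step exists so that an ID printed with spaces or dashes is still caught.

```python
"""Check that values believed to be secret never appear in logs or API responses."""
import json
import re

def normalise(text: str) -> str:
    # Strip separators so "9000 1234 5678" and "9000-1234-5678" both match.
    return re.sub(r"[\s\-]", "", text).lower()

# Values engineering believes are secret (constructed samples). In practice
# load these from the same secret store the application itself uses.
SECRETS = {
    "mastercard_id": "900012345678",
    "api_token": "tok_live_8f3a9c",
}

def scan_text(text: str, secrets: dict = SECRETS) -> list:
    """Return the names of every secret whose normalised value occurs in text."""
    haystack = normalise(text)
    return [name for name, value in secrets.items() if normalise(value) in haystack]

def scan_json(doc, secrets: dict = SECRETS, path: str = "$") -> list:
    """Walk a decoded JSON document; report (json_path, secret_name) for each leak."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            hits += scan_json(value, secrets, f"{path}.{key}")
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            hits += scan_json(value, secrets, f"{path}[{i}]")
    else:
        hits += [(path, name) for name in scan_text(str(doc), secrets)]
    return hits

def scan_log(lines, secrets: dict = SECRETS) -> list:
    """Report (line_number, secret_name) for every log line that leaks a secret."""
    return [(n, name) for n, line in enumerate(lines, 1) for name in scan_text(line, secrets)]

# Constructed samples: a debug line prints the ID with spaces, and the API
# response echoes it back inside a nested field nobody expected to be there.
SAMPLE_LOG = [
    "2017-01-04T10:00:01Z INFO login ok user=42",
    "2017-01-04T10:00:02Z DEBUG card lookup id=9000 1234 5678",
    "2017-01-04T10:00:03Z INFO transfer complete ref=TX-77",
]
SAMPLE_RESPONSE = json.loads(
    '{"user": 42, "cards": [{"last4": "5678", "meta": {"mcId": "9000-1234-5678"}}]}'
)

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))        # [(2, 'mastercard_id')]
    print(scan_json(SAMPLE_RESPONSE))  # [('$.cards[0].meta.mcId', 'mastercard_id')]
```

Wire the two scan functions into CI against captured staging logs and recorded API responses, and fail the build on any hit.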

I suggest watching the whole talk - it’s well presented and shows a great real world example of how MITM can ruin your day as a bank or fintech.