
Want branchless banking? Live in the developing world? Oops

Mo(bile) money, mo(bile) problems, says Florida team

Branchless banking apps targeted at customers in the developing world are rife with vulnerabilities, according to security researchers.

A study by computer scientists from the University of Florida focused on seven of the more high-profile apps, uncovering flaws that created a heightened risk of fraud as well as “unfair” terms of service.

The findings were based on a manual analysis of Airtel Money, Money-On-Mobile and Oxigen Wallet (all from India); Thailand's mPay; the Philippines' GCash; Brazil's Zuum; and mCoin from Indonesia.

The five researchers – Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor and Kevin R.B. Butler – came to their unfavourable assessment after what's billed as the first comprehensive analysis of its type.

Smartphone apps provide an electronic payment infrastructure where alternatives such as credit cards are not available locally, and the technology provides much-needed financial services to unbanked people in the developing world.

Although billed as a more secure alternative to cash, branchless banking apps are dangerously insecure, according to the team of five.

After carrying out an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money sites, an exercise that "fails to provide reliable insights", the researchers turned to a "comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15 per cent of these apps".

Mmmm, well, the results weren't pretty.

“We uncovered pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records,” according to the University of Florida team.

“These findings confirm that the majority of these apps fail to provide the protections needed by financial services," they added.
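"Botched certificate validation" on Android usually means the app installs its own accept-everything X509TrustManager or HostnameVerifier to silence TLS errors, which lets anyone on the network path present an arbitrary certificate, sit between the app and the provider, and read or alter transactions in flight (the impersonation and in-flight modification the researchers describe). The snippet below is an added illustration written for this page, not code from the study or from any of the apps named in it; the class name TlsConfig and the assumption that the provider's CA certificate is bundled with the app as a PEM resource are both hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class for illustration only; not from the study or any named app.
public class TlsConfig {

    // The anti-pattern: a trust manager whose checks never throw, so every
    // certificate chain (self-signed, expired, issued for another host) passes.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // Companion anti-pattern: accept any hostname, defeating the name check even
    // if chain validation were intact.
    static final HostnameVerifier ALLOW_ALL = (hostname, session) -> true;

    // Broken: any network attacker can terminate TLS for this app.
    static SSLSocketFactory brokenFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ALL);
        return ctx.getSocketFactory();
    }

    // Hardened: trust only the CA certificate shipped with the app (assumed to be
    // supplied as a PEM stream from app resources), and leave the platform's
    // default hostname verifier in place so the name check still runs.
    static SSLSocketFactory pinnedFactory(InputStream pinnedCaPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(pinnedCaPem);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                 // empty in-memory store
        ks.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                        // PKIX validation against the single pinned anchor

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

With the pinned factory, a handshake against a certificate from any other issuer, including a publicly trusted CA that an attacker has obtained a certificate from, fails before any login or transaction data is sent; with the broken factory it succeeds silently, which is the failure mode a manual teardown of the login and transaction flows would expose.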

Six of the seven apps were rated insecure, with only Zuum, an app built by a partnership between MasterCard and Telefonica Brazil, judged secure.

Some of the providers slighted by the study have hit back. Bharti Airtel told Mobile World Live that the researchers looked at its myairtel recharge app rather than its Airtel Money app.

In any case, several improvements have been made to Airtel Money since the fieldwork for the research was carried out in October 2014.

El Reg canvassed the providers criticised in the study for comment via email and Twitter, but none had replied at the time of going to press.
