Digital Money Apps In India Are Unsafe & Unsecured – Researchers
As the message of ‘Digital India’ penetrates deeper into the psyche of Indians, the use of ‘money apps’ is slowly but steadily picking up. The market is now flooded with digital wallets and online money transfer apps that make the whole routine of visiting a bank branch obsolete.
In the next few years, we may see more and more Indians going digital, and more use of these money apps to carry out transactions while sitting on the couch.
But, are these money apps secure?
New research conducted at the University of Florida has revealed a bitter truth about these new digital wallets and mobile money apps from developing countries: the apps have severe security issues.
Researchers Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor and Kevin R.B. Butler from the University of Florida picked 7 Android-based mobile money apps capable of performing branchless banking operations. These apps have a combined user base of millions across these developing countries: Brazil, India, Indonesia, Thailand, and the Philippines. The apps were selected after an automated analysis of all 46 known Android-based money apps used across 246 known mobile money systems.
From India, three apps were selected: Oxigen Wallet, MoneyOnMobile and Airtel Money (not the Airtel Money app, but the money transfer feature inside the MyAirtel app). Of these, Airtel Money and MoneyOnMobile were found to have pathetic security protections, leaving users’ data vulnerable to fraud and scams.
Of the 7 apps tested, 6 had major security issues.
Patrick Traynor, a computer science professor and an author of the study, said, “It was worse than we expected.”
Airtel Money Security Issue
Although the researchers found the data within the MyAirtel app encrypted, the ‘key’ used to encrypt it was extremely easy to crack. The key is the series of numbers and letters that encodes the given information and is supposed to keep it safe. The researchers found that Airtel was using the same fixed set of 8 numbers/letters, followed by the user’s phone number and account number, as the key to encrypt the data; since the phone and account numbers are not secret, this makes the key extremely easy for hackers to reconstruct.
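To make the key problem concrete, here is an added Python example (not code from the article or from any of the apps it discusses) that contrasts a key built from a fixed 8-character string plus the user’s phone and account number with a key derived from a per-install random secret using HKDF (RFC 5869). The prefix, the sample identifiers and the secret are constructed placeholders; the article does not give the real constant. The `demo()` function shows why the first scheme offers no protection: the key can be rebuilt from the two identifiers alone, whereas the second cannot be rebuilt without the secret.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for a fixed 8-character string; not the real app's value.
FIXED_PREFIX = b"ABCD1234"


def weak_key(phone: str, account: str) -> bytes:
    """Key scheme of the kind the article describes: a constant followed by two
    public identifiers. Everything that goes into it is known to the operator,
    the user, and anyone who has seen a statement, receipt or SMS."""
    return FIXED_PREFIX + phone.encode() + account.encode()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a pseudorandom key from the
    input keying material, then expand it to `length` bytes bound to `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_device_secret() -> bytes:
    """Generate a 256-bit secret once per install. It belongs in the platform's
    key store (assumption: Android Keystore or equivalent), never in the code."""
    return secrets.token_bytes(32)


def strong_key(device_secret: bytes, phone: str, account: str) -> bytes:
    """Derive the data key from the secret. The identifiers only bind the key to
    this user (as HKDF `info`); they contribute no secrecy themselves."""
    return hkdf_sha256(device_secret, b"mobile-money-key-v1", phone.encode() + account.encode())


def demo(phone: str = "9876543210", account: str = "ACC-000123") -> dict:
    """Compare the two schemes on constructed sample identifiers."""
    secret = new_device_secret()
    real = strong_key(secret, phone, account)
    # Re-deriving from identifiers only: the weak scheme yields the same key every time.
    weak_reproducible = weak_key(phone, account) == weak_key(phone, account)
    # Without the stored secret the strong key cannot be rebuilt; a fresh secret gives a different key.
    strong_without_secret = strong_key(new_device_secret(), phone, account) == real
    return {
        "weak_reproducible": weak_reproducible,
        "strong_reproducible_without_secret": strong_without_secret,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the check is that a key must contain input the attacker does not have; a constant plus identifiers the service itself prints on receipts does not qualify, no matter how strong the cipher around it is.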
When contacted, Airtel representatives said, “We believe that our app meets the best industry standards and security practices,” adding that the version tested was older and that a new version of Airtel Money with better security features has been introduced.
But then, why was the older version with security flaws even allowed to be downloaded, if it can lead to hacks and scams?
The research paper, which will be presented at the USENIX Security conference in Washington, states specifically: “It is our belief that these applications create significant financial dangers for their users.”
MoneyOnMobile Security Risks
The MoneyOnMobile app also uses encryption to safeguard users’ data, but again the way it is implemented leaves it vulnerable to attack. Before encrypting the information, the servers automatically send the sensitive user data to an unsecured server, where it can easily be tampered with.
A representative of MoneyOnMobile said that the version tested by the researchers expired on August 15th, and that the newer version doesn’t encrypt data in a dangerous way.
Pretty lame excuse, considering that by the time a newer version is installed, all the data and money in a user’s account could have disappeared.
The report also mentioned that both the Oxigen and MyAirtel apps use SMS-based OTP verification, which is quite ineffective at controlling brute force and other advanced hacking techniques. And, as per the terms and conditions of these apps, the user is liable for any lost or stolen money, unlike in the US, where the company implementing the security is responsible.
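The brute-force part of that finding is about what the server does with an OTP, not about SMS itself. The added Python example below (not code from the article or from any of the apps) shows the server-side bookkeeping that bounds guessing: a code is single-use, expires after a short window, allows a fixed number of wrong attempts, then locks the account, and is compared in constant time. The digit count, time limits and user names are constructed placeholders, and the `now` parameter exists so the behaviour can be checked without waiting; delivery of the code (an SMS gateway) is assumed and not shown. Rate limiting addresses only the brute-force weakness, not the other attacks the report mentions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

OTP_DIGITS = 6           # constructed parameters, not taken from any app
OTP_TTL_SECONDS = 120    # a code is valid for two minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed per issued code
LOCKOUT_SECONDS = 900    # lock the account for 15 minutes after too many failures


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    failures: int = 0


@dataclass
class OtpVerifier:
    """Server-side OTP state. With MAX_ATTEMPTS guesses per 6-digit code and a
    lockout afterwards, an attacker gets at most 5 chances in 1,000,000 per code
    instead of an unbounded number of tries."""
    records: Dict[str, OtpRecord] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0.0) > now:
            raise PermissionError("account locked")
        # secrets.randbelow is unpredictable; random.randint would not be
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.records[user] = OtpRecord(code=code, issued_at=now)
        return code  # handed to the out-of-band channel (assumption: SMS gateway)

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        rec = self.records.get(user)
        if rec is None:
            return "no_active_code"
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self.records[user]
            return "expired"
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(rec.code, submitted):
            del self.records[user]  # single use: a replayed code is rejected
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_ATTEMPTS:
            del self.records[user]
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("demo-user")
    print("wrong guess:", v.verify("demo-user", "000000" if code != "000000" else "000001"))
    print("right code:", v.verify("demo-user", code))
    print("replay:", v.verify("demo-user", code))
```

The lock applies to the account, not the client address, because SMS brute force is typically distributed across many sources; the failure counter travels with the issued code so that requesting a fresh OTP does not reset the budget while a lockout is in force.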
Earlier, we reported how money was mysteriously disappearing from the wallets of PayTm and Mobikwik users through unauthorized pizza payments. At a time when the RBI is increasing payment limits on digital wallets, and users can book cabs, buy movie tickets, load money without having a bank account, purchase goods from offline retailers, carry out international transactions and more, this research into security flaws is certainly alarming.
You can find the entire report titled: “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World” here.