Live Demo: Compromising Modern Online Banking Apps through Hijacking an Android Device
Compromising Mobile Banking Apps
Svetlin Nakov, PhD
Co-Founder, Innovation and Inspiration
@ Software University (SoftUni)
https://nakov.com
Software University (SoftUni) – http://softuni.org
- Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+ technical books
- 3 successful tech educational initiatives (150,000+ students)
About Dr. Svetlin Nakov
2
- Most modern banking apps are insecure!
- Compromised smartphone == hacked mobile banking
- Multi-factor authentication from a single device == single-factor authentication!
  - First factor: username + password / PIN
    - A hacked smartphone provides all its saved passwords!
  - Second factor: OTP generator, implemented as a mobile app
    - Controlled remotely by the hackers!
  - Third factor: email or SMS confirmation (also hacked)
Modern Banking Apps are Insecure!
3
- Physical access to the device
  - Attackers directly install a remote control app / malware
- No physical access
  - Attackers trick the user into installing malware
  - Fake app in the app store / phishing / spoofing / other attack
- Remote control of the device (100% full access)
  - Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform
Hijacking Android Mobile Phone
4
Warning!
1. Gain physical access to the mobile device
  - E.g. "Can you take a photo of me? … Can I email myself the photo?"
Hijacking Android Mobile Phone – Example
6
2. Install TeamViewer Host from the official app store
3. Log in to a TeamViewer account
4. Now the device is ready to connect
Hijacking Android Mobile Phone – Example
7
Alternative: AnyDesk Remote Control
8
5. Hide app notifications (optional)
  - This makes the remote control invisible to the phone owner
Hijacking Android Mobile Phone – Example
9
Hijacking Android Mobile Phone – Example
10
6. Connect remotely with TeamViewer Remote Control
  - View the phone's screen and click on it remotely
7. Wait for the smartphone owner to unlock the device
  - Remember the screen lock pattern
  - Most smartphones use a lock screen
  - Unlocking is done by a screen swipe, or with a pattern, PIN or biometry
Hijacking Android Mobile Phone – Example
11
Hijacking Android Mobile Phone – Example
12
8. View the saved passwords from the web browser
- In some Android versions, apps may use Display.FLAG_SECURE to prevent screen capturing or recording
  - This helps only partially!
  - In Chrome, passwords are hidden, but they can be copied to the clipboard!
  - Some screen recording apps bypass this "black screen" protection
Some Apps Prevent Screen Capturing
13
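The slide above names two separate leaks, screen capture and clipboard copy, and points out that FLAG_SECURE addresses only the first. The Kotlin Activity below is an added example written for this page, not code from the deck or from any bank's app; it shows how a sensitive screen in an Android banking app applies the window flag and, on top of that, removes the copy/cut menu from a field that displays a secret in clear text. The class name `LoginActivity`, the layout `R.layout.activity_login` and the view id `R.id.sensitive_value` are assumptions. As the slide says, this is a partial measure: it stops MediaProjection-based recording and screenshots of this window, but not a recorder running with root or accessibility privileges, and it does nothing for secrets that live outside the app, such as Chrome's saved passwords.

```kotlin
// Added example (not from the original deck): hardening one sensitive Android
// screen against the two leaks the slide names, screen capture/recording and
// clipboard copy. LoginActivity, R.layout.activity_login and R.id.sensitive_value
// are hypothetical names.
import android.os.Bundle
import android.view.ActionMode
import android.view.Menu
import android.view.MenuItem
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity

class LoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // FLAG_SECURE marks the window content as secure: the system leaves it out
        // of screenshots, MediaProjection screen recordings and non-secure displays
        // (screen mirroring). A remote-control tool that captures the screen through
        // MediaProjection sees a black rectangle where this window is. Set it before
        // the first frame is drawn, i.e. before setContentView.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login)

        // FLAG_SECURE says nothing about the clipboard: whatever can be copied can
        // be read by whoever controls the device. Password-typed EditTexts already
        // refuse copy; this covers values the app has to show in clear text, such
        // as a displayed one-time code or an account number.
        hardenSensitiveField(findViewById(R.id.sensitive_value))
    }

    private fun hardenSensitiveField(field: TextView) {
        // No long-press selection on this view.
        field.isLongClickable = false
        // Refuse both the selection and the insertion action modes, so the
        // "Copy" / "Cut" / "Share" toolbar is never built for this field.
        val noActionMode = object : ActionMode.Callback {
            override fun onCreateActionMode(mode: ActionMode, menu: Menu) = false
            override fun onPrepareActionMode(mode: ActionMode, menu: Menu) = false
            override fun onActionItemClicked(mode: ActionMode, item: MenuItem) = false
            override fun onDestroyActionMode(mode: ActionMode) {}
        }
        field.customSelectionActionModeCallback = noActionMode
        field.customInsertionActionModeCallback = noActionMode // API 23+
    }
}
```

A quick way to check the flag on a test device is to take a screenshot while the screen is open: with FLAG_SECURE in place the system refuses the capture (or produces a black image, depending on the Android version), which is the same behaviour a screen recorder gets.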
Hijacking Android Mobile Phone – Example
14
9. Install a screen recorder to collect passwords and PIN codes through screencast videos
  - Wait for the phone owner to log in to the online banking
  - Or use a screen recorder
  - The username + password will be revealed
Watching the Online Banking Passwords
15
Hijacking Android Mobile Phone – Example
16
10. The mobile banking credentials can also be taken
11. Uninstall TeamViewer Host (hide your tracks, optional)
Hijacking Android Mobile Phone – Example
17
Fixing the Online Banking Security
Recommendations and Best Practices
- Use hardware OTP generators
- Use biometry to unlock the OTP generator (like Revolut)
Fixing the Online Banking Security
19
- Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps
- Recommendations for improved mobile device security
  - Beware of the apps you install; avoid suspicious apps
  - Don't give your phone to anyone (e.g. to kids to play games)
  - Prefer biometry (fingerprint, face ID) to unlock the screen
  - iOS is generally more secure than Android
    - iOS does not support remote control (only remote view)
  - Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone)
Improving the Mobile Device Security
20
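The deck's central claim (slide 3) is that two factors on one compromised phone collapse into one, and its closing recommendation is two-factor authentication with two separate devices. The following Kotlin example, added for this page and not taken from the deck or any bank's code, shows what that recommendation looks like on the server: an RFC 6238 TOTP check combined with a policy that refuses an OTP approval coming from the same device that holds the password session. The class and field names (`SecondFactorPolicy`, `LoginSession`, `OtpApproval`, `Enrolment`) and the device identifiers are assumptions; the seed `12345678901234567890` and the time 59 are the published RFC 4226/6238 test vector. Kotlin is used to match the Android example above; the same logic is language-neutral.

```kotlin
// Added example (not from the original deck): a server-side second-factor check
// that enforces the "two separate devices" recommendation. All names are
// hypothetical; the enrolment data in main() is constructed for the demo.
import java.nio.ByteBuffer
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

/** RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, truncated to 6 digits. */
fun totp(secret: ByteArray, unixSeconds: Long, digits: Int = 6, stepSeconds: Long = 30): String {
    val counter = ByteBuffer.allocate(8).putLong(unixSeconds / stepSeconds).array()
    val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(secret, "HmacSHA1")) }
    val hash = mac.doFinal(counter)
    val offset = hash.last().toInt() and 0x0f            // RFC 4226 dynamic truncation
    val binary = ((hash[offset].toInt() and 0x7f) shl 24) or
        ((hash[offset + 1].toInt() and 0xff) shl 16) or
        ((hash[offset + 2].toInt() and 0xff) shl 8) or
        (hash[offset + 3].toInt() and 0xff)
    var modulus = 1
    repeat(digits) { modulus *= 10 }
    return (binary % modulus).toString().padStart(digits, '0')
}

/** A password login that was accepted, and the device it came from. */
data class LoginSession(val userId: String, val deviceId: String)

/** An OTP submitted to confirm that login, and the device that submitted it. */
data class OtpApproval(val userId: String, val code: String, val deviceId: String)

/** Per-user enrolment: the TOTP secret and the device registered as the OTP device. */
class Enrolment(val totpSecret: ByteArray, val otpDeviceId: String)

class SecondFactorPolicy(private val enrolments: Map<String, Enrolment>) {

    /** True only if the code is valid AND came from a different device than the login. */
    fun approve(session: LoginSession, approval: OtpApproval, nowUnixSeconds: Long): Boolean {
        if (session.userId != approval.userId) return false
        val enrolment = enrolments[session.userId] ?: return false

        // Independence check: the device holding the password session may not also
        // be the device producing the second factor. Without this, a compromised
        // phone that runs both the banking app and the OTP app is a single factor.
        if (approval.deviceId != enrolment.otpDeviceId) return false
        if (approval.deviceId == session.deviceId) return false

        // Accept the current step and one step either side for clock drift,
        // comparing in constant time.
        val submitted = approval.code.toByteArray()
        return (-1L..1L).any { drift ->
            val expected = totp(enrolment.totpSecret, nowUnixSeconds + drift * 30).toByteArray()
            MessageDigest.isEqual(expected, submitted)
        }
    }
}

fun main() {
    // Constructed enrolment: RFC 4226/6238 test seed, "laptop-1" as the login
    // device and "phone-1" as the OTP device. Not real credentials.
    val seed = "12345678901234567890".toByteArray()
    val policy = SecondFactorPolicy(mapOf("alice" to Enrolment(seed, "phone-1")))
    val now = 59L  // RFC 6238 test time; the 6-digit code for this seed at T=59 is 287082
    val code = totp(seed, now)
    check(code == "287082") { "TOTP does not match the RFC test vector" }

    // Laptop logs in, phone confirms: two devices, accepted.
    val fromLaptop = LoginSession("alice", "laptop-1")
    check(policy.approve(fromLaptop, OtpApproval("alice", code, "phone-1"), now))

    // Phone logs in AND phone confirms: one device, rejected although the code is right.
    val fromPhone = LoginSession("alice", "phone-1")
    check(!policy.approve(fromPhone, OtpApproval("alice", code, "phone-1"), now))

    println("second-factor policy checks passed")
}
```

The policy is only as strong as the device identity behind `deviceId`: it has to be established at enrolment and bound to the device (for example a key held in the device's hardware keystore, or a hardware OTP token as slide 19 recommends), not a string the client asserts in the request, otherwise a remote-controlled phone can simply claim to be the laptop.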
https://nakov.com
Compromising Mobile Banking Apps

Compromising Mobile Banking Apps (Nakov @ DigiPay 2020)

  • 1. Live Demo: Compromising Modern Online Banking Apps through Hijacking Android Device
    - Compromising Mobile Banking Apps
    - Svetlin Nakov, PhD
    - Co-Founder, Innovation and Inspiration @ Software University (SoftUni)
    - https://nakov.com
    - Software University (SoftUni) – http://softuni.org
  • 2. About Dr. Svetlin Nakov
    - Software engineer, trainer, entrepreneur, inspirer, PhD, author of 15+ technical books
    - 3 successful tech educational initiatives (150,000+ students)
  • 3. Modern Banking Apps are Insecure!
    - Most modern banking apps are insecure!
    - Compromised smartphone == hacked mobile banking
    - Multi-factor authentication from a single device == single-factor authentication!
      - First factor: username + password / PIN
        - A hacked smartphone provides all its passwords!
      - Second factor: OTP generator, implemented as a mobile app
        - Controlled remotely by hackers!
      - Third factor: email or SMS confirmation (also hacked)
  • 4. Hijacking Android Mobile Phone
    - Physical access to the device
      - Attackers directly install a remote control app / malware
    - No physical access
      - Attackers trick the user into installing malware
        - Fake app in the app store / phishing / spoofing / other attack
    - Remote control of the device (100% full access)
      - Collect credentials (passwords, PIN codes), impersonate the phone owner, perform everything the phone owner can perform
  • 6. Hijacking Android Mobile Phone – Example
    - 1. Gain physical access to the mobile device
      - E.g. "Can you take a photo of me … Can I email myself the photo?"
  • 7. Hijacking Android Mobile Phone – Example
    - 2. Install TeamViewer Host from the official app store
    - 3. Log in to a TeamViewer account
    - 4. Now the device is ready to connect
  • 9. Hijacking Android Mobile Phone – Example
    - 5. Hide app notifications (optional)
      - This makes the remote control invisible to the phone owner
  • 10. Hijacking Android Mobile Phone – Example
    - 6. Connect remotely with TeamViewer Remote Control
      - View the phone's screen and click on it remotely
  • 11. Hijacking Android Mobile Phone – Example
    - 7. Wait for the smartphone owner to unlock the device
      - Remember the screen lock pattern
      - Most smartphones use a lock screen
      - Unlocking is done by screen swipe, pattern, PIN or biometry
  • 12. Hijacking Android Mobile Phone – Example
    - 8. View the saved passwords from the Web browser
  • 13. Some Apps Prevent Screen Capturing
    - In some Android versions, apps may use Display.FLAG_SECURE to prevent screen capturing or recording
    - This may help only partially!
      - In Chrome, passwords are invisible but can be copied to the clipboard!
      - Some screen recording apps bypass this "black screen" protection
  • 14. Hijacking Android Mobile Phone – Example
    - 9. Install a screen recorder to collect passwords and PIN codes through screencast videos
  • 15. Watching the Online Banking Passwords
    - Wait for the phone owner to log in to the online banking
      - Or use a screen recorder
    - The username + password will be revealed
  • 16. Hijacking Android Mobile Phone – Example
    - 9. The mobile banking credentials can also be taken
  • 17. Hijacking Android Mobile Phone – Example
    - 10. Uninstall TeamViewer Host (hide your tracks, optionally)
  • 18. Fixing the Online Banking Security
    - Recommendations and Best Practices
  • 19. Fixing the Online Banking Security
    - Use hardware OTP generators
    - Use biometry to unlock the OTP generator (like Revolut)
    - Use Display.FLAG_SECURE in Android to disable screen capture in sensitive apps
  • 20. Improving the Mobile Device Security
    - Recommendations for improved mobile device security
      - Beware of the apps you install: avoid suspicious apps
      - Don't give your phone to anyone (e.g. to kids to play games)
      - Prefer biometry (fingerprint, face ID) to unlock the screen
      - iOS is generally more secure than Android
        - iOS does not support remote control (only remote view)
      - Use two-factor authentication with 2 separate devices (e.g. laptop + smartphone)
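Added example for slides 13 and 19, not code from the presentation: an Android OTP screen that sets the window flag `WindowManager.LayoutParams.FLAG_SECURE` (the flag behind the "black screen" protection the slides describe) and blocks clipboard copying, and that keeps the HMAC key for the one-time code in the Android Keystore with user authentication required, so an operator who can see and tap the screen remotely still cannot compute a code without the owner's fingerprint or face. It assumes the androidx.biometric library; `OtpActivity`, `R.layout.activity_otp`, `R.id.otp_view` and the key alias are hypothetical names.

```java
import android.os.Bundle;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.view.WindowManager;
import android.widget.TextView;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;

// Added example; layout ids and the key alias are hypothetical names.
public class OtpActivity extends FragmentActivity {
    private static final String KEY_ALIAS = "otp_hmac_key";

    @Override protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        // FLAG_SECURE blanks this window in screenshots, screen recorders and mirrored/remote displays.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_otp);
        TextView otpView = findViewById(R.id.otp_view);
        otpView.setLongClickable(false);  // no long-press selection, so the code cannot be copied to the clipboard
        try {
            KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null);
            if (!ks.containsAlias(KEY_ALIAS)) {  // enrolment: the HMAC key is generated once, inside the keystore
                KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA1, "AndroidKeyStore");
                kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                        .setUserAuthenticationRequired(true).build());  // each use needs a fresh user authentication
                kg.generateKey();
            }
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(ks.getKey(KEY_ALIAS, null));  // init is permitted; doFinal fails until the user authenticates
            BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder().setTitle("Unlock one-time code")
                    .setNegativeButtonText("Cancel")
                    .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build();
            new BiometricPrompt(this, ContextCompat.getMainExecutor(this), new BiometricPrompt.AuthenticationCallback() {
                @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                    otpView.setText(totp(r.getCryptoObject().getMac()));  // computed only after the biometric succeeds
                }
            }).authenticate(info, new BiometricPrompt.CryptoObject(mac));
        } catch (Exception e) { otpView.setText(""); }  // keystore or biometric failure: show nothing
    }

    // RFC 6238 TOTP (30-second step, 6 digits) over the biometric-unlocked Mac.
    private static String totp(Mac mac) {
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(System.currentTimeMillis() / 30000L).array());
        int off = h[h.length - 1] & 0x0F;
        int bin = ((h[off] & 0x7F) << 24) | ((h[off + 1] & 0xFF) << 16) | ((h[off + 2] & 0xFF) << 8) | (h[off + 3] & 0xFF);
        return String.format("%06d", bin % 1_000_000);
    }
}
```

The slides note that some recorders bypass FLAG_SECURE; the keystore gate is what still holds in that case, since a recorded code expires with its 30-second step and the next one cannot be computed without a new biometric.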