A TechCrunch article introduced Number 26 as ‘A Bank Designed For The 21st Century’: a German startup that promised to fix the problems of European banking, backed by a German banking license and over $50 million in funding. So far, so similar to a lot of other European fintech startups that aim to replace banks, right down to the severe mobile app security vulnerabilities that put their users’ trust, and the wider project of modern banking, at risk.
In December, Vincent Haupert, a research fellow at the University of Erlangen-Nuremberg, gave a presentation at the Chaos Communication Congress titled ‘Shut up and Take My Money! – The Red Pill of N26 Security’ on the problems in the N26 app’s security infrastructure that he found while doing mobile app security testing (watch his presentation on the Chaos Computer Club website).
The headline findings were that putting both factors of two-factor authentication on one device breaks the 2FA paradigm, and that new authentication modes such as voice assistants open new channels of attack.
Haupert matched the 68 million account credentials from the Dropbox leak against N26’s software feed to identify the credentials of 33,000 N26 users. The anti-fraud systems that N26 has in place, despite its claims for their top-of-the-range capabilities, failed to detect the breach.
With these credentials it would be simple to send phishing emails tricking the N26 users into handing over access to their accounts. Haupert went on to show how he was able to gain control of their accounts, move money, and apply for an overdraft.
Haupert also covered how:
- N26 failed to use certificate pinning, making it easy to run a man-in-the-middle (MITM) attack
- the value of a transaction could be changed without triggering any alerts
- the Siri API could be used to initiate 2,000 transactions in 30 seconds
- going through password recovery broke the 2FA model
- N26 was storing user contact details in plain text
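As an added illustration of the defence against two of the findings above (changing a transaction’s value without an alert, and firing off transfers at high velocity), the following server-side authorization logic binds the 2FA confirmation to the exact transaction details with an HMAC and enforces a per-account velocity limit. This is example code written for this page, not N26’s code or anything from Haupert’s talk; the server key, the thresholds, the account id and the IBAN are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field

# Hypothetical server-side MAC key; in production this would live in an HSM/KMS.
SERVER_KEY = secrets.token_bytes(32)

# Constructed velocity thresholds (not N26's): at most MAX_TRANSFERS confirmed
# transfers per account in any WINDOW_SECONDS window.
MAX_TRANSFERS = 5
WINDOW_SECONDS = 60


def _canonical(account: str, payee_iban: str, amount_cents: int, nonce: str) -> bytes:
    # Fixed field order with a delimiter, so every detail the user confirmed on
    # the 2FA device is covered by the MAC and cannot be reordered or split.
    return f"{account}|{payee_iban}|{amount_cents}|{nonce}".encode()


def issue_confirmation(account: str, payee_iban: str, amount_cents: int) -> dict:
    """Step 1: the user reviews exactly these details during 2FA; the server
    returns a one-time token bound to them ("what you see is what you sign")."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, _canonical(account, payee_iban, amount_cents, nonce),
                   hashlib.sha256).hexdigest()
    return {"nonce": nonce, "tag": tag}


@dataclass
class Ledger:
    used_nonces: set = field(default_factory=set)
    history: dict = field(default_factory=dict)  # account -> deque of timestamps

    def authorize(self, account: str, payee_iban: str, amount_cents: int,
                  token: dict, now: float) -> tuple:
        """Step 2: the execution request must match the confirmed details exactly,
        must not replay a used confirmation, and must stay under the velocity limit.
        Returns (ok, reason)."""
        expected = hmac.new(SERVER_KEY,
                            _canonical(account, payee_iban, amount_cents, token["nonce"]),
                            hashlib.sha256).hexdigest()
        # A changed amount or payee yields a different MAC, so tampering between
        # confirmation and execution is rejected rather than silently executed.
        if not hmac.compare_digest(expected, token["tag"]):
            return False, "confirmation does not cover these transaction details"
        if token["nonce"] in self.used_nonces:
            return False, "confirmation already used (replay)"
        window = self.history.setdefault(account, deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_TRANSFERS:
            return False, "velocity limit exceeded"
        self.used_nonces.add(token["nonce"])
        window.append(now)
        return True, "ok"


if __name__ == "__main__":
    ledger = Ledger()
    iban = "DE00 0000 0000 0000 0000 00"  # constructed placeholder IBAN
    tok = issue_confirmation("acct-1", iban, 1000)
    print(ledger.authorize("acct-1", iban, 1000, tok, now=0.0))     # (True, 'ok')
    tok = issue_confirmation("acct-1", iban, 1000)
    print(ledger.authorize("acct-1", iban, 999900, tok, now=1.0))   # amount tampered
```

The velocity window is only advanced for requests that pass the integrity check, so a flood of tampered or replayed requests is rejected on its own terms and is visible in the returned reason, which is the point at which an anti-fraud system should raise an alert.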
N26 showed the typical attitude of a lot of fintech companies: failing to design security into the app’s architecture, to do proper mobile app security testing, or to pause and carve out a security budget from their astronomical funding. When Haupert got in touch with N26, their response was that it was more of a theoretical security vulnerability. N26 has prior form for security issues with the MasterCard card that Number 26 issues, such as the man-in-the-middle attack exposed by Christian Hawkins in 2016.
N26 is fortunate that Haupert is ethical; otherwise it might need the insurance provided by its German banking license.
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.