DOI: 10.1145/3339252.3340103 | ARES Conference Proceedings | Research article

The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study

Published: 26 August 2019

Abstract

Internet banking has become the primary way of accessing banking services for most customers, but its security is still a constant concern, since millions of dollars are still lost every year to fraud. Over time, banks and customers overcame their initial distrust of the technology and learned how to secure their operations. However, there are still many lessons to learn, particularly when looking at upcoming technological developments. To understand the lessons learned over time and to help shed light on possible future developments, we review the past and present of internet banking implementations in Brazil, a country that has widely adopted this type of service and is an early adopter of new banking technologies, and is thus targeted by many threats. We show how internet banking evolved from desktop software to mobile apps and how attackers also evolved from phishing e-mails to complete phishing applications targeting Brazilian users. We also performed a detailed security analysis of the Brazilian banking apps available in the Android app store and found that developers still fail to follow secure development practices, causing banking apps to leak users' sensitive data. Moreover, we also looked at the future to present new attacks that may threaten users in the short term. In particular, we demonstrate an attack against a WhatsApp-based transaction mechanism implemented by some Brazilian banks.


Cited By

  • (2024) Cross-Regional Malware Detection via Model Distilling and Federated Learning. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, 97-113. DOI: 10.1145/3678890.3678893. Online publication date: 30 Sep 2024.
  • (2023) An Industrial Practice for Securing Android Apps in the Banking Domain. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, 1870-1875. DOI: 10.1109/ASE56229.2023.00057. Online publication date: 11 Nov 2023.
  • (2021) One Size Does Not Fit All. ACM Transactions on Privacy and Security 24(2), 1-31. DOI: 10.1145/3429741. Online publication date: 21 Jan 2021.


Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019, 979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • DAAD
  • CNPQ
  • CAPES

Conference

ARES '19
Overall Acceptance Rate: 228 of 451 submissions, 51%

Article Metrics

  • Downloads (last 12 months): 58
  • Downloads (last 6 weeks): 9
Reflects downloads up to 28 Dec 2024
