Figure 6 - uploaded by Dominik Maier
Source publication
This paper looks at N26, a pan-European banking startup and the poster child for young FinTech companies. We assess how security is treated by startups that provide disruptive technologies in the financial sector. In an area that has been committed to security, we find that FinTech companies have modern designs and outstanding user experience as th...
Context in source publication
Context 1
... (Figure 6 table labels: leaks, Resettable, ID leaks, Guessable) As summarized in Figure 6, an attacker can unpair a victim's phone without having access to the email account, without knowing the transfer PIN, and without possessing either the MasterCard or the SIM. After a successful attempt at unpairing, an attacker can simply pair a new phone. ...
Citations
... So far, FinTechs often tend to deprioritize IS and the compliance of certain regulations, or their prioritization lacks sophisticated approaches (Gai et al., 2017; Haupert et al., 2017). The resulting risks can lead to regulatory issues, including financial penalties, or have significant adverse effects on revenues due to declining customers' trust (Mahalle et al., 2018). ...
The number of FinTechs has been proliferating over the last decades. While their innovative offerings inherit disruptive potential, the security of their cloud services remains a fundamental issue. Tight budgets and the need for rapid product development force FinTechs to focus on the most necessary information security measures (ISMs) that ensure regulatory compliance and avoid customer losses due to security incidents. The question arises of how FinTechs should prioritize ISMs. To answer this question, we follow design science research to develop an artifact by which cloud service using and providing FinTechs can obtain a prioritized list of ISMs. Our resulting artifact builds upon extant research on FinTechs and information security (IS), relevant regulatory frameworks, and the shared responsibility model for cloud services. Our research contributes to the conceptualization of integrated ISM prioritization for FinTechs and provides practitioners with a structured prioritization approach based on a standardized logic.
... Arvidsson (2014) investigated consumer attitudes towards mobile phone payments in a study that included Swedish consumers and found that the adoption of a new payment system is linked to perceived ease of use, age, income, trust, and perceived security risks. Security is considered to be a major issue in mobile payment, and studies have shown that attackers could have access to customers' accounts due to server security vulnerabilities (Haupert et al., 2017). ...
Poverty alleviation has become one of the biggest challenges for many countries, and access to financial services is considered to be a key driver of development and economic growth. Finding solutions that can break down the barriers that poor people face in accessing formal financial services has become a major concern for researchers, governments, and financial institutions. Financial services must reinvent themselves, and the adoption of new technology is a crucial key to overhauling their operations and to finding innovative solutions to manage customer expectations. The escalation in access and penetration level of mobile phones and the Internet can improve financial inclusion by facilitating easy access to financial services, by providing secure transaction platforms, by reducing transaction costs, and by providing a competitive business framework.
There has been relatively limited research on the impact of Internet and mobile phones use on financial inclusion, therefore our main purpose was to investigate this linkage in a sample of 11 post-communist countries of the European Union from 1996–2017 using panel cointegration and causality analyses. Firstly, we investigated whether mobile cellular phone subscriptions and the rate of Internet usage affect financial institutions’ access; secondly, we analysed the impact of these variables on financial market access. Results indicate that mobile cellular phone subscriptions positively affect both financial institution access in countries like Hungary, Latvia, Lithuania, Poland, and Slovenia and financial market access in Bulgaria, Croatia, and Hungary. Also, a negative relationship between mobile cellular phone subscriptions and financial institution access was noticed in the Czech Republic and regarding financial market access in the Czech Republic and Poland. Our findings also indicate both positive and negative relationships between Internet usage rates and financial institutions and financial markets access. By increasing Internet usage we can improve access to financial institutions in Bulgaria, Croatia, Czech Republic, Hungary, and Poland and we can increase financial markets access in Latvia and Slovenia.
First published online 13 April 2021
... Technological advancement, digitalization, and globalization benefit countries, companies, and potential stakeholders and invigorate a growing community of hackers to take advantage of the same advancement in the tech world at a rapid pace. Financial institutions take a significant shift (e.g., fintech sandbox) from the last decades due to this technological innovation (Haupert et al., 2017). In some cases, innovation runs ahead of security development (Arakji and Lang, 2007). ...
In the new and evolving digitalized world, cybersecurity threats have placed the assets and information of corporations, institutions, governments, and individuals at constant risk. Banks are not an exception. Offering low interest rates is becoming the fundamental strategic move of banks to sustain themselves. Due to the high demand for a tailored portfolio of financial products, the availability of sophisticated communication and advanced transaction mechanisms leads to the emergence of a new type of competitor known as financial technology service (i.e., fintech). The collaboration between these fintech organizations and banks has recently increased to provide fine-tuned service to the consumer and satisfy emerging market needs. However, this collaboration between banks and fintech firms has triggered significant cybersecurity risk. Hence, the dilemma is whether the bank should embrace such collaboration to resuscitate the profit margin or be pragmatic and shirk it to eliminate sustainability risk. We argue that the alliance between bank and fintech firms triggers a high level of cybersecurity risk. We propose a theoretical model and discuss various types of cybersecurity risks. The benefit (or cost, if any) of having an alliance could be enormous in yielding profitability and increasing sustainability if both fintech and banks collaboratively abate the cybersecurity risks.
... According to the prior studies, perceived trust has been confirmed as a critical factor that positively influences the adoption of M-payment" (Al-Saedi et al., 2020: 2). This is only compounded by the fact that as m-payment has become more popular there has been a rush to capture market share which in some cases has come at the expense of secure systems (Haupert et al., 2017). ...
Mobile payment applications are becoming more and more prevalent around the world. Especially during COVID-19, mobile payment applications were seen as a contactless and thus safer alternative to cash. It is expected that such technology-based solutions are especially attractive to Generation Z, a cohort that grew up with technology. And while Gen Z is considered to be a global cohort, the technological divide between developed and developing nations has meant that members of this cohort in countries like Thailand did not have the same exposure and thus do not have the ensuing relationship with technology. This empirical study utilized a survey to quantitatively investigate the extent to which espoused national cultural values impact Thai Gen Z's technology acceptance of mobile payment. The survey was distributed to cohort members at a university in Bangkok, Thailand. It was found that this generation of Thais are generally willing to adopt mobile payment with the espoused national cultural value of collectivism influencing the extent to which they trust the system as well as the extent to which they seek and perceive that others important to them want them to use the system.
... • Data security - Haupert et al. (2017) assessed how security is treated by start-ups that provide disruptive technologies in the financial sector. They found that FinTech companies have a new business model and outstanding user experience as their main priority. ...
... Android nowadays has adopted a mixed approach to app security, betting on safeguards in the runtime environment, e.g., the Trusted Execution Environments (TEE) on mobile phones, encryption and signature standards on both the mobile phone and the app itself, and lastly, also obfuscation mechanisms targeted at protecting the app's source code, e.g., ProGuard [87], which is even part of Android's build process. Research soon revealed Dalvik-only solutions to be severely limited as protection mechanisms, which proved to be ineffective and sometimes even reversible in an automated fashion [69,92]. ...
In this thesis, we investigate different possibilities to protect the Android ecosystem better. We focus on protection mechanisms for application developers, and present modern attacks against sandbox-protected applications and the developer's intellectual property, ultimately providing enhanced approaches for defense against these attacks. Our defensive approaches range from runtime-shielding measures to analysis-impeding obfuscation mechanisms. First, we take a closer look at communication possibilities of sandboxed applications on Android, namely the UI layer and Android's inter-process communication. We introduce attacks on applications working through the actors on Android's UI, starting with overlay windows, accessibility services, input editors, and screen captures. Android's inter-process communication is the second attack avenue we pursue. It is the primary means of communication for apps to interact with each other despite being sandboxed by the Android system. We show through assessments of the Google Play Store and third-party app stores that attacks on these mechanisms pose a blind spot in current attack models considered by developers. To provide relief, we introduce new protection mechanisms that developers can implement and enhance testing methodologies to consider these attacks in the future. Second, we direct the reader's attention towards attacks on the developer's intellectual property. Due to Android's open-source nature and openly communicated standards, a trend of repackaging popular applications with malicious enhancements and republishing the malicious app has rooted itself in the malware community. To counteract this development, we present an enhanced centroid-based approach to clone detection and improved analysis-impeding obfuscation mechanisms that build on virtualization-based obfuscation.
Our obfuscation approach works on Android’s current runtime environment, as well as the previously employed ‘Dalvik virtual machine’, and can be used to obfuscate critical portions of an application’s functionality against prying eyes. To make valid assumptions about the strength of virtualization-based obfuscation, we conduct a de-obfuscation study on the more mature x86/x64 platform, developing a reverse engineering approach for virtualization-obfuscated binaries. We analyzed several hundred thousand Android applications during our research with automated approaches and several thousand apps with manual analysis, always opting for a responsible disclosure process of found vulnerabilities by providing developers with at least three months’ due notice before attempting a publication. The tools presented in this thesis are open-sourced under the MIT license, to help in the inclusion of development projects and their extension or further development. With the insights gained through the research for this thesis, we hope to provide developers with the tools and testing approaches they need to make the Android ecosystem more secure and safe.
... In this same sense, we evaluated the Brazilian banking ecosystem to highlight local trends already present in Brazil that might scale to the world scenario, such as WhatsApp-based transactions. FinTechs are the future of electronic banking, thus causing attack models to change, as already seen (e.g., in Germany [29]). In this sense, we leveraged the Brazilian scenario to demonstrate how fintech strategies, such as complete paper elimination, shaped the development of the new banking apps by causing the elimination of third-party libraries. ...
Internet banking has become the primary way of accessing banking services for most customers, but its security is still a constant concern, since millions of dollars are still lost every year due to fraud. Over time, banks and customers overcame the initial technology distrust and learned how to secure their operations. However, there are still many lessons to learn, mainly when looking at upcoming technological developments. To understand the lessons learned over time and also to help shed light on possible future developments, we review the past and the present of internet banking implementations in Brazil, a country widely adopting this type of service and an early adopter of new banking technologies, and thus targeted by many threats. We show how Internet banking evolved from desktop software to mobile apps and how attackers also evolved from phishing mails to complete phishing applications to target Brazilian users. We also performed a detailed security analysis of Brazilian banking apps available in the Android app store and identified that developers still fail to follow secure development practices, thus causing banking apps to leak users' sensitive data. Moreover, we also looked to the future to present new attacks which can threaten users in the short term. In particular, we demonstrate an attack against a WhatsApp-based transaction mechanism implemented by some Brazilian banks.
The acceleration of cyber-attacks in the past few years certainly has negative influences on investors' and shareholders' trust in firms' abilities to protect their interests. This is likely to be reflected in the firms' share price. Thus, the influence of cybersecurity on firms' overall performance is a questionable issue. To be able to proceed through the cyber risks, firms face the challenge of enhancing their cybersecurity to avoid and combat the endless cyber-attacks. Further to that, studies that cast light on the relationship between cybersecurity and firms' performance from a holistic perspective are lacking.
Riding on the widespread user adoption of mobile payment, a growing number of mobile apps have integrated the service from third-party payment service providers, or so-called Cashiers. Despite its prevalence and critical nature, no existing standard can guide the secure deployment of mobile payment. Thus, the protocol designs and implementations from different Cashiers are diverse. Given the complicated multi-party interactions in mobile payment, either the Cashiers or the apps may not fully consider various threat models, which enlarges the attack surface and causes exploits with severe consequences, ranging from financial loss to privacy violations. In this paper, we perform an in-depth security analysis of real-world third-party payment services for mobile apps. Specifically, we examine the mobile payment systems from five top-tier Cashiers that serve over one billion users globally. Leveraging insecure protocol designs and practical implementation flaws, e.g., vulnerable backend SDKs for mobile apps, we have discovered six types of exploits. These exploits enable the attacker to violate user privacy and shop for free in the victim apps, affecting millions of users. Finally, we propose fixes to defend against these exploits. We have shared our findings with the affected Cashiers and got their positive responses.
Abstract
An established method in security research for finding vulnerabilities in software is reverse engineering. Does such an analysis of programs violate copyright law? After publishing vulnerabilities they had found, several German research teams received cease-and-desist declarations as well as applications for preliminary injunctions from a vendor of security software.