Drilling through APP loopholes and stealing tens of millions of properties, how can mobile finance move forward safely?

Recently, the Shanghai Xuhui Public Security Bureau, under the guidance of the Criminal Investigation Corps, the Cyber Security Corps and other relevant units of the Shanghai Municipal Public Security Bureau, and with the assistance of public security organs across the country, successfully solved a series of extraordinarily large network theft cases after 6 months of continuous effort.

The incident originated on February 27, 2017. A financial information service company found that one of its APP products had been attacked by hackers and that RMB 10.56 million had been illegally withdrawn within half a day, and it reported the matter to the public security organ. The public security organs began investigating immediately and raced to sort through the server data of the APP platform. On the same day, the suspect's modus operandi was analyzed and the loophole was successfully closed, sparing the company and its investors greater losses.



The investigation found that a suspect had exploited loopholes in the APP platform: using hacking techniques, he tampered with the requested amount data during the APP's recharge (top-up) process, producing an abnormal balance in the platform account, and then quickly withdrew the cash. After succeeding, the suspect taught the method to others over the Internet, so the loophole became widely known and exploited. By the time of the incident, a total of 422 abnormal APP accounts had used this method for malicious recharges, of which 269 had successfully withdrawn funds.

Hai Yun'an analysis:

This is a typical case of exploiting loopholes in a financial payment APP's application system: hacking methods were used to crack and tamper with the request data in the communication protocol channel, sending incorrect instructions to the server business system in order to obtain illegal gains, with a direct and significant impact on the development of the enterprise's mobile financial business.
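As an added illustration (not code from the article or from Hai Yun'an), the following Python sketch contrasts a recharge handler that trusts the client-supplied amount, the pattern behind this case, with one that credits an account only from a signed payment-gateway notification reconciled against the order the server itself created. The function names, the HMAC-based signature scheme, the ledger layout and all amounts are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo secret shared with the payment gateway; never ship it in the APP.
GATEWAY_SECRET = b"demo-gateway-shared-secret"

@dataclass
class Ledger:
    orders: dict = field(default_factory=dict)    # order_id -> (user, amount_fen)
    balances: dict = field(default_factory=dict)  # user -> balance in fen (integer, no floats)
    seen: set = field(default_factory=set)        # order_ids already credited

def create_order(ledger, user, amount_fen):
    """Server records the amount it asked the gateway to collect, before any payment happens."""
    order_id = f"ord-{len(ledger.orders) + 1}"
    ledger.orders[order_id] = (user, amount_fen)
    return order_id

def recharge_vulnerable(ledger, request):
    """Mirrors the flaw in the case: the server credits whatever amount the client sent."""
    user = request["user"]
    ledger.balances[user] = ledger.balances.get(user, 0) + int(request["amount"])
    return ledger.balances[user]

def gateway_sign(notification):
    """HMAC over a canonical JSON encoding, as a stand-in for the gateway's signature scheme."""
    body = json.dumps(notification, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()

def recharge_hardened(ledger, notification, signature):
    """Credit only from a signed gateway notification whose amount matches our own order record."""
    if not hmac.compare_digest(gateway_sign(notification), signature):
        return None  # forged or tampered notification
    order_id = notification["order_id"]
    if order_id in ledger.seen:
        return None  # replayed notification
    user, expected = ledger.orders.get(order_id, (None, None))
    if user is None or int(notification["paid_fen"]) != expected:
        return None  # unknown order, or amount differs from what we asked the gateway to collect
    ledger.seen.add(order_id)
    ledger.balances[user] = ledger.balances.get(user, 0) + expected
    return ledger.balances[user]
```

The hardened path never reads an amount from the client at all; the only amount it credits is the one the server recorded when it created the order, and the gateway's signature plus the replay set gate whether that credit happens once.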

In fact, as early as last year, a relevant research institution pointed out in the "White Paper on the Status Quo of Information Security of Mobile Internet Financial APPs" that current domestic mobile Internet financial APPs carry ten security risks:

1. Communication data is sent in plaintext

The data exchanged between the client APP and the server is transmitted through the communication channel in plaintext.

2. Communication data can be decrypted

The data between the client APP and the server is encrypted in transit, but it can still be decrypted.

3. Sensitive data can be cracked locally

The client APP stores sensitive data (such as login passwords, gesture passwords, etc.) locally, either in plaintext or in an encrypted form that can be deciphered by reverse-analyzing the program.

4. Leakage of debugging information

The client APP prints out information that helped debugging during development. This information usually includes sensitive parameters, the plaintext of messages, etc.

5. Leakage of sensitive information

Sensitive data is leaked in the client APP code, such as symmetric encryption keys, private keys for asymmetric encryption, shared keys used for authentication, back-end server management addresses that should not be exposed, and so on.

6. Misuse of cryptography

Insecure cryptography is used in the client APP code, such as hard-coded symmetric keys, ECB-mode symmetric encryption, CBC mode with a fixed IV, insecure public keys for asymmetric encryption, etc.

7. Function disclosure

High-privilege behaviors and functions in the client APP (such as sending SMS messages, reading contacts, etc.) are not protected, and can be called or accessed by other, unauthorized applications.

8. Can be repackaged

The client APP can be repackaged after its code has been modified and released on the market for users to download.

9. Debuggable

The client APP can be debugged, allowing program data and logic to be dynamically extracted and modified at runtime.

10. Code can be reversed

The logic of the client APP can easily be obtained and reversed to extract sensitive data from the code and program.

Once criminals use the many security loopholes in such financial apps to attack, they will steal the property of innocent people, disrupt the financial market order, and even have a great negative impact on the security and stability of the country and society.

So, how should these security risks be addressed, and how can Internet financial companies protect their APPs? For these problems, promptly checking for and filling gaps is the key. A mobile financial business system generally consists of three parts: the intelligent hardware terminal (at present, generally a smartphone), the mobile application APP, and the corresponding business-processing server. The two parts most exposed to attack are the mobile APP client and the server: mobile APPs generally carry a large number of exploitable vulnerabilities, and the back-end server is often the focus of hackers' attacks on mobile services. In response to these serious security problems, Hai Yun'an has launched a mobile application security service system covering in-depth APP risk detection, application reinforcement and back-end server security defense. Through security detection in the development stage, potential security risks in APPs can be discovered, helping Internet financial enterprises take precautions; high-strength APP reinforcement services comprehensively prevent APP clients from being cracked and tampered with; and an intelligent mobile application firewall product protects back-end communication data and defends against fraudulent attacks. Through the integration of detection, reinforcement and defense, effective protection of mobile financial services is achieved. At present, with this series of services, Hai Yun'an has served many well-known enterprises such as WeBank, Ping An Bank, China Merchants Securities, Guangfa Fund, SF Express, and Hongling Venture Capital.
