Digital Forensics Mobile Banking (Carding) Vulnerabilities
Computer Science
Over the years, mobile banking applications have proliferated. Financial institutions are taking
advantage of mobile technology to provide accessible, ubiquitous, user-friendly, convenient, and
cost-effective services to their customers. Mobile banking applications access and process sensitive
user data, so they are required to manage that data in a highly secure manner and to run in a secure
environment. This study conducts a forensic investigation of twelve popular Android m-banking apps in
Nigeria to determine whether: backups generated by the mobile OS contain no sensitive data; the
application removes sensitive data from view when backgrounded; sensitive data are not held in memory
longer than necessary, with the memory cleared after use; minimum device-access security policies are
enforced by the app; and users are educated by the app about the type of PII processed and about
security best practices for using the app. Our findings revealed that while none of the apps saved
sensitive data in the generated backups, all except one held sensitive data in the memory of the test
device and did not enforce any device-access security policy. Also, none of the apps removed sensitive
data from view when backgrounded. In addition to serving as a source of information for forensic
investigators, we believe our study could assist mobile banking app developers in identifying aspects
of the development process that need attention, leading to better secured apps.
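The memory check described in the abstract above can be scripted once the app's heap has been dumped. The following is an added example written for this page, not code from Osho and Mohammed's study: it scans a raw heap dump for card numbers (validated with the Luhn checksum, in both the Latin-1 and UTF-16LE forms ART uses for Java strings) and for PIN-like key/value pairs. The dump bytes, the field names and the key-name pattern are constructed assumptions; a real dump would come from Frida or `adb shell am dumpheap` on a rooted or debuggable test device.

```python
"""Scan a raw process-memory dump for sensitive banking data.

Added example for this page (not code from the paper quoted above). It mimics
the memory check the abstract describes: dump the app's heap (done outside this
script) and search it for data that should have been cleared. Candidate card
numbers are validated with the Luhn checksum to cut false positives, and both
Latin-1 and UTF-16LE are searched because ART stores java.lang.String in
either form.
"""
import re
from dataclasses import dataclass

# Maximal digit runs of PAN length (13-19), as a Latin-1/ASCII string ...
ASCII_DIGITS = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
# ... and as a UTF-16LE string (each digit followed by a NUL byte).
UTF16_DIGITS = re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)")
# "somethingPin=1234"-style pairs. Assumption of this example: the app keeps a
# short numeric secret under a key whose name ends in pin/passcode/password.
PIN_FIELD = re.compile(rb"(?i)([a-z_]*(?:pin|passcode|password))\s*[=:]\s*([0-9]{4,8})")


@dataclass(frozen=True)
class Finding:
    kind: str       # "pan" or "pin"
    offset: int     # byte offset in the dump
    encoding: str   # "latin-1" or "utf-16-le"
    value: str      # masked PAN, or the field name for PINs


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so the report does not itself leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(dump: bytes) -> list[Finding]:
    """Return every Luhn-valid PAN and PIN-like field found in the dump."""
    findings: list[Finding] = []
    for m in ASCII_DIGITS.finditer(dump):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):
            findings.append(Finding("pan", m.start(), "latin-1", mask_pan(digits)))
    for m in UTF16_DIGITS.finditer(dump):
        digits = m.group().decode("utf-16-le")
        if luhn_valid(digits):
            findings.append(Finding("pan", m.start(), "utf-16-le", mask_pan(digits)))
    for m in PIN_FIELD.finditer(dump):
        findings.append(Finding("pin", m.start(), "latin-1", m.group(1).decode("ascii")))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample dump, not a real capture: a Luhn-valid test PAN as a
# Latin-1 string, a second test PAN as a UTF-16LE string, a PIN field, and a
# 16-digit reference number that fails Luhn and must not be reported.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"cardNumber=4111111111111111\x00"
    + b"\x7f\x00" * 4 + "5555555555554444".encode("utf-16-le") + b"\x00\x00"
    + b"transactionPin=1234;" + b"\xff" * 8
    + b"ref=1234567890123456\x00"
)

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f.kind:3} @0x{f.offset:04x} ({f.encoding}): {f.value}")
```

The same `scan_dump` can be run over an unpacked backup archive to cover the first check in the abstract. The backgrounded-app check cannot be done from a file: it is a question of whether the activity sets FLAG_SECURE or blanks its window in onPause, which has to be observed on the device.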
https://www.semanticscholar.org/paper/Forensic-Analysis-of-Mobile-Banking-Apps-Osho-Mohammed/bfb2377c104a90cd7b848ac418a2fec7628512f3
https://www.infosecurity-magazine.com/news/security-vulnerabilities-mobile/
https://www.semanticscholar.org/paper/Use-of-Biometrics-in-Mobile-Banking-Security%3A-Case-Avdi%C4%87/187a144fb68f9383d644ce0128a42123b7002855#paper-header
https://arxiv.org/ftp/arxiv/papers/2202/2202.00582.pdf
https://www.researchgate.net/publication/333756475_Forensic_Analysis_of_Mobile_Banking_Applications_in_Nigeria
Content:
Theme name
Development of forensic anti-fraud method with using of machine learning algorithms for
detecting mobile banking vulnerabilities
Authors
Organization
Abstract
1 Introduction
1.1 Problem Background
2 Related studies/Literature overview
Previous studies have analyzed a wide range of Android applications, including social networking,
instant messaging, banking, navigation and dating applications. More specifically, Chanajitt et al.
[6] focused on 7 e-banking mobile applications in Thailand. Their forensic analysis covered both
memory and code inspection, with the intent of determining different forms of leakage. The research
found that the examined applications exposed users' sensitive data, such as account number, account
type, account balance, citizen ID, date of birth, inter-bank transactions and the user's PIN code.
Those exposures could have been prevented with security by design. Hayes et al. [7] studied the
geolocation information collected by the Uber application. This research tested several scenarios
in which the Uber application or competing services were used by clients in New York City. The
experiments showed that Uber was using geolocation information for longer than stated in its privacy
agreement, and that it accessed geolocation information even when a competing service was being
used. These findings clearly violate users' privacy, but could prove very useful in a criminal
investigation.
3 Research methodology
3.1 Experimental
3.2 Implementation and Case-study
3.3 Analysis
3.4 Evaluation
4 Results/Findings
5 Discussion
6 Suggestions for improvement
7 Limitation of the study
8 Acknowledgments
9 Potential future works
10 Conclusion
11 References
ABSTRACT
This paper performs a forensic investigation of a set of applications, aiming to discover sensitive
information related to the owner of the mobile device. These applications were chosen because:
i) they are very popular on the Google Play Store, ii) they handle sensitive personal information,
iii) they have not been researched by previous works, and iv) they are free to download and install.
The three chosen applications belong to the following categories: bank, mobile network carrier and
public transport. The security of the applications was evaluated using two techniques, code and disk
analysis, as followed in the literature. Based on our findings we conclude that these applications,
despite their criticality, have failed to incorporate security techniques that protect users'
sensitive data, and that a forensic analysis can reveal crucial and significant information from a
forensics point of view.
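The disk-analysis step in this abstract, and the application-data leakage Chanajitt et al. [6] looked for, amounts to pulling the app's private data directory and searching its SharedPreferences files and SQLite databases for plaintext secrets. The following is an added example for this page, not code from any of the cited papers. It assumes the directory has already been pulled (for instance with `adb pull /data/data/<package>` on a rooted device or emulator); the package name, file names, table layout, the sample data it builds and the list of sensitive-looking key words are all constructed assumptions.

```python
"""Disk-artifact scan of a pulled Android app data directory.

Added example, not code from the papers cited on this page. After pulling
/data/data/<package>/ from a rooted device or emulator (outside this script),
walk shared_prefs/*.xml and databases/*.db and report values stored under
sensitive-looking keys or columns. The word list is a heuristic assumption.
"""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SENSITIVE_WORDS = ("pin", "password", "passwd", "token", "session", "account", "card", "otp")


@dataclass(frozen=True)
class Finding:
    source: str    # file path relative to the app directory
    location: str  # preference key, or table.column for SQLite
    value: str


def looks_sensitive(name: str) -> bool:
    n = name.lower()
    return any(w in n for w in SENSITIVE_WORDS)


def scan_shared_prefs(path: str, rel: str) -> list[Finding]:
    """SharedPreferences XML: <map><string name="k">v</string><int name="k" value="v"/>...</map>."""
    out = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        if looks_sensitive(name):
            # <string> keeps the value as text; int/boolean/float keep it in a value attribute.
            value = el.text if el.text is not None else el.get("value", "")
            out.append(Finding(rel, name, value))
    return out


def scan_sqlite(path: str, rel: str) -> list[Finding]:
    """Open read-only and dump every column whose name looks sensitive."""
    out = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            hot = [c for c in cols if looks_sensitive(c)]
            if not hot:
                continue
            sel = ", ".join(f'"{c}"' for c in hot)
            for row in con.execute(f'SELECT {sel} FROM "{table}"'):
                for c, v in zip(hot, row):
                    if v is not None:
                        out.append(Finding(rel, f"{table}.{c}", str(v)))
    finally:
        con.close()
    return out


def scan_app_dir(app_dir: str) -> list[Finding]:
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, app_dir).replace(os.sep, "/")
            if rel.startswith("shared_prefs/") and fn.endswith(".xml"):
                findings.extend(scan_shared_prefs(full, rel))
            elif rel.startswith("databases/") and fn.endswith(".db"):
                findings.extend(scan_sqlite(full, rel))
    return sorted(findings, key=lambda f: (f.source, f.location))


def build_sample_app_dir() -> str:
    """Constructed /data/data/<package>-style tree for the demo (assumed layout, not a real pull)."""
    app_dir = tempfile.mkdtemp(prefix="com.example.bank-")
    prefs, dbs = os.path.join(app_dir, "shared_prefs"), os.path.join(app_dir, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    with open(os.path.join(prefs, "com.example.bank_preferences.xml"), "w") as f:
        f.write("<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
                '    <string name="session_token">tok_7f3a9c</string>\n'
                '    <boolean name="first_run" value="false" />\n'
                '    <int name="login_pin" value="2468" />\n'
                '    <string name="theme">dark</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(dbs, "bank.db"))
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, account_number TEXT, holder TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, '0123456789', 'Test User')")
    con.commit()
    con.close()
    return app_dir


if __name__ == "__main__":
    for f in scan_app_dir(build_sample_app_dir()):
        print(f"{f.source}: {f.location} = {f.value!r}")
```

Matching on key and column names is deliberately cheap and misses generic key/value tables (a `settings(k, v)` table, for instance) and values an app has obfuscated rather than encrypted; the findings are leads for the code-analysis step, which then shows how each value was written.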