ING mobile banking app did not check bank's SSL certificate – update


For months, the ING Bank mobile banking application did not check the bank's SSL certificate. This would make a man-in-the-middle attack possible. According to the bank, no cases of fraud via the app are known.

The app did not check the bank's SSL certificate, which could allow hackers to carry out a man-in-the-middle attack. The TV program EenVandaag reports this on the basis of findings by security researcher Floor Terra. Whether an attack could actually have been carried out seems uncertain: ING has built in multiple layers of encryption.

ING Bank has seen no fraud with the app, the bank says in a comment. “Since the launch in November 2011, no instances of fraud have been detected. Of course we want to keep it that way. A team of specialists works every day on the further development of our services via the Mobile Banking App to guarantee safety and ease of use.”

By now, both the iOS and the Android versions have received an update, so the man-in-the-middle attack can no longer be carried out. Bart Jacobs, professor of computer security at Radboud University Nijmegen, does not understand how this leak could have remained in the app for months. “It is a disgrace that this error was made. This is a very basic security measure that was not thought of. This is why ING is being laughed at loudly in security circles.” The ING app came out in early November for iOS and Android.

Update, 16:08: As tweaker Lupo1989 notes, there is more security in the app than just the SSL connection. “As a result, a man-in-the-middle can be done, but the information is still unreadable because of the two encryptions over it.” IT consultant Mount Knowledge concluded earlier that the encryption looked thoroughly solid. “SSL or TLS is not trusted. Instead, ING uses an extra encryption layer for which the password is agreed upon via the SRP protocol. Each mobile device also generates its own profileId and a public/private key pair.” According to the analysis, the only theoretical vulnerability was in the registration process.