Traditional vs smartphone bank: open a bank account in just 8 minutes? you can lose it even faster
Dec 28, 2016
Open a bank account in just 8 minutes? You can lose it even faster - smartphone-only bank N26

German fintech company N26, which made its name mocking traditional banks, has found itself on the receiving end of criticism after a security researcher proved its smartphone apps exposed users to potential account hijacking.
N26, previously known as Number26, has expanded rapidly since it launched in early 2015 as a smartphone-only bank with no local branches, with the backing of major global investors including Silicon Valley's Peter Thiel.
Vincent Haupert, a research fellow and PhD student in the computer science department of the University of Erlangen-Nuernberg, told the Chaos Communications Congress in Hamburg how he and two colleagues found N26 security defenses riddled with holes that could have been used to defraud thousands of users.
"They say you can open a bank account in just eight minutes," Haupert said. "As it turns out, you can lose it even faster." In a statement, N26 thanked Haupert for alerting the company to "a theoretical security vulnerability" and advising it on fixes, which N26 said it completed this month.
N26 offers a range of online banking and other financial services to 200,000 customers in 17 European countries through a banking license granted earlier this year by German financial regulator Bafin. N26 executives have been the most outspoken among new fintech players in arguing that traditional banks fail to serve customers directly because they rely on antiquated local branch relationships instead of modern, phone-based services.
"I don't see banks at all as my competitors. They just can't move fast enough," N26 Chief Executive Valentin Stalf told Reuters last year.
Haupert told the Chaos conference, Europe's biggest annual gathering of hackers, how his team had found numerous ways to attack N26 banking apps to hijack individual customer accounts.
"With such a strategy, fintechs squander the trust that banks established over years," he said.
For example, Haupert said he compared data from a leak of 68 million account credentials from online file sharing company Dropbox with information on N26 users he was able to request from the company's own software feed to identify 33,000 N26 user credentials - without being thwarted by N26 anti-fraud systems. From there, he said it would have been simple to send a phishing email to these N26 customers that could potentially have allowed him to break into their accounts.
"Don't worry, we didn't do this," Haupert said.
Photo courtesy REUTERS / Axel Schmidt