WSJ Article: Researchers Find Security Flaws in Developing-World Money Apps

Mobile-money services are growing at a rapid clip in the developing world, but new research suggests many of the apps that give the poor access to banking services have woeful security protections, leaving users exposed to fraud and theft.

Computer scientists at the University of Florida studied seven mobile-money apps from Brazil, India, Indonesia, Thailand and the Philippines, and found what they considered major security flaws in six.

“It was worse than we expected,” said Patrick Traynor, a computer science professor and author of the study.

One app, India-based MoneyOnMobile, appeared to use encryption to protect data, but did so by sending sensitive data to a server unprotected before encrypting the information. That could allow the data to be stolen on the unprotected step.

A representative of My Mobile Payments Ltd., which makes the MoneyOnMobile app, said a new app, MOM Wallet, is available and has improved security features that it believes would satisfy the paper’s authors. They said the old app will “sunset” on Aug. 15.

“We had to go back over these vulnerabilities many times to make sure these things were possible,” Mr. Traynor said.

Another app, MyAirtel, used encryption but tried to protect the data using an unusually weak “key,” a series of numbers and letters that encode the information. Most keys are random, but for MyAirtel, the key was always the same series of eight numbers and letters followed by the person’s phone number and account number, making it extremely easy for an attacker to figure out. The researchers said they tested the Airtel Money section of the MyAirtel app. […]

Read the entire article at Wall Street Journal here