Permission-less banking API


Abstract

In this document we present an in-depth vulnerability assessment of the HSBC banking system. Going beyond prior work, we investigate the full stack down to the Java bytecode level and further analyze its three key platforms: Android, iOS and online banking. During the process we analyze their main security feature, the OTP generation algorithm, and examine the inner workings of mobile/online banking through various vulnerability assessment techniques and successful man-in-the-browser attacks on their main platforms, showing the client-server communication packet flow. During the process we discovered several vulnerabilities and show that HSBC leaks details to multiple web servers which are not under its direct control, such as lo.v.liveperson.net. Additionally, the HSBC app is found to be inefficient; for instance, it repeatedly sends "Lorum Ipsum" phrases, a gross waste of bandwidth bordering on incompetence. Finally, we present our own version that is able to perform the basic banking functions: (1) log in, (2) view accounts and balances, (3) view transaction history and (4) perform transactions, adding more than 200% speed improvement.