In a tweet on September 6th, British Airways announced it was “investigating the theft of customer data from our website and our mobile app” (emphasis added). This is just another example of a breach that has been at least partially enabled by mobile apps.
According to reports, information was exposed (including names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes) from as many as 380,000 payment cards. This may have been possible by either British Airways or a third-party processor. Under the new GDPR rules, British Airways may be facing large fines over the breach. Some headlines have placed the potential fines as large as £500 million.
As the global leader in enterprise mobile security, Zimperium is not only concerned about protecting employees’ devices (whether corporate-owned or BYO), but also about protecting customer and employee mobile app sessions (the period of time within which a user interacts with an app), user credentials, sensitive data inside the mobile app, and access to critical backend systems against threats like those that experienced by British Airways.
For example, every month at one of the world’s largest banks, Zimperium’s zIAP protects half a billion sessions and provides the bank with visibility to prevent potential fraud in exposed accounts, protecting over a billion dollars for customers.
Leading companies like British Airways have secured as much of the mobile app value/transaction chain as possible, but they have not been able to account for the most dangerous link: consumers’ devices and the WiFi networks that they attach to.
They have secured the backend servers, encrypted network traffic, conducted penetration and vulnerability tests and hardened their app via app shielding. But what about the devices their app is sitting on? What about the WiFi networks that are increasingly less secure?
For example, a common banking trojan, BankBot, creates an overlay on top of the user’s legitimate banking app to steal credentials. Sophisticated versions of BankBot capture SMS two factor authentication codes and can place transactions either via directly mobile or on the web without the bank realizing that the transaction is fraud. A second mobile breach example the hackers used the app’s access to backend systems to inject their own transactions in the system.
To learn more about the British Airways breach, especially if you are a customer, please visit britishairways.com.
To learn more about using zIAP to help prevent breaches like this one, please contact us here.