[BreachExchange] Redtail isn't the only firm with cybersecurity issues

Destry Winant destry at riskbasedsecurity.com
Thu May 30 09:58:53 EDT 2019


https://www.investmentnews.com/article/20190528/FREE/190529945/redtail-isnt-the-only-firm-with-cybersecurity-issues

Redtail Technology is the latest firm dealing with the fallout of a
cybersecurity issue, but it likely won't be the last.

In a letter sent to advisers last week, Redtail blamed its leak on
systems that inadvertently stored investors' personal information on a
debug log file. These files record database operations, system
processes, and errors for software developers in case they need to fix
something. Redtail's debug file was publicly accessible to anyone with
an internet connection.

But Redtail is hardly alone, said Alissa Knight, a senior analyst with
Aite Group's cybersecurity practice. In a recent study of the security
of 30 mobile apps from financial services firms in the U.S. and
Europe, it was identified as a common issue.

"Many of the apps I looked at were also mistakenly configured to log
in debug mode, logging everything happening within the app, including
sensitive data to log files," Ms.Knight said.

While she wouldn't disclose the name of the firms she studied, they
spanned banking, retail brokerage, financial technology vendors and
auto insurance, she said.

Ms. Knight concluded that there is "a systemic problem" across both
financial services firms and fintech: "a widespread absence of
application security controls and secure coding."

Despite the amount of sensitive data these firms handle, many are
still failing to apply adequate security to apps, she said.

Ms. Knight found vulnerabilities in 29 of the 30 apps analyzed. It
took her less than 9 minutes to identify the issue at many of them.

Especially concerning is the application programming interfaces (APIs)
that companies use to integrate data with third-parties, she said.
Financial services companies and fintech vendors have a habit of
hard-writing credentials and API keys into the code. Anyone who knows
where to look can gain access.

And hackers know where to look.

"Hackers are beginning to shift their focus to attacking organizations
and end users via their mobile apps by finding vulnerabilities in the
code due to a lack of code obfuscation being employed to secure apps,"
Ms. Knight wrote in her report.

The increase in the number of API codes that can be seen publicly on
the internet is one reason hackers are increasingly focusing here, she
said. Also, it's relatively easy to learn the company's API URLs by
looking at the company's mobile app source code.

If security experts know this can be a problem, why is it happening?
One reason might be companies outsourcing app development offshore to
save costs.

"I was talking to some of the fintech companies and asked this very
thing," she said. "They tell me a lot of the time companies they
outsource to will publish the code and the fintech or financial
services companies aren't even involved in the process."


More information about the BreachExchange mailing list