Mobile Security & Enterprise Mobility Blog

Another Mobile App Assisted Breach… This Time It Is British Airways

In a tweet on September 6th, British Airways announced that it was “investigating the theft of customer data from our website and our mobile app” (emphasis added). This is just another example of a breach that has been at least partially enabled by mobile apps.

According to reports, information was exposed (including names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes) from as many as 380,000 payment cards. This may have been made possible by either British Airways or a third-party processor. Under the new GDPR rules, British Airways may be facing large fines over the breach. Some headlines have placed the potential fines as high as £500 million.

As the global leader in enterprise mobile security, Zimperium is not only concerned about protecting employees’ devices (whether corporate-owned or BYO), but also about protecting customer and employee mobile app sessions (the period of time within which a user interacts with an app), user credentials, sensitive data inside the mobile app, and access to critical backend systems against threats like those experienced by British Airways.

For example, every month at one of the world’s largest banks, Zimperium’s zIAP (our software development kit (SDK) that embeds our z9 detection inside any mobile app to help that app detect device, network and malicious app attacks) protects a half billion sessions and provides the bank with visibility to prevent potential fraud in exposed accounts, protecting over a billion dollars for customers.

Leading companies like British Airways have secured as much of the mobile app value/transaction chain as possible, but they have not been able to account for the most dangerous link: consumers’ devices and the WiFi networks that they attach to.

They have secured the backend servers, encrypted network traffic, conducted pen/vulnerability tests and hardened their app via app shielding. But what about the devices their app is sitting on? What about the WiFi networks that are increasingly less secure? That is where zIAP comes in.

For example, a common banking trojan called BankBot pops up on top of the user’s legitimate banking app to steal credentials and, with the mobile phone being used as a second authentication factor, can place transactions either directly via mobile or on the web without the bank realizing that the transaction is fraudulent. In another example, hackers used the app’s access to backend systems to inject their own transactions into the system. Even worse, mobiles are used to steal sensitive email attachments and access cloud or internal document repositories. What a mobile can access, a hacker can access once they compromise a device.

If you would like to learn more about the British Airways breach, especially if you are a customer, you can access information here.

If you would like to learn more about using zIAP to help prevent breaches like this one, please contact us here.