TL;DR
Your banking app is leaking information during login. This guide shows you how to find and fix the problem, covering common causes like unencrypted connections, verbose error messages, and insecure logging practices.
1. Identify the Leak
- Monitor Network Traffic: Use Wireshark or your browser's developer tools (Network tab) to see exactly what is sent on both successful and failed login attempts. Look for passwords, account numbers, or security-question answers travelling in plain text, and for credentials in a URL query string (a login form submitted with GET), which end up in browser history, proxy logs, and server access logs even over HTTPS. Wireshark only shows encrypted TLS records for HTTPS traffic, so for an HTTPS site inspect the requests in the developer tools or an intercepting proxy instead.
- Check Server Logs: Examine your application and web-server logs (including access logs, which record the full request URL) for sensitive values and for error messages that carry excessive detail. Avoid logging usernames or passwords; log only an internal identifier (e.g., user ID) and a general error description.
- Review Client-Side Code: Inspect the JavaScript code of your web application (or the decompiled code of your mobile app) for any accidental exposure of sensitive data in comments, debugging statements, or insecure storage mechanisms.
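As an added example (not code from the original guide), the Python script below automates the first two reviews above over constructed inputs: it checks captured login requests for sensitive fields sent over plain HTTP or carried in a URL query string, and scans server log lines for recorded secrets. The sample requests, the log lines and the list of sensitive field names are assumptions chosen for the example; adapt the field list to your own form and log formats.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of captured login traffic (hypothetical, not from a real app):
# each entry is (scheme the request was sent over, HTTP request line, request body).
SAMPLE_REQUESTS = [
    ("http", "GET /login?user=alice&password=hunter2 HTTP/1.1", ""),
    ("https", "POST /login HTTP/1.1", "user=bob&password=s3cret"),
    ("http", "POST /login HTTP/1.1", "user=carol&password=qwerty&account=12345678"),
    ("https", "GET /dashboard HTTP/1.1", ""),
]

# Constructed server log lines (hypothetical) of the kind step 1 tells you to review.
SAMPLE_LOG_LINES = [
    "2024-01-01T10:00:00Z ERROR login failed user=alice password=hunter2",
    "2024-01-01T10:00:01Z INFO login ok user_id=42",
    '2024-01-01T10:00:02Z DEBUG form data: {"user": "bob", "pin": "1234"}',
]

# Form fields whose values must never travel in the clear or land in a log.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pin", "account", "ssn", "security_answer"}

# Matches key=value or "key": "value" for the sensitive field names, case-insensitively.
_LOG_PATTERN = re.compile(
    r'(?i)\b(password|passwd|pwd|pin|ssn|security_answer)\b"?\s*[=:]\s*"?([^\s",}]+)'
)


def find_leaks(requests):
    """Return (request line, reason) findings for sensitive fields sent in the clear
    or carried in the URL query string."""
    findings = []
    for scheme, request_line, body in requests:
        method, target, _version = request_line.split(" ", 2)
        query = parse_qs(urlsplit(target).query)
        form = parse_qs(body)
        # Anything sent over plain HTTP is readable by every hop on the path.
        if scheme == "http":
            for field in sorted(set(query) | set(form)):
                if field.lower() in SENSITIVE_FIELDS:
                    findings.append((request_line, f"{field} sent over plaintext HTTP"))
        # Query-string values are written to access logs, proxy logs and browser
        # history even when the connection itself is HTTPS.
        for field in sorted(query):
            if field.lower() in SENSITIVE_FIELDS:
                findings.append((request_line, f"{field} in URL query string ({method})"))
    return findings


def scan_log_lines(lines):
    """Return (line number, field name) for every log line that records a secret value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _LOG_PATTERN.finditer(line):
            hits.append((number, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for request_line, reason in find_leaks(SAMPLE_REQUESTS):
        print(f"TRAFFIC  {reason}: {request_line}")
    for number, field in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"LOG      line {number} records a {field} value")
```

Run against a real capture by exporting requests from the browser's Network tab or an intercepting proxy into the same (scheme, request line, body) shape; the HTTPS POST in the sample is the only one of the four that produces no finding.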
2. Secure the Connection (HTTPS)
The most basic step is ensuring all communication uses HTTPS.
- Install an SSL/TLS Certificate: Obtain a certificate from a trusted Certificate Authority (Let’s Encrypt offers free certificates).
- Configure Your Web Server: Configure your web server (e.g., Apache, Nginx) to enforce HTTPS and redirect all HTTP traffic to HTTPS.
```nginx
# Example Nginx configuration: redirect every plain-HTTP request to HTTPS
server {
    listen 80;
    return 301 https://$host$request_uri;
}
```

- Enable HSTS: Implement HTTP Strict Transport Security (HSTS) so that browsers refuse to connect over plain HTTP for the duration of max-age. Send the header only from the HTTPS server block (browsers ignore it when received over HTTP), and add includeSubDomains only once every subdomain serves HTTPS, because the policy then applies to all of them.

```nginx
# Example Nginx configuration for HSTS (inside the listen 443 ssl server block)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
3. Handle Errors Gracefully
Avoid revealing sensitive information in error messages.
- Generic Error Messages: Display user-friendly, generic error messages instead of detailed technical errors.
- Instead of: "No account exists with that username." or "Incorrect password for user alice." (these tell an attacker which usernames are valid)
- Use: "Invalid username or password." or "Login failed. Please check your credentials and try again." (the same message for every failure reason)
- Make the failure path take the same time whether or not the username exists (e.g., always run the password-hash comparison), since a noticeably faster reply for unknown usernames leaks the same information as a different message would.
- Log Errors Securely: Log detailed error information on the server-side, but redact sensitive data.
```python
# Example Python logging (log an identifier, never the username or password)
import logging

logging.basicConfig(level=logging.INFO)


def log_failed_login(user_id):
    # Log only the internal ID; the username, password and session token stay out of the log
    logging.error("Login failed for user_id=%s", user_id)
```
4. Secure Logging Practices
Carefully control what information is logged.
- Avoid Logging Passwords: Never log passwords in plain text or any reversible format.
- Limit Logged Data: Only log essential data for debugging and auditing purposes. Avoid logging personally identifiable information (PII) unless absolutely necessary.
- Secure Log Storage: Protect your logs from unauthorized access. Use encryption, access controls, and regular backups.
- Consider using a dedicated logging service with built-in security features.
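To show sections 3 and 4 together in working code, the following Python example (added here, not part of the original guide) implements a login check that returns one generic message whatever the reason for failure, does the same password-hashing work for unknown usernames so timing does not reveal them, logs only an internal user ID, and attaches a logging filter that redacts password-like fields from any record before a handler writes it. The user store, the user ID, the fixed salt and the logger name are constructed for the example; a real store uses a random salt per user.

```python
import hashlib
import hmac
import io
import logging
import re

GENERIC_FAILURE = "Login failed. Please check your credentials and try again."

# Constructed credential store (hypothetical): username -> (user_id, salt, PBKDF2 hash).
# A real store holds a random per-user salt; one fixed salt keeps the example short.
_SALT = b"constructed-example-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": (1001, _SALT, _hash_password("correct-horse-battery", _SALT)),
}
# Compared against unknown usernames so the failure path costs the same time either way.
_DUMMY_HASH = _hash_password("not-a-real-password", _SALT)


class RedactSecrets(logging.Filter):
    """Scrub password-like key=value pairs from every record before a handler writes it,
    so a careless debug statement cannot put a secret on disk."""

    _PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|pin|token)\b(\s*[=:]\s*)\S+")

    def filter(self, record):
        message = record.getMessage()          # apply %-args first, then redact
        record.msg = self._PATTERN.sub(r"\1\2[REDACTED]", message)
        record.args = ()
        return True


def make_logger(stream):
    """Logger writing to `stream` with the redaction filter attached to its handler."""
    logger = logging.getLogger("login-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger


def login(username, password, log=None):
    """Return (success, user-facing message). The message and the work done are the
    same whether the username is unknown or the password is wrong."""
    log = log or logging.getLogger("login-demo")
    entry = USERS.get(username)
    user_id, salt, stored = entry if entry else (None, _SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)          # always do the hashing work
    ok = hmac.compare_digest(candidate, stored) and entry is not None
    if ok:
        log.info("login ok user_id=%s", user_id)
        return True, None
    # Server-side detail is limited to an identifier: no username, no password.
    log.warning("login failed user_id=%s", user_id if user_id is not None else "unknown")
    return False, GENERIC_FAILURE


def demo():
    """Run three logins plus a careless debug line; return outcomes and the log text."""
    buf = io.StringIO()
    log = make_logger(buf)
    results = [
        login("alice", "correct-horse-battery", log),
        login("alice", "wrong-password", log),
        login("mallory", "wrong-password", log),
    ]
    log.info("debug form body: user=alice password=correct-horse-battery")
    return results, buf.getvalue()


if __name__ == "__main__":
    outcomes, log_text = demo()
    print(outcomes)
    print(log_text)
```

The filter sits on the handler rather than on the logger so it also catches records from third-party libraries that share the handler; the wrong-password and unknown-user calls return an identical tuple, and the only difference visible anywhere is the user ID in the server-side log.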
5. Implement Rate Limiting
Prevent brute-force attacks by limiting the number of login attempts.
- Configure Rate Limits: Set a maximum number of failed login attempts allowed within a specific timeframe (e.g., 5 attempts in 10 minutes).
Example fail2ban jail (note that this protects the SSH daemon, not the application's login form; for the web login endpoint enforce the limit in the application itself or in the web server, for example with Nginx's limit_req, and key it by account as well as by source IP):

```ini
# Example using fail2ban to limit SSH access
[sshd]
enabled = true
port = ssh
maxretry = 3
findtime = 600
bantime = 3600
```

- Account Lockout: Temporarily lock accounts after exceeding the rate limit. Keep lockouts temporary and escalate their length on repeated offences rather than locking permanently, since a permanent lockout lets an attacker deny service to any user simply by guessing wrong passwords against that account.
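As an added example (not code from the original guide), here is an application-level limiter in Python that implements the policy described in this section: failed attempts are counted in a sliding 10-minute window, the fifth failure triggers a temporary lockout that doubles on each repeat up to a cap, and limits are tracked separately per account and per source IP. The thresholds, the key naming, the simulated clock and the `password_ok` stand-in for a real credential check are assumptions made for the example.

```python
import time
from collections import deque

WINDOW_SECONDS = 600             # count failures inside a 10-minute sliding window
MAX_FAILURES = 5                 # the 5th failure in the window triggers a lockout
BASE_LOCKOUT_SECONDS = 900       # first lockout 15 minutes, doubling on each repeat
MAX_LOCKOUT_SECONDS = 24 * 3600  # never lock for longer than a day


class LoginRateLimiter:
    """Sliding-window failure counter with escalating temporary lockouts.
    Keys are arbitrary strings, so one object can limit per account and per IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # key -> deque of failure timestamps in the window
        self._lockouts = {}      # key -> (unlock time, number of lockouts so far)

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def lockout_remaining(self, key):
        """Seconds until `key` may try again; 0 when it is not locked."""
        entry = self._lockouts.get(key)
        return max(0.0, entry[0] - self._clock()) if entry else 0.0

    def record_failure(self, key):
        """Count one failed attempt; return True if it triggered a lockout."""
        now = self._clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) < MAX_FAILURES:
            return False
        _, count = self._lockouts.get(key, (0.0, 0))
        duration = min(BASE_LOCKOUT_SECONDS * 2 ** count, MAX_LOCKOUT_SECONDS)
        self._lockouts[key] = (now + duration, count + 1)
        q.clear()
        return True

    def record_success(self, key):
        """A successful login resets the counter and the escalation for this key."""
        self._failures.pop(key, None)
        self._lockouts.pop(key, None)


def attempt_login(limiter, account, source_ip, password_ok):
    """Glue around a real credential check (`password_ok` stands in for it).
    Limits are tracked per account and per source IP so that an attacker rotating
    accounts and an attacker rotating addresses are both slowed down."""
    account_key, ip_key = f"acct:{account}", f"ip:{source_ip}"
    if limiter.lockout_remaining(account_key) or limiter.lockout_remaining(ip_key):
        return "locked"                      # refused even if the password is right
    if password_ok:
        limiter.record_success(account_key)  # IP failures are left to expire on their own
        return "ok"
    locked = [limiter.record_failure(k) for k in (account_key, ip_key)]
    return "locked" if any(locked) else "failed"


class FakeClock:
    """Controllable clock so the simulation (and a test) need not sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate():
    """Six bad passwords, a correct one during the lockout, a correct one after it."""
    clock = FakeClock()
    limiter = LoginRateLimiter(clock=clock)
    outcomes = []
    for _ in range(6):
        clock.now += 10
        outcomes.append(attempt_login(limiter, "alice", "203.0.113.7", False))
    outcomes.append(attempt_login(limiter, "alice", "203.0.113.7", True))
    clock.now += BASE_LOCKOUT_SECONDS + 1
    outcomes.append(attempt_login(limiter, "alice", "203.0.113.7", True))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

In production the dictionaries would live in a shared store such as Redis so every application instance sees the same counters, and the per-IP key should be the real client address (taken from the trusted proxy header, not from whatever the client sends).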
6. Regular Security Audits
Proactively identify and address vulnerabilities.
- Penetration Testing: Hire a security firm to conduct regular penetration tests of your application.
- Code Reviews: Perform thorough code reviews to identify potential security flaws.
- Focus on areas handling authentication, authorization, and data storage.