The largest Swedish banks use Swish to process transactions

A flaw in the way the Swish mobile payment solution implemented Mobile BankID allowed any authenticated user of the service to view other users' transaction history simply by modifying the payment history request, a researcher says.

Swish has been designed as a cost-effective alternative to credit card processing machines and can be used by attaching a card reading device to a mobile phone. Combined with the free mobile banking app (available for both iOS and Android), the solution allows taking card payments anywhere.

A partnership with the largest banks in Sweden (SEB, Handelsbanken, Nordea, Danske Bank, Länsförsäkringar Bank, and the various branches of Swedbank and Sparbank) permits customers to transfer money in real time through Swish, identifying the recipient not by the number of their bank account, but by that of their mobile phone.

This is done through Mobile BankID, a widely used electronic identification infrastructure for mobile devices in Sweden.

Changing the phone number gives access to payment history

According to a researcher going by the Twitter handle Nullbyte (@nbyte), the Mobile BankID implementation started with an authentication request that returned a reference number. After the user had authenticated, the same request was sent again, this time carrying the reference number.

However, the researcher noticed that the payment history request also included the MSISDN value, which is the user's phone number.

The problem arises because such requests use the Mobile BankID service only for authentication, not for authorization: the server verified who the caller was, but never checked whether the MSISDN in the request belonged to that caller, so the payment history of any user of the service could be retrieved just by changing the MSISDN value.

“An authenticated user could retrieve any other user's complete transaction history simply by changing the MSISDN in the request. The Swish server never checked whether the user was authorized to make that request or not,” writes the researcher.
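To make the missing check concrete, here is an added illustrative model in Python (constructed for this article, not Swish's or the researcher's code); the function names, the in-memory session store and the sample phone numbers are assumptions. It shows the reported behaviour, where the request's MSISDN is trusted after authentication, beside a hardened handler that binds the MSISDN to the authenticated session.

```python
"""Constructed model of the authorization gap described above (not Swish's code).
A BankID-style sign-in yields a reference bound to the caller's own MSISDN; the
payment-history handler must check the requested MSISDN against that binding."""
import secrets

# Constructed sample data: each user's transaction history, keyed by MSISDN.
TRANSACTIONS = {
    "+46700000001": [{"to": "+46700000002", "amount": 150, "msg": "lunch"}],
    "+46700000002": [{"from": "+46700000001", "amount": 150, "msg": "lunch"}],
}
SESSIONS = {}  # auth reference -> MSISDN that completed BankID authentication


class NotAuthenticated(Exception):
    pass


class NotAuthorized(Exception):
    pass


def authenticate(msisdn):
    """BankID sign-in completes and the server issues a reference that is bound
    to the authenticated user's own phone number (assumed session model)."""
    ref = secrets.token_hex(16)
    SESSIONS[ref] = msisdn
    return ref


def history_vulnerable(ref, requested_msisdn):
    """Reported behaviour: the reference is checked (authentication), but the
    MSISDN in the request is used as-is (no authorization)."""
    if ref not in SESSIONS:
        raise NotAuthenticated()
    return TRANSACTIONS.get(requested_msisdn, [])


def history_fixed(ref, requested_msisdn):
    """Hardened form: the MSISDN comes from the authenticated session, and a
    request naming any other number is refused. Denying on mismatch (rather than
    silently substituting the caller's own number) keeps the attempt visible in logs."""
    owner = SESSIONS.get(ref)
    if owner is None:
        raise NotAuthenticated()
    if requested_msisdn != owner:
        raise NotAuthorized(f"{owner} requested history of a different MSISDN")
    return TRANSACTIONS[owner]
```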

The details would include phone numbers, full names, dates and timestamps, amounts of money exchanged, and messages to and from the individuals involved in the transactions made through the Swish app.

Trouble reporting the problem

The researcher alleges that the flaw may have existed since the launch of Swish, which happened in December 2012.

As per statistics provided by Swish, at the beginning of October there were more than 1.7 million users.

The security flaw was eliminated a week after the issue was reported to all of the affected banks. The researcher had first taken the matter to Swish, where he was directed to leave a private message on the company’s Facebook profile.

However, Nullbyte said he had no Facebook account, and he was then instructed to talk to his bank to solve the problem.

http://news.softpedia.com/news/Secur...s-463194.shtml