Coles responds to credit card app vulnerability reports

Supermarket chain says app is read only and all customer’s money is protected under MasterCard’s zero liability guarantee

Hamish Barwick (Computerworld)
Comments

Coles has responded to reports that its MasterCard Android app fails to properly validate cryptographic security certificates by saying that the app has “never experienced a security vulnerability.”

The app allows Coles credit card users to access their accounts via a username and password.

According to the United States based Computer Emergency Response Team (CERT), the app’s security certificate issue leaves users “vulnerable” to hackers wishing to steal their usernames and passwords. This is because cyber criminals can intercept data exchanged between the app and remote server.

CERT researcher Will Dormann named the app as vulnerable in a blog post along with apps from Microsoft and eBay.

A Coles spokesperson told Computerworld Australia that it takes the security of financial services products “very seriously.”

“We have systems in place to immediately react to the ever-changing demands of the digital environment. Our credit card app has never experienced a security vulnerability.”

The spokesperson added that the app is read only and all customer’s money is protected under MasterCard’s guarantee.

Commenting on the vulnerability, ESET security researcher, Sieng Chye Oh, said that Man-In-The-Middle (MITM) attack like the Coles one are a technique which is traditionally used to attack computer systems.

“In general, the attacker places themselves between a server/client session enabling the information to be intercepted by the malicious perpetrator. With the growth of Android adoption, it is not surprising this same technique is being used to target mobile devices,” he said in a statement.

“We suggest consumers stop using the app to access the bank service, until the issue is rectified. In addition, users should monitor their account for suspicious activities, and report anything suspicious to their bank of financial institution as soon as possible.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags certMasterCard InternationalColes Groupsecurity certification

More about Computer Emergency Response TeameBayMicrosoft

Show Comments
[]