The Go Go Bank is served

The other day I walked into my local branch of Intesa Sanpaolo Bank to withdraw money from the ATM, when suddenly my cell phone made a sound similar to a burp of biblical proportions. As more customers came in, they also sounded like they were freely burping: Go Go Bank [1].

The facts

Emerge Tools reports problems with the Intesa Sanpaolo banking application, in particular its excessive size: about 700 MB. This space is taken up by resources and frameworks that serve no function, and on top of that an unexpected surprise was found: a file called burp.mp3.

REMEMBER: the more source code and third-party components there are, the more vulnerable the IT infrastructure is.

There is a lot of talk about security, yet technologies are adopted that were not developed internally by the bank's IT department. Moreover, the use of superfluous technologies compromises the security of the technological infrastructure. And then… where are the controls?

We cannot rule out that burp.mp3 could masquerade as a harmless file and act as a Trojan horse, just like any other small and seemingly insignificant line of code that could contain security vulnerabilities.

You can find numerous articles on the subject, which focus on the programmer's joke and the presence of an easter egg. However, the issue is much more serious: a data breach occurred, because inside the app there was a photo of a customer's MAV payment slip, containing all of his personal data.

The burp.mp3 file is therefore just a decoy, while a real data breach has been exposed within the app.

[Figure: Emerge Tools screenshot of the contents of the Banca Intesa app, where the presence of burp.mp3 (rutto.mp3) is evident [2].]

[Figure: Emerge Tools screenshot of the contents of the Banca Intesa app, showing photo_300kb.txt, which turned out to be a base64-encoded image [2].]
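A file like photo_300kb.txt is easy to catch before release: a text resource whose content is entirely base64 and decodes to bytes starting with an image signature is not a text file. The script below is an added example (not Emerge Tools' code, nor anything from the bank's app) of a release-time bundle audit that walks an unpacked app directory, flags oversized resources, flags audio assets for review, and detects text files that hide base64-encoded binary data. The sample bundle it builds (a fake PNG signature plus filler, a stub MP3, an ordinary strings file) is constructed for the demonstration; file names are taken from the page, contents are not.

```python
import base64
import os
import re
import tempfile

# Magic numbers (file signatures) recognised after base64 decoding.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
TEXT_EXTENSIONS = {".txt", ".json", ".xml", ".properties"}
AUDIO_EXTENSIONS = {".mp3", ".wav", ".ogg"}
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def sniff_image(data):
    """Return the image type if data starts with a known signature, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def decode_if_base64(data):
    """Decode data as base64 when it consists only of base64 alphabet (line wrapping allowed)."""
    compact = b"".join(data.split())
    if len(compact) < 16 or len(compact) % 4 or not BASE64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:
        return None


def mostly_printable(data):
    """True when at least 95% of the bytes are printable ASCII or whitespace."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / max(len(data), 1) >= 0.95


def audit_bundle(root, size_threshold=100 * 1024):
    """Walk an unpacked app bundle and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if len(data) >= size_threshold:
                findings.append((rel, "large resource (%d bytes)" % len(data)))
            if ext in TEXT_EXTENSIONS:
                decoded = decode_if_base64(data)
                # Only binary payloads count; a short base64-looking word is left alone.
                if decoded is not None and not mostly_printable(decoded):
                    kind = sniff_image(decoded)
                    reason = ("text file is a base64-encoded %s image" % kind
                              if kind else "text file hides base64-encoded binary data")
                    findings.append((rel, reason))
            if ext in AUDIO_EXTENSIONS:
                findings.append((rel, "audio asset: confirm a feature actually needs it"))
    return sorted(findings)


def build_sample_bundle():
    """Constructed bundle mimicking the file shapes reported on the page (not the real app)."""
    root = tempfile.mkdtemp(prefix="bundle_")
    assets = os.path.join(root, "assets")
    os.makedirs(assets)
    # Constructed PNG: valid signature followed by filler bytes, stored base64-encoded in a .txt
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 300
    with open(os.path.join(assets, "photo_300kb.txt"), "wb") as fh:
        fh.write(base64.encodebytes(fake_png))
    # Constructed audio blob with an ID3 header
    with open(os.path.join(assets, "burp.mp3"), "wb") as fh:
        fh.write(b"ID3" + b"\x00" * 64)
    # Ordinary text resource that must not be flagged
    with open(os.path.join(assets, "strings.txt"), "wb") as fh:
        fh.write(b"welcome=Benvenuto\n")
    return root


if __name__ == "__main__":
    for rel, reason in audit_bundle(build_sample_bundle()):
        print(rel, "->", reason)
```

Run against a real unpacked APK or IPA, the same walk would also surface the "resources and frameworks that serve no function" the page complains about, simply by listing what is large; the base64 check is the part that turns a 300 KB "text" file into a finding a reviewer has to explain.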

The Privacy Guarantor intervenes

On the one hand, the bank downplays the situation; on the other, the Privacy Guarantor does not agree and has given Intesa Sanpaolo 20 days to inform the customers affected by the data breach.

The Authority, in fact, differs from the Bank's assessment: it believes that the personal data breach presents a high risk to the rights and freedoms of the people involved, taking into account the nature of the breach, the categories of data processed, its seriousness and the consequences that could derive from it (e.g. disclosure of information on financial status, reputational damage).

The measure was necessary because the extent of the breach had not been adequately highlighted in the first communications sent by the Bank to the Guarantor, as later emerged both from press articles and from the feedback provided by the Bank itself.

The Guarantor, which reserves the right to evaluate the adequacy of the security measures adopted in the context of an investigation currently underway, has also ordered the Bank to send the Authority, within thirty days, adequately documented feedback on the initiatives undertaken to fully implement the provisions. Source: Garante privacy

Are we all calm?

At this point the Banca Intesa app deserves a little check using the methods already explained in the article The meal voucher scam, which I invite you to read.

Tracker Presence Analysis

The trackers present in apps can be verified with the Exodus application, downloadable from F-Droid. Exodus shows, for each installed application, the permissions it requests and the presence of any tracking elements.

App                    | Trackers | Permissions | Exodus | Trackers used
Intesa Sanpaolo Mobile | 6        | 64          | link   | 1, 2, 3, 4, 5, 6

What Trackers Do

Below are the Trackers used numbered and listed with a brief description of their features.

  1. AltBeacon - Allows Android devices to use beacons just like iOS devices. An app can request to receive notifications when one or more beacons appear or disappear. An app can also request range updates from one or more beacons. It also allows Android devices to send beacon broadcasts, even in the background. For more information, read the article Beacon is not Bacon and is bad for privacy.
  2. Dynatrace [analytics] tracker web page.
  3. Google CrashLytics [crash reporting] tracker web page.
  4. Google Firebase Analytics [analytics] tracker web page - Firebase offers analytics, database, messaging and crash reporting capabilities.
  5. Salesforce Marketing Cloud [marketing] tracker web page - MobilePush lets you create and send targeted push messages based on cross-channel consumer data to encourage app usage and deliver increased ROI. With MobilePush, you'll see how users navigate through your app. From the products they view to the amount of time spent on each page, get a window into how users interact with your app across their smartphones and tablets. Because MobilePush is built on the Marketing Cloud.
  6. Tealium [analytics] tracker web page.
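Exodus finds trackers by matching code signatures (package-name patterns) against the classes in the app's DEX files, and pairs that with the permissions declared in the manifest. The script below is an added example of that approach, not Exodus' code and not its signature database: the six patterns are simplified prefixes based on the well-known package names of the trackers listed above, and both the class list and the permission list are constructed for the demonstration, not dumped from the real app. The beacon-plus-location pairing is called out because BLE beacon scanning on Android cannot work without location or Bluetooth permission, which is exactly why a beacon SDK in a banking app deserves a question.

```python
import re

# Simplified code signatures: package-name prefixes of the six trackers named on the page.
# Modelled on the idea behind Exodus' signatures, NOT its actual signature database.
TRACKER_SIGNATURES = {
    "AltBeacon": [r"^org\.altbeacon\."],
    "Dynatrace": [r"^com\.dynatrace\."],
    "Google CrashLytics": [r"^com\.crashlytics\.", r"^com\.google\.firebase\.crashlytics\."],
    "Google Firebase Analytics": [r"^com\.google\.firebase\.analytics\."],
    "Salesforce Marketing Cloud": [r"^com\.salesforce\.marketingcloud\."],
    "Tealium": [r"^com\.tealium\."],
}

# Permissions that deserve a second look in a banking app that also ships trackers.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

# Constructed class list in DEX descriptor form (one class per line), not dumped from the real app.
SAMPLE_DEX_CLASSES = """
Lcom/bank/app/MainActivity;
Lcom/bank/app/net/ApiClient;
Lorg/altbeacon/beacon/BeaconManager;
Lcom/dynatrace/android/agent/Dynatrace;
Lcom/google/firebase/analytics/FirebaseAnalytics;
Lcom/crashlytics/android/Crashlytics;
Lcom/salesforce/marketingcloud/MarketingCloudSdk;
Lcom/tealium/library/Tealium;
Lcom/google/firebase/messaging/FirebaseMessaging;
"""

# Constructed manifest permissions for the same sample.
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.BLUETOOTH_SCAN",
    "android.permission.CAMERA",
]


def parse_dex_class_list(dump):
    """Convert DEX descriptors like Lcom/foo/Bar; into dotted names com.foo.Bar."""
    names = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("L") and line.endswith(";"):
            names.append(line[1:-1].replace("/", "."))
    return names


def find_trackers(class_names):
    """Return {tracker: [matching classes]} for every signature that fires."""
    compiled = {name: [re.compile(p) for p in pats]
                for name, pats in TRACKER_SIGNATURES.items()}
    hits = {}
    for cls in class_names:
        for name, regexes in compiled.items():
            if any(r.search(cls) for r in regexes):
                hits.setdefault(name, []).append(cls)
    return hits


def report(class_dump, permissions):
    """Combine tracker matches with the sensitive permissions the manifest requests."""
    trackers = find_trackers(parse_dex_class_list(class_dump))
    sensitive = sorted(set(permissions) & SENSITIVE_PERMISSIONS)
    return {
        "tracker_count": len(trackers),
        "trackers": trackers,
        "sensitive_permissions": sensitive,
        # BLE beacon scanning needs location/Bluetooth permission, so this pairing is expected
        "beacon_with_location": "AltBeacon" in trackers and bool(
            {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.BLUETOOTH_SCAN"} & set(permissions)),
    }


if __name__ == "__main__":
    result = report(SAMPLE_DEX_CLASSES, SAMPLE_PERMISSIONS)
    print(result["tracker_count"], "trackers:", ", ".join(sorted(result["trackers"])))
    print("sensitive permissions:", result["sensitive_permissions"])
```

Note that com.google.firebase.messaging is deliberately not matched: a push-messaging transport is not by itself a tracker, and a signature set that flags every Google package would bury the real findings.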

Analysis of the connections

There are two applications that let you analyze data traffic (the app's communication with servers: domain and IP address):

  1. PCAPdroid - a privacy app that allows you to monitor and analyze the connections made by other apps on your device.
  2. Rethink: DNS + Firewall + VPN - for the monitoring part, it keeps tabs on incoming and outgoing Internet traffic.

The result is horrifying: our data is exposed outside the European Union precisely because of the many useless elements, such as trackers and the like. Guarantor, what are you doing? Are you allowing our data to leave the European Union? In this way even the Italian banking system is under control, in addition to us humble customers. Tomorrow, the analysis of that same data will define the degree of solvency of a nation's banking institution, based on the apps we have installed.

[Figure: Rethink Internet traffic monitoring of the Banca Intesa app - conversation with servers before authentication; the domains queried are overwhelmingly in the United States.]
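What the screenshot shows by eye can be turned into a repeatable check: take the connection log exported by a monitor such as PCAPdroid or Rethink, resolve each destination host to the country of its operator, and measure how much traffic, and in particular how much pre-authentication traffic, leaves the EU. The script below is an added example, not code from either tool. Its log format is a constructed CSV, not PCAPdroid's or Rethink's real export format; the host-to-country table is a constructed stand-in for a GeoIP/ASN database (the tracker host names in it are assumed, not taken from the page); and the capture rows are constructed to resemble the pre-login pattern described above.

```python
import csv
import io

# Constructed destination table: longest-suffix match of host names to the country of the
# operator. A stand-in for a real GeoIP/ASN lookup; the tracker endpoints are assumed.
DESTINATION_TABLE = {
    "intesasanpaolo.com": "IT",
    "app-measurement.com": "US",   # assumed Firebase Analytics endpoint
    "crashlytics.com": "US",
    "tiqcdn.com": "US",            # assumed Tealium CDN
    "exacttarget.com": "US",       # assumed Salesforce Marketing Cloud
    "dynatrace.com": "US",
}
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

# Constructed capture: phase marks whether the connection happened before or after login.
SAMPLE_CAPTURE = """ts,app,host,bytes_sent,phase
1,Intesa Sanpaolo Mobile,firebase-settings.crashlytics.com,1240,pre-login
2,Intesa Sanpaolo Mobile,app-measurement.com,3210,pre-login
3,Intesa Sanpaolo Mobile,tags.tiqcdn.com,880,pre-login
4,Intesa Sanpaolo Mobile,mc.exacttarget.com,2048,pre-login
5,Intesa Sanpaolo Mobile,bf.dynatrace.com,512,pre-login
6,Intesa Sanpaolo Mobile,www.intesasanpaolo.com,4096,login
7,Intesa Sanpaolo Mobile,unknown-cdn.example,100,login
"""


def lookup_country(host):
    """Longest-suffix match of a host name against DESTINATION_TABLE; None if unknown."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in DESTINATION_TABLE:
            return DESTINATION_TABLE[suffix]
    return None


def analyse(capture_text):
    """Aggregate bytes per destination country and list non-EU hosts contacted before login."""
    summary = {"by_country": {}, "outside_eu_pre_login": [], "unresolved": []}
    for row in csv.DictReader(io.StringIO(capture_text)):
        country = lookup_country(row["host"])
        if country is None:
            summary["unresolved"].append(row["host"])
            continue
        sent = int(row["bytes_sent"])
        summary["by_country"][country] = summary["by_country"].get(country, 0) + sent
        if row["phase"] == "pre-login" and country not in EU_COUNTRIES:
            summary["outside_eu_pre_login"].append(row["host"])
    total = sum(summary["by_country"].values())
    outside = sum(b for c, b in summary["by_country"].items() if c not in EU_COUNTRIES)
    summary["share_outside_eu"] = round(outside / total, 3) if total else 0.0
    return summary


if __name__ == "__main__":
    s = analyse(SAMPLE_CAPTURE)
    print("bytes by country:", s["by_country"])
    print("share of bytes leaving the EU: %.1f%%" % (100 * s["share_outside_eu"]))
    print("non-EU hosts contacted before login:", s["outside_eu_pre_login"])
    print("hosts with no country mapping (check manually):", s["unresolved"])
```

Unresolved hosts are reported rather than dropped: in a real capture those are precisely the destinations a reviewer has to chase down, and silently ignoring them would make the EU share look better than it is.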

All’s well that ends well

Not really, because the app system needs to be REFORMED, especially when it concerns sensitive individual and national data.

See you next time with the Bank of filth with the free fart.


  1. Let's be clear: Go Go Bank is a play on Go Go Bar, a term used for night clubs famous for entertainment and, in many cases, for companionship services, turning into an environment that can be considered a whorehouse. Clearly, the environment here is the software installed on the cell phones of the bank's customers, which contains unwanted elements and other more serious problems. ↩︎

  2. Source: Emerge Tools post on X (formerly Twitter). ↩︎ ↩︎