Confessions of an ethical hacker

Tony Meholic | Information Security | 10/15/2015 2:48 PM

I always get a curious look, and there’s often an uncomfortable pause, whenever I tell someone that I’m an ethical hacker. I guess it’s because “ethical” and “hacker” seem to be contradictory terms to most people. But in the security realm, ethical hackers like me are widely recognized as vital to securing the web sites, applications and networks that face the general public.

Ethical hackers are used to test the security of our infrastructure and applications by attacking them as a malicious hacker would. The reasoning is that if we, the “good” hackers, can find weaknesses and vulnerabilities, we can take steps to close these openings and safeguard corporate assets before any “bad” hackers can exploit them.

As an ethical hacker, I’ve been performing these types of tests for many years and have seen some pretty interesting examples of hacking. One time I recognized that someone had discovered a weakness in the reservation system of a popular restaurant; the hacker managed, time and time again, to move their name to the top of the waiting list. In another instance I saw that people had discovered a hole in a hotel’s reservation system and were deleting charges not only for room service and the minibar, but for entire nights’ stays. Creative – yes. But also criminal.

One of the best examples of how beneficial ethical hacking can be happened just recently, when our team of consultants was called in to test a mobile banking application for another financial institution. This mobile application is offered by one of the largest bank processors and is used by thousands of banks in the United States. The app allows customers to conduct their banking activities through their smartphone or tablet. After the initial security review was performed, the processor stated that no vulnerabilities were found and that no customer account data was stored on the phone. The processor was so confident in the security of the app that they asked us at The Bancorp to conduct our own “ethical hacking” test.

Within the first 10 minutes of our examination, our team discovered that, contrary to what had been claimed, the application did in fact store the account information (account number, user ID and password) on the device in clear text. Even worse, the information was stored in a way that made it accessible both to anyone with physical access to the device and to other applications installed on it. Any customer who had installed the app could have had their credentials compromised without their knowledge. The processor was unaware of this until we revealed our findings; after confirming this major security issue, they updated the application to close these vulnerabilities.
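The two defects described above, credentials written in clear text and a storage location readable by other processes, are exactly what a reviewer should check for before accepting a vendor’s “nothing is stored on the device” claim. The following is an added example, not code from the post or from the processor’s application: a small Python audit that walks an app data directory, flags any file holding sensitive fields as readable values, and flags any file whose permissions grant read access beyond its owner. The directory layout, field names and file contents are all constructed for the example; the insecure file is placed beside a hardened one that stores only an opaque session token with owner-only permissions.

```python
"""Audit an app data directory for two insecure-storage failure modes:
credential fields stored in clear text, and files readable by other
local users or apps. All sample data is constructed inside this script;
nothing is read from a real device."""
import json
import os
import stat
import tempfile
from pathlib import Path

# Field names a banking app handles that must never be stored unencrypted
# (constructed list for this example).
SENSITIVE_FIELDS = {"account_number", "user_id", "password"}


def plaintext_sensitive_fields(path):
    """Return the sensitive field names stored as readable JSON values in `path`."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []  # not parseable JSON (for example, ciphertext): nothing readable
    if not isinstance(data, dict):
        return []
    return sorted(k for k, v in data.items()
                  if k in SENSITIVE_FIELDS and isinstance(v, str) and v)


def is_readable_by_others(path):
    """True if the file mode grants read access to group or other."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_app_data(root):
    """Return {relative_path: [issues]} for every file with at least one issue."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        issues = []
        fields = plaintext_sensitive_fields(p)
        if fields:
            issues.append("cleartext:" + ",".join(fields))
        if is_readable_by_others(p):
            issues.append("readable-by-others")
        if issues:
            findings[p.relative_to(root).as_posix()] = issues
    return findings


def build_sample_data_dir():
    """Create a constructed data directory with one insecure and one hardened file."""
    root = Path(tempfile.mkdtemp(prefix="mobile_app_"))
    prefs = root / "shared_prefs"  # hypothetical layout, not any real app's
    prefs.mkdir()
    # Insecure: credentials in clear text, file readable by any local process.
    bad = prefs / "session.json"
    bad.write_text(json.dumps({"account_number": "000123456789",  # constructed
                               "user_id": "jdoe",
                               "password": "hunter2"}), encoding="utf-8")
    os.chmod(bad, 0o644)
    # Hardened: only an opaque server-issued session token, owner-only access.
    good = prefs / "token.json"
    good.write_text(json.dumps({"session_token": "constructed-opaque-token"}),
                    encoding="utf-8")
    os.chmod(good, 0o600)
    return root


if __name__ == "__main__":
    sample_root = build_sample_data_dir()
    for rel_path, found in audit_app_data(sample_root).items():
        print(f"{rel_path}: {', '.join(found)}")
```

Run stand-alone, the script reports only `shared_prefs/session.json`, with both the clear-text and the permissions finding; `token.json` passes because a session token is not a credential and the file is owner-only. The permission check relies on POSIX mode bits, so on Windows it would need to be replaced with an ACL inspection.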

While this prevented future users of the application from having their credentials exposed, it also uncovered the fact that hundreds of thousands of bank customers who had used this app prior to our test could have had their account information compromised. By the time the weakness was discovered, it was no longer possible to determine whether any of these customers had experienced fraud or ID theft. This may be worrying, and perhaps even bad news, for some of these customers, but uncovering what made them vulnerable serves as a great example of why ethical hackers like me should be embraced.

The opinions, findings, or perspectives expressed in this content are those of the author and do not reflect the official policy or position of The Bancorp, Inc., its affiliates, or its or their employees.