Massive security vulnerabilities detected in fintech N26’s app

The Berlin-based fintech N26 finally received their banking license and $40 million (38.5 million euros) in funding in a Series B round. This was the highlight of 2016.

Otherwise the year was a nightmare for the banking startup: Security vulnerabilities were discovered in the N26 credit card. The startup cancelled hundreds of accounts which caused considerable backlash from customers. The company’s tech head, Christian Rebernik, also left the company in 2016 and N26 is still struggling to move customer accounts away from Wirecard, their former banking partner. It is safe to say that the new year cannot come soon enough for the fintech.

But before it does the company will have to face one more hurdle.

At the end of December, an IT security expert, Vincent Haupert from the University of Erlangen-Nuremberg, will show massive security gaps within the N26 app, which he claims are inherent to the app’s infrastructure, at the yearly Chaos Communication Congress hosted by the Chaos Computer Club (CCC). He named the presentation “Shut up and Take My Money! - The Red Pill of N26 Security.”

Access to customer data, manipulable transactions

Haupert will show that it is possible to manipulate transfers via the N26 app and to take over entire accounts, which would make it possible to carry out every type of transaction. And all of this “regardless of the device.” He would have access to private customer information and be in the position to manipulate real-time transactions, he said. These are “severe vulnerabilities,” according to the short description of his presentation scheduled for the end of this month.

The technical details of how he hacked the app will first be shared during the presentation, but Haupert informed the startup about the security flaws at the end of September. An N26 spokeswoman confirmed that “he brought multiple vulnerabilities to the attention of N26.”

Was the startup able to stop the security breaches? The spokeswoman said: “We went after these specific scenarios and more than a million transactions. Up until now we have not experienced any damages, even those executed by Vincent Haupert.”

The company released a detailed blog post saying they “identified and fixed all potential vulnerabilities,” demonstrated by the security researcher.

N26 plans to establish a Bug Bounty Program

Despite the blog post stating that all vulnerabilities have been identified, if not fixed, the startup is stepping up its security.

In the coming weeks N26 wants to establish a Bug Bounty program, which lets individuals who detect vulnerabilities on their site or app receive compensation or recognition.

Companies like Facebook, Microsoft and Google have implemented similar programs.

The fact that Haupert discovered security issues at a young fintech startup rather than at a traditional bank comes as no surprise to him.

Companies breaking into the finance world for the first time place a lot of emphasis on mobile technology. This “Mobile First” strategy, which often focuses on “a hip design and user experience” instead of security, “is rewarded by rapidly increasing customer numbers,” but “reveals a flawed understanding of security.”

But that’s not to say traditional banks are safe. Last year Haupert caused a commotion at CCC when he showed that the Sparkasse banking app could be cracked and transfers could be made – if the banking and TAN apps were installed on the same smartphone.

This article was originally published on Gruenderszene.

Translation by Christine G. Coester

Photos via N26
