{"id":7558,"date":"2016-04-22T16:55:10","date_gmt":"2016-04-22T14:55:10","guid":{"rendered":"https:\/\/ihs.com.tr\/blog\/?p=7558"},"modified":"2018-10-03T16:56:01","modified_gmt":"2018-10-03T14:56:01","slug":"mobil-bankacilik-uygulamalari-raporu","status":"publish","type":"post","link":"https:\/\/www.ihs.com.tr\/blog\/mobil-bankacilik-uygulamalari-raporu\/","title":{"rendered":"Mobile Banking Applications Report"},"content":{"rendered":"<p><span style=\"font-size: 14pt;\">All of us probably use our bank\u2019s mobile application at least once a day. What is more, we are not as careful as we are when logging in from our computer. So how trustworthy are mobile banking applications? The results in this article will surprise you!<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Among the applications we use every day on our phone or tablet are the mobile applications of the bank or banks we are customers of. We log in to them sometimes on the road, sometimes in the car, and we almost never question their security. Yet that is exactly what we should do, because these applications may not be as secure as we think.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">The security tests this article covers were carried out in two separate categories, Android and iOS. Security and data leakage vulnerabilities were in turn divided into two categories: those originating in the operating system and those originating in the application. Man-in-the-middle, data-at-rest, credential and mobile malware tests were performed in that order.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\"><img decoding=\"async\" class=\"alignnone size-full wp-image-7560\" src=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2016\/04\/mobil-bankacilik.png\" alt=\"mobil-bankacilik\" width=\"799\" height=\"648\" srcset=\"https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2016\/04\/mobil-bankacilik.png 799w, https:\/\/www.ihs.com.tr\/blog\/wp-content\/uploads\/2016\/04\/mobil-bankacilik-300x243.png 300w\" sizes=\"(max-width: 799px) 100vw, 799px\" \/><\/span><\/p>\n<p><span style=\"font-size: 14pt;\"><strong>60% of mobile banking applications are open to attack!<\/strong> <\/span><br \/>\n<span style=\"font-size: 14pt;\">According to the results of the vulnerability test conducted by the <a href=\"https:\/\/www.ihs.com.tr\" target=\"_blank\">IHS Telekom<\/a> Security Laboratory in February 2016, the mobile banking applications of six of Turkey\u2019s ten most important banks contain security vulnerabilities. Fraud attacks that could be carried out by exploiting these vulnerabilities may lead to serious losses. &#8216;<strong>Username and password theft<\/strong>\u2019, attacks that could steal <a href=\"https:\/\/www.ihs.com.tr\/blog\/kisisel-verilerin-korunmasi\/\" target=\"_blank\">identity and credit card details<\/a>, and the &#8216;theft\u2019 of data stored on the mobile device stand out as the most important of these risks.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">In light of the vulnerabilities identified, users\u2019 privacy appears to be under threat in the affected applications. These vulnerabilities could have serious consequences in terms of undermining trust in the mobile banking channel. Especially at a time when the mobile banking channel is beginning to overtake desktop internet banking, assessing every kind of risk is extremely important. <\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Regarding the security vulnerabilities in mobile banking applications, the remarks of IHS Telekom Deputy General Manager <strong>B\u00fclent \u00d6zkan<\/strong> amount to a realistic warning to the sector: \u201cThese research results are an important warning for our banking sector that must be taken seriously. Our banks work hard to prove that their services and security are at world standards. Mobile banking is the future of the sector, and as a company we <strong>provide the best security to our customers in the banking sector<\/strong>.\u201d<\/span><\/p>\n<p><span style=\"font-size: 14pt;\"><strong>THERE IS RISK, BUT THE SOLUTION IS NOT HARD<\/strong> <\/span><br \/>\n<span style=\"font-size: 14pt;\">The research has shown that the majority of mobile banking applications in our country have security vulnerabilities and that users are therefore at risk.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">Among the biggest risks for mobile banking applications are man-in-the-middle attacks, data-at-rest theft, mobile malware, and Android and iOS vulnerability exploits. Bank customers are not aware that their financial information is at risk when they download these applications. One of the interesting points is that the security vulnerabilities also appear on operating systems that have not been jailbroken or rooted and are supported by the manufacturer.<\/span><\/p>\n<p><span style=\"font-size: 14pt;\"><strong>Credential Theft<\/strong> <\/span><br \/>\n<span style=\"font-size: 14pt;\">With a profile or rogue application downloaded onto the user\u2019s mobile phone, the username or password the user enters in the mobile application can be obtained. This includes the passcodes we use when logging in to mobile and online banking systems and the passwords we use to generate those passcodes.<br \/>\n<\/span><\/p>\n<p><span style=\"font-size: 14pt;\"><strong>Man-in-the-Middle<\/strong><br \/>\nWith this attack technique, the communication between the mobile application and the bank is intercepted, the links inside the <a href=\"https:\/\/www.ihs.com.tr\/blog\/e-destek-com-ios-mobil-uygulama-incelemesi\/\" target=\"_blank\">mobile application<\/a> can be altered, and content that would not normally exist in the application can be shown to users. In this way the attacker can obtain information such as the user\u2019s mother\u2019s maiden name, T.C. identity number, credit card and online banking password by asking the user for it through the application.<br \/>\n<\/span><br \/>\n<span style=\"font-size: 14pt;\"><strong>Data-at-Rest Theft<\/strong><br \/>\nThis attack technique makes some of the mobile application\u2019s code, database scripts and files accessible to the attacker. The attacker can thereby access certain sensitive information that the user cannot see but that resides inside the application.<br \/>\n<\/span><br \/>\n<span style=\"font-size: 14pt;\"><strong>Mobile Malware<\/strong><br \/>\nMobile malware is capable of collecting information from the user and from the mobile application using various techniques. Mobile malware can be developed specifically for a bank; for this, attackers need to produce and distribute software that targets a single bank\u2019s mobile application. Instead of this technique, where the attack surface narrows and the amount of work grows, attackers mostly prefer the <strong>SMS forwarding<\/strong> technique, which works on all mobile phones and targets all banks. In this scenario, the second-factor verification code used when logging in to the mobile and online banking application is forwarded to other numbers by an application installed on the user\u2019s mobile device. This type of attack is seen mostly on Android devices.<br \/>\n<\/span><br \/>\n<span style=\"font-size: 14pt;\">Pointing out that a ratio of six in ten is very high, IHS Telekom Deputy General Manager <strong>B\u00fclent \u00d6zkan<\/strong> says that Turkey\u2019s leading banks harbour security vulnerabilities that are 40% similar to one another, but that there is no need to be pessimistic. He explains why as follows: &#8216;The security of mobile banking applications is a newly emerging concept. Leading banks around the world also encountered similar security vulnerabilities in past years, and many international banks still have similar vulnerabilities in their <strong>mobile banking applications<\/strong>. <\/span><br \/>\n<span style=\"font-size: 14pt;\">At this stage, by taking quick and correct decisions, the security of mobile applications can be ensured with appropriate technologies. In this way the probable risks will have been eliminated.&#8217;<\/span><\/p>\n<p><span style=\"font-size: 14pt;\">This research was published in the Q1 2016 issue of IHS Telekom\u2019s Spam Dergi. You can read <a href=\"http:\/\/www.spamdergi.com.tr\/tum-sayilar\/\" target=\"_blank\">Spam Dergi<\/a> online if you wish.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>All of us probably use our bank\u2019s mobile application at least once a day. What is more, we are not as careful as we are when logging in from our computer. So&hellip;<\/p>\n","protected":false},"author":3,"featured_media":7559,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7558","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-haberler"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/7558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=7558"}],"version-history":[{"count":1,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/7558\/revisions"}],"predecessor-version":[{"id":7561,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/posts\/7558\/revisions\/7561"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media\/7559"}],"wp:attachment":[{"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=7558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=7558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ihs.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=7558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}