Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.


By Rusty Carter, VP of Product at Arxan Technologies

It’s been an eventful start to 2018 with the confirmation of Spectre and Meltdown, two security vulnerabilities of unprecedented scope just three days into the new year.

Rusty Carter, VP of Product at Arxan Technologies
Rusty Carter, VP of Product at Arxan Technologies

Between the two of them, these vulnerabilities affect all devices running all but the most recently patched versions of iOS, Android, Linux, macOS and Windows – effectively covering the vast majority of connected devices in the world and proving that there are no trusted environments for high-value apps…

The critical vulnerabilities were discovered in most Central Processing Unit (CPU) chips from major manufacturers, with Meltdown impacting Intel, while Spectre also affects ARM, and AMD. The two exploits are related, but work in different ways. Meltdown uses Intel privilege escalation, whilst Spectre uses branch prediction, but the use of speculative execution means both exploits enable attackers to gain access to sensitive information on a victim’s machine.

How do the vulnerabilities work?

To use the exploits, an attacker first needs to get code running on the target system, which could be accomplished via malware, malicious websites, or delivered by other methods such as malvertising or phishing. Once this has been achieved, the attacker will need to escalate their privileges, so they can run code on the machine, and from there they can activate the Meltdown and Spectre vulnerabilities. Information can then be revealed in the computer’s kernel memory, which includes data such as keystrokes, passwords and encryption keys.

Because the flaw that makes such an attack possible is below the operating system, the usual assumptions of safety that developers are accustomed to do not apply. Due to the vulnerabilities existing in the underlying system architecture and because they are also responsible for significant performance improvements in the processor, they can be exceptionally long-lived, providing attackers with sufficient time to develop direct attacks aimed at the hottest targets.

The financial industry is one of the most obvious targets for such an attack, particularly the mobile banking applications that are fast becoming the most common way for people to complete transactions.

Accessing the device’s memory means an attacker could pull out data for any application, including user credentials and account numbers. Armed with this information, a cybercriminal may be able to access the victim’s account and conduct a devastating level of theft or fraud.

An attacker could also target the bank itself by extracting cryptography-related items such as decryption keys and API credentials –giving them important intelligence they likely need in order to gain access to the backend systems including transaction systems and user databases.

Can the financial sector defend itself?

Worryingly, the way the vulnerabilities work means that even the most well written banking apps are exposed to loss due to Spectre and Meltdown. The most effective way for a financial organisation to protect its customers and assets from this attack is to maintain encryption of data until the moment it’s necessary, and use techniques like those that manipulate control flow and obfuscate functionality within the application itself.

While an attacker can flush out data such as usernames and account numbers, if that data is encrypted, the likelihood they will actually be able to access it when it’s in an unencrypted state is significantly reduced. Most apps in the financial space encrypt data when it is transmitted from the app to the data centre or another device. Crucially though, to minimise vulnerability to Spectre, they will also need to encrypt all data within the app itself, and only decrypt it when absolutely necessary.

Another valuable defensive measure for financial organisations is to monitor and analyse the behaviour of the app itself. Anti-tampering and anti-reverse engineering measures combined with detection and reporting capabilities can provide businesses with signals indicating that something unusual is happening.

While the vulnerabilities are currently being patched – particularly Meltdown –  the process has not been perfect, leading to performance issues and continuing to leave some devices exposed. Even if when both exploits are completely fixed however, their existence should serve as a strong warning to financial organisations about potential threats to their customers that are essentially out of their hands. Encrypting all data within the app, as well as deploying other advanced methods like anti-tamper solutions, will ensure that financial apps are best equipped to defend themselves even when the next big vulnerability rears its head.