Evaluation of computer vulnerabilities in QR codes of the “Wallink” mobile banking application

  • Carlos Fajardo, Universidad Católica de Cuenca, Cuenca, Ecuador
  • Marco Yamba-Yugsi, Universidad Católica de Cuenca, Cuenca, Ecuador
  • Eduardo Mauricio Campaña Ortega, Universidad Católica de Cuenca, Cuenca, Ecuador
Keywords: Cybersecurity; Financial Applications; Vulnerabilities; Risk Analysis; Authentication.

Abstract

The growth of banking in Ecuador is evident in the digitalization of its services, which brings new cybersecurity challenges. Mobile banking applications use various authentication methods, among them QR codes, which may carry vulnerabilities that must be found before cybercriminals exploit them. This research evaluated the security of the QR codes used by the mobile banking application “Wallink” by applying the security testing methodology of NIST Special Publication 800-115. A total of 672 QR codes were generated over six days and subjected to decoding, pattern and encryption analysis, together with static and dynamic analysis of the application. The results revealed a constant prefix “PHIQR” followed by 48 characters; a fixed prefix reduces the effective entropy of every code and could constitute an initial vulnerability. The encryption analysis estimated a 95.17% probability that the codes are produced by polyalphabetic substitution. The static analysis yielded a medium risk score (46/100), flagging issues such as the Janus vulnerability (which affects APKs verified only by the v1 signature scheme) and permissions considered excessive. The dynamic analysis showed an adequate TLS/SSL configuration but inappropriate data storage practices. From these findings the risk level was scored at 2.83/5, a medium risk for the use of QR codes. The assessment underscores the importance of strengthening security through more robust encryption algorithms and better secure development practices.
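The pattern, entropy and cipher checks the abstract describes, as an added example that is not the paper's code. It constructs its own batch of payloads (a fixed “PHIQR” prefix followed by 48 letters of a toy Vigenère cipher with the hypothetical key WALNUT) so that it runs offline; decoding the QR images is assumed to have already happened, and the 95.17% figure in the abstract comes from the authors' own classifier, which is not on this page. The script reproduces the two observations a practitioner would make on such a batch: the constant prefix shows up as zero-entropy positions, and the key period of a polyalphabetic substitution is recovered by comparing the index of coincidence of the whole ciphertext with the per-column values at candidate periods (about 0.066 for English text, about 0.038 for uniformly random letters).

```python
"""Added example (not from the paper): pattern, entropy and index-of-coincidence
checks over a batch of decoded QR payloads. The payloads are CONSTRUCTED here:
a fixed "PHIQR" prefix followed by 48 letters from a toy Vigenere cipher, so the
checks have something to find. They are not Wallink codes and the numbers they
produce are not the paper's results."""
import math
import os
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
PREFIX = "PHIQR"   # constant prefix reported in the abstract
BODY_LEN = 48      # variable characters following the prefix
KEY = "WALNUT"     # hypothetical key for the toy cipher (period 6)

# Constructed English-like plaintext pool (letters only), 179 letters: a prime
# length, so no candidate period divides it and leaks a spurious signal.
_POOL = "".join(c for c in (
    "THE CUSTOMER AUTHORISES A TRANSFER FROM THE SAVINGS ACCOUNT TO THE "
    "MERCHANT WALLET AND THE BANK CONFIRMS THE PAYMENT WITH A ONE TIME CODE "
    "SHOWN ON THE MOBILE APPLICATION BEFORE THE ORDER IS RELEASED TO THE SHOP FLOOR"
) if c in ALPHABET)


def vigenere(plaintext, key):
    """Toy polyalphabetic substitution: position i is shifted by key[i % len(key)]."""
    out = []
    for i, ch in enumerate(plaintext):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def sample_codes(n):
    """n constructed payloads: PREFIX + Vigenere of a 48-letter window of the pool.
    Consecutive windows are contiguous, so the bodies concatenate into one long
    ciphertext with a single key period, like codes from one generator."""
    codes = []
    for i in range(n):
        start = (i * BODY_LEN) % len(_POOL)
        window = (_POOL * 3)[start:start + BODY_LEN]
        codes.append(PREFIX + vigenere(window, KEY))
    return codes


# ---- pattern analysis: constant prefix and per-position entropy -------------

def common_prefix(codes):
    """Longest prefix shared by every code; non-empty means fixed, predictable bytes."""
    return os.path.commonprefix(codes)


def shannon_entropy(symbols):
    """Entropy in bits of the empirical distribution of the given symbols."""
    symbols = list(symbols)
    n = len(symbols)
    return 0.0 - sum(k / n * math.log2(k / n) for k in Counter(symbols).values())


def positional_entropy(codes):
    """Entropy of each character position across the batch; 0.0 marks positions
    that never change (the constant prefix), i.e. the entropy reduction."""
    width = min(len(c) for c in codes)
    return [shannon_entropy(c[i] for c in codes) for i in range(width)]


# ---- cipher analysis: index of coincidence (IoC) ----------------------------
# A polyalphabetic cipher drags the overall IoC toward the random value, but
# each column taken at the key period is a single shift and keeps the
# plaintext's IoC, which is how the key period is recovered.

def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(k * (k - 1) for k in Counter(text).values()) / (n * (n - 1))


def period_ioc(text, period):
    """Average IoC over the `period` columns text[j::period]."""
    return sum(index_of_coincidence(text[j::period]) for j in range(period)) / period


def estimate_period(text, max_period=12):
    """Smallest period whose column IoC is within 10% of the best candidate,
    returned with all scores. Multiples of the true period score just as well,
    which is why the smallest qualifying period is chosen."""
    scores = {p: period_ioc(text, p) for p in range(1, max_period + 1)}
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= 0.9 * best), scores


def looks_polyalphabetic(text):
    """True when some period > 1 restores a clearly higher IoC than the whole text."""
    period, scores = estimate_period(text)
    return period > 1 and scores[1] < 0.9 * scores[period]


if __name__ == "__main__":
    codes = sample_codes(40)
    print("constant prefix:", common_prefix(codes))
    ent = positional_entropy(codes)
    print("zero-entropy positions:", sum(1 for h in ent if h == 0.0), "of", len(ent))
    body = "".join(c[len(PREFIX):] for c in codes)
    period, scores = estimate_period(body)
    print("overall IoC %.4f, best period %d with column IoC %.4f"
          % (scores[1], period, scores[period]))
    print("polyalphabetic substitution suspected:", looks_polyalphabetic(body))
```

On a real batch, replace `sample_codes` with the decoded payloads and restrict the IoC functions to the alphabet actually observed; a high-entropy body with no period that lifts the column IoC is what a properly random or strongly encrypted token should look like, and a recoverable period is the signal that the encoding is a classical substitution rather than a modern cipher.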


References

Asociación de Bancos Privados del Ecuador [ASOBANCA]. (2022). El avance de la banca digital en Ecuador. https://lc.cx/kZP0Q-

Bhosale, V. P., Naik, P. G., Desai, S. B., & Patekar, P. (2023). Secure QR Code Transactions Using Mobile Banking App. In: T. Senjyu, C. So-In, A. Joshi, (eds). Smart Trends in Computing and Communications. (pp. 35–46). Springer. https://doi.org/10.1007/978-981-99-0838-7_4

Carbó-Valverde, S., Cuadros-Solas, P. J., & Rodríguez-Fernández, F. (2020). The Effect of Banks’ IT Investments on the Digitalization of their Customers. Global Policy, 11(1), 9–17. https://doi.org/10.1111/1758-5899.12749

Chatzoglou, E., Kambourakis, G., & Kouliaridis, V. (2021). A multi-tier security analysis of official car management apps for android. Future Internet, 13(3), 1–35. https://doi.org/10.3390/fi13030058

Di Nocera, F., Tempestini, G., & Orsini, M. (2023). Usable Security: A Systematic Literature Review. Information, 14(12), 641. https://doi.org/10.3390/info14120641

Focardi, R., Luccio, F. L., & Wahsheh, H. A. M. (2019). Usable security for QR code. Journal of Information Security and Applications, 48. https://doi.org/10.1016/j.jisa.2019.102369

Idris, M., Syarif, I., & Winarno, I. (2022). Web Application Security Education Platform Based on OWASP API Security Project. EMITTER International Journal of Engineering Technology, 10(2), 246–261. https://doi.org/10.24003/emitter.v10i2.705

Kopal, N. (2018). Solving Classical Ciphers with CrypTool 2. Proceedings of the 1st Conference on Historical Cryptology, 29–38. https://lc.cx/ZvacDy

Kusreynada, S. U., & Barkah, A. S. (2024). Android Apps Vulnerability Detection with Static and Dynamic Analysis Approach using MOBSF. Journal of Computer Science and Engineering, 5(1), 46–63. https://doi.org/10.36596/jcse.v5i1.789

National Institute of Standards and Technology [NIST]. (2008). Technical Guide to Information Security Testing and Assessment (NIST Special Publication 800-115). https://doi.org/10.6028/NIST.SP.800-115

Pernpruner, M., Carbone, R., Sciarretta, G., & Ranise, S. (2023). An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols. IEEE Transactions on Dependable and Secure Computing, 21(4), 1935-1950. https://doi.org/10.1109/TDSC.2023.3296210

Superintendencia de Economía Popular y Solidaria [SEPS]. (2023). Resolución Nro. SEPS-IGT-IGS-INSESF-INR-INGINT-INSEPS-009. https://lc.cx/K9JVNW

Surya, S., Jagtap, S. R., Ramnarayan, R., Priyadarshini, M., Ibrahim, R. K., & Alazzam, M. B. (2023). Protecting Online Transactions: A Cybersecurity Solution Model. 3rd International Conference on Advance Computing and Innovative Technologies in Engineering. https://doi.org/10.1109/ICACITE57410.2023.10183282

Wang, Y., Shen, Y., Su, C., Ma, J., Liu, L., & Dong, X. (2020). CryptSQLite: SQLite with High Data Security. IEEE Transactions on Computers, 69(5), 666–678. https://doi.org/10.1109/TC.2019.2963303

Zhou, Y., Hu, B., Zhang, Y., & Cai, W. (2021). Implementation of Cryptographic Algorithm in Dynamic QR Code Payment System and Its Performance. IEEE Access, 9, 122362–122372. https://doi.org/10.1109/ACCESS.2021.3108189

Published: 2024-08-31
How to Cite
Fajardo, C., Yamba-Yugsi, M., & Campaña Ortega, E. M. (2024). Evaluation of computer vulnerabilities in QR codes of the “Wallink” mobile banking application. Religación, 9(41), e2401287. https://doi.org/10.46652/rgn.v9i41.1287