{"id":830,"date":"2014-01-21T10:26:25","date_gmt":"2014-01-21T15:26:25","guid":{"rendered":"http:\/\/www.kaspersky.com.tr\/blog\/?p=830"},"modified":"2017-09-21T14:45:00","modified_gmt":"2017-09-21T11:45:00","slug":"830-mobil-bankacilik-uygulamalari-deliklerle-dolu","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/830-mobil-bankacilik-uygulamalari-deliklerle-dolu\/830\/","title":{"rendered":"Mobile Banking Apps Are Full of Holes"},"content":{"rendered":"<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2014\/01\/06015230\/bank_fb.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-832\" alt=\"bank_fb\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2014\/01\/06015230\/bank_fb.png\" width=\"403\" height=\"403\"><\/a>Some of the iOS banking apps belonging to the world's best-known banks, with large user bases, carry security vulnerabilities that could expose user data and lead to account takeover. An attacker with sufficient knowledge and equipment could monitor the user through a man-in-the-middle attack, take control of the account through session hijacking, and trigger memory corruption problems that can cause crashes and data leaks. 
Taken together, these would let an attacker capture user credentials, access the user's account, and commit fraud.<!--more--><\/p>\n<p>Ariel Sanchez, an Argentine researcher at IOActive, ran a series of tests on 40 mobile banking apps from 60 of the world's largest banks. The tests covered security analysis of the apps, including complex areas such as data transport mechanisms, user interfaces, storage processes, compilers, and executable files.<\/p>\n<p>Sanchez found a number of vulnerabilities in these tests.<\/p>\n<p>\u201cSomeone with the right skills can uncover potential bugs and then, with a bit of research, develop malware that takes over the accounts of users of the vulnerable apps,\u201d Sanchez says.<\/p>\n<p>Such a vulnerability could be used to gain access to the bank's development infrastructure, and malware injected into the app could then be used for a mass attack affecting every user of that app.<\/p>\n<p>IOActive says it has reported these vulnerabilities to the banks concerned. 
However, Sanchez says that so far no bank has informed them that the vulnerabilities have been patched.<\/p>\n<p>Sanchez says that what worried him most during testing was the development credentials embedded in the apps' executables. In other words, many of the vulnerable banking apps contain identifiable master keys. These were put there to give developers access to the app's infrastructure. Unfortunately, these embedded credentials can give attackers the same level of access.<\/p>\n<p>Part of the problem stems from many apps sending users unencrypted links or, when the data is encrypted, failing to properly validate SSL certificates. 
Because of this behaviour, Sanchez argues, app developers expose users to man-in-the-middle attacks, which can lead to malicious JavaScript or HTML injection or phishing attacks.<\/p>\n<p>Sanchez's findings also show that more than 70 percent of the banks failed the two-factor authentication tests.<\/p>\n<p>Sanchez adds: \u201cAll you need is the app's executable and tools to decrypt it and disassemble the code. There are hundreds of articles on the internet explaining how to decrypt and disassemble the code of these apps. Someone with time, even without much experience, can easily follow those articles and get there.\u201d<\/p>\n<p>The IOActive research has both good and bad sides (mostly good).<br>\nOn the good side, they are not disclosing the names of the banks or the vulnerabilities they found, so that attackers cannot easily pick their targets. On the bad side, we do not know which apps from which banks are vulnerable. 
So we also do not know whom to trust and whom not to.<\/p>\n<p>Frankly, the easiest thing to do is to avoid mobile banking apps until the banks confirm and fix these vulnerabilities. But most of us won't do that. So in the meantime, if your bank supports it, switch to two-factor authentication. Otherwise, be careful when clicking links in your banking app, stay alert to phishing messages, and keep an eye on your bank account.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some of the iOS banking apps belonging to the world's best-known banks, with large user bases, carry security vulnerabilities that could expose user data and lead to account takeover. 
With sufficient knowledge and<\/p>\n","protected":false},"author":350,"featured_media":831,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1287,1351],"tags":[502,503,751],"class_list":{"0":"post-830","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-bankacilik","10":"tag-guvenlik-acigi","11":"tag-mobil"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/830-mobil-bankacilik-uygulamalari-deliklerle-dolu\/830\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/bankacilik\/","name":"Bankac\u0131l\u0131k"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/350"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=830"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/830\/revisions"}],"predecessor-version":[{"id":3956,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/830\/revisions\/3956"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/831"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=830"}]
,"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}