“Dave” is one of the more successful members of a current crop of mobile banking apps that provide cash advances and other financial services outside of the traditional banking system. Or at least it was until recently. A third party data breach appears to have exposed the entirety of the app’s user base, some 7.5 million people in total.
The breach has been traced back to analytics platform Waydev, a former Dave partner. The full contents have been made freely available to the public via an underground hacking forum. Though it is a third party data breach of an analytics contractor, it appears to include nearly all the personal information that someone would use to set up and maintain a Dave account: full names, emails, birth dates, and home addresses. The breach also reportedly contains encrypted social security numbers and hashed passwords.
Third party data breach highlights the hidden risks of fintech apps
Introduced in 2017, Dave has rocketed to prominence (and a substantial user base) thanks to financial backing by celebrity investor Mark Cuban. While many of these apps focus on traditionally underbanked markets, Dave differentiates itself by focusing on overdraft protection as a central feature and has a more rigorous application process than some. It requires users to pass an income check and also examines the applicant’s checking history prior to approval.
All of this means that Dave users are trusting the platform with more information than some prepaid cards and fintech apps ask for. Dave requires ongoing access to the user’s checking account to monitor it for potential overdrafts, comparing established user spending patterns to the remaining balance and issuing warnings in advance when estimated expenses stand a chance of going over. The app also offers a form of payday loan when an overdraft is anticipated.
Though specifics are thin, the third party data breach appears to have been caused by Waydev’s engineering teams having access to all of the personal information of Dave users. It is unclear exactly how the hackers gained unauthorized access, but a Dave spokesperson said that the security hole had been closed at this point.
That’s too late for all of Dave’s existing users. The full amount of stolen data was leaked to hacking forum RAID, and made freely available for download to anyone who has accumulated enough “forum credits” to access it. The data dump was perpetrated by a group called ShinyHunters, which has been behind the breach and sale of data from numerous companies in the past year including dating app Zoosk and printing service Chatbooks. ShinyHunters generally offers their breached data for sale; it is unclear why they made this potentially lucrative hack of sensitive financial data available for free. There are some indications that it was available for sale on other forums for some weeks prior to this, however, so it is possible that ShinyHunters simply bought access to the data from a competitor and then released it to undercut them.
While it is unlikely that the encrypted social security numbers will be cracked, it appears that at least some of the Dave passwords may have already been exposed. Hackers on underground forums have been boasting of cracking at least a portion of the stolen credentials. The user passwords are hashed with bcrypt; though it is a longtime industry standard that is generally seen as secure, it should be assumed that threat actors will eventually crack all of these password hashes, given that they are now freely available to anyone with an internet connection.
SecurityWeek reports that the third party data breach stems from an early July compromise of Waydev’s GitHub app. The attackers may have also accessed Waydev’s source code. There are indications that other Waydev partners, such as testing platform Tricentis Flood, have experienced breaches of customer personal information.
Yet more third party problems
Third party data breaches continue to be a significant cybersecurity issue in spite of numerous high-profile examples demonstrating that they are a strong focus for threat actors. While organizations cannot control the security of what are often hundreds of business partners that handle customer information, Gurucul CEO Saryu Nayyar notes that there are still numerous proactive measures that can be taken: “The challenge is gaining visibility into 3rd party environments or applications that can access your own systems. It’s very difficult to hold outside vendors to your organization’s security requirements. You often have little recourse but to require it in writing, and hope they hold up their end of the bargain. There are things an organization can do on their own side though. Monitoring the connections and what traffic is moving across them can identify inappropriate behavior, and applying advanced security analytics can pinpoint malicious activities before they can escalate to a major breach.”
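The kind of partner-connection monitoring Nayyar describes can be as simple as comparing each third party's daily read volume against its own established baseline, so that a bulk pull of the whole user table stands out. The following is an added example, not code from the article or from Dave or Waydev; the log format, partner names, the `flag_bulk_reads` thresholds and the sample lines are all constructed for illustration.

```python
"""Baseline check on third-party partner access to customer records.

Added example with a constructed log format: each line is
"<ISO timestamp> partner=<name> action=<verb> records=<count>".
"""
from collections import Counter, defaultdict

# Constructed sample: a partner reads a few hundred records per day, then
# pulls the entire user table in one request on the following day.
SAMPLE_LOG = """\
2020-07-01T02:00:00Z partner=analytics-vendor action=read_users records=120
2020-07-01T02:05:00Z partner=analytics-vendor action=read_users records=140
2020-07-01T02:10:00Z partner=analytics-vendor action=read_users records=95
2020-07-01T02:15:00Z partner=analytics-vendor action=read_users records=110
2020-07-02T03:00:00Z partner=analytics-vendor action=read_users records=7500000
2020-07-02T03:01:00Z partner=payments-vendor action=read_users records=20
"""

def parse(log_text):
    """Turn each log line into a dict with ts, partner, action, records."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        fields["ts"] = parts[0]
        fields["records"] = int(fields["records"])
        events.append(fields)
    return events

def daily_volume(events):
    """Records read per partner per UTC day: {partner: Counter({day: n})}."""
    totals = defaultdict(Counter)
    for e in events:
        totals[e["partner"]][e["ts"][:10]] += e["records"]
    return totals

def flag_bulk_reads(events, max_multiple=10, min_records=1000):
    """Flag (partner, day, volume, baseline) where a day's volume exceeds
    max_multiple times the partner's median prior daily volume and is at
    least min_records. Partners with no history cannot be baselined yet."""
    alerts = []
    for partner, per_day in daily_volume(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = sorted(per_day[d] for d in days[:i])
            if not prior:
                continue
            baseline = prior[len(prior) // 2]
            vol = per_day[day]
            if vol >= min_records and vol > max_multiple * baseline:
                alerts.append((partner, day, vol, baseline))
    return alerts
```

Feeding real partner API logs through `flag_bulk_reads` gives one alert per partner-day that breaks its own pattern; the single-vendor alert on the constructed sample is the whole-table pull.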
Brenda Ferraro, Former Aetna Meritain CISO and VP of Third-Party Risk at Prevalent, continued on the theme of security controls and careful drafting of agreements to prevent (or at least mitigate the damage of) a third party data breach: “There are both proactive and reactive methods organizations can employ to mitigate the impact of such exposures, with the proactive measures costing much less in business-impacting recovery costs and lost revenue and trust than the reactive methods. Proactively, organizations’ third-party risk management programs should feature rigorous offboarding processes for partners they no longer do business with. One part of the offboarding plan should include customizable surveys and workflows that streamline information gathering regarding system access, data destruction, final payments and more for assurance that required contractual network and data security obligations are met. Reactively, there are solutions available that monitor criminal forums, dark web special access forums, threat feeds, hacker chatter and paste sites for leaked credentials that can spot activity sometimes even before the organization knows they’ve been breached. Seeing this activity and correlating it with a third-party’s response to their internal control and security assessment is a key point of validation to close the loop.”