Financial services companies, banks, and credit unions integrate with a large number of third-party providers in order to offer attractive products and services to their customers. One of those products is Zelle Pay from Early Warning. Zelle facilitates peer-to-peer payments between individuals by allowing one person to send money to a family member or friend based on their email address or phone number. Put simply, a user chooses to send $25 to another user's email address or phone number, which is associated with a bank account or debit card.
In a recent assessment, Security PS identified a critical vulnerability that allowed one user to take over another user's Zelle account and intercept their payments. The attack does not require any interaction with the victim and is not related to the current social engineering attacks in which attackers try to trick victims into disclosing their six-digit PINs. The specific details of how the attack is possible are not publicly available, but it was specific to that company's implementation and not a flaw in the Zelle platform itself. However, its impact would be felt by ALL Zelle users, no matter which financial institution the user belonged to: an attacker could take over any Zelle account regardless of whether the victim used that company's Zelle implementation.
After identifying the vulnerability, Security PS immediately notified the company, consulted on the root cause, and suggested several possible remediation strategies. The company then deployed a fix in less than one day, closing that gap and protecting users' accounts from compromise.
The example above was the most serious but not the only vulnerability identified in that company's Zelle implementation. Each financial institution or financial services company is responsible for its own implementation, and each implementation may have its own unique set of vulnerabilities. In fact, Zelle delegates critical security controls to its integrators rather than providing them natively in the platform. Therefore, it is imperative that each integrator consider all the workflows, scenarios, and threats and engage an application security expert to perform a thorough assessment to identify potential weaknesses. Assessments should consider attacks that:
- Take over other users' accounts
- Forge payments or requests for money between users
- Allow users to approve their own or other users' requests for money
- And more...
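The list above describes the controls an integrator has to supply itself. As an added illustration (not code from Security PS, Early Warning, or any integrator, and not the Zelle API), the following hypothetical request-for-money service shows the server-side checks that close the second and third bullet points: the identity of the requester and of the approver is taken from the authenticated session rather than from client-supplied fields, only the designated payer can approve a request, a user cannot approve their own request, and a request cannot be approved twice. An insecure variant of the approval handler is included beside the hardened one to show the missing-authorization pattern an assessment looks for. All user IDs, request IDs, and amounts are constructed sample values.

```python
"""Server-side authorization checks for a peer-to-peer request-for-money flow.

Hypothetical integrator-side code: the names PaymentService, PaymentRequest,
and the session_user parameter are assumptions for this example, not part of
any real Zelle integration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class RequestStatus(Enum):
    PENDING = "pending"
    APPROVED = "approved"


@dataclass
class PaymentRequest:
    request_id: str
    requester_id: str  # user asking to be paid (set from the session)
    payer_id: str      # user who must approve and fund the payment
    amount_cents: int
    status: RequestStatus = RequestStatus.PENDING


class AuthorizationError(Exception):
    """Raised when the acting user is not allowed to perform the operation."""


@dataclass
class PaymentService:
    requests: Dict[str, PaymentRequest] = field(default_factory=dict)
    # (payer, payee, amount_cents) tuples for approved requests
    ledger: List[Tuple[str, str, int]] = field(default_factory=list)

    def create_request(self, session_user: str, request_id: str,
                       payer_id: str, amount_cents: int) -> PaymentRequest:
        # The requester is the authenticated user, never a client-supplied ID,
        # so a request cannot be forged on behalf of someone else.
        if payer_id == session_user:
            raise AuthorizationError("cannot request money from yourself")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        req = PaymentRequest(request_id, session_user, payer_id, amount_cents)
        self.requests[request_id] = req
        return req

    def approve_request_insecure(self, request_id: str) -> PaymentRequest:
        # Weak pattern flagged in assessments: any caller who knows (or guesses)
        # a request ID can approve it, including the requester themselves.
        req = self.requests[request_id]
        req.status = RequestStatus.APPROVED
        self.ledger.append((req.payer_id, req.requester_id, req.amount_cents))
        return req

    def approve_request(self, session_user: str, request_id: str) -> PaymentRequest:
        req = self.requests.get(request_id)
        # One error for "missing" and "not yours" so the endpoint does not
        # reveal which request IDs exist.
        if req is None or req.payer_id != session_user:
            raise AuthorizationError("request not found or not yours to approve")
        if req.status is not RequestStatus.PENDING:
            raise AuthorizationError("request already resolved")
        req.status = RequestStatus.APPROVED
        self.ledger.append((req.payer_id, req.requester_id, req.amount_cents))
        return req


def _attempt(fn, *args) -> str:
    """Run an operation and report its outcome as a short label."""
    try:
        fn(*args)
        return "ok"
    except AuthorizationError as exc:
        return f"denied: {exc}"


def run_scenario() -> dict:
    """Constructed scenario: alice asks bob for $25.00, then several parties try to approve it."""
    svc = PaymentService()
    svc.create_request("alice", "r1", "bob", 2500)
    return {
        "self_request": _attempt(svc.create_request, "alice", "r2", "alice", 100),
        "self_approve": _attempt(svc.approve_request, "alice", "r1"),
        "third_party": _attempt(svc.approve_request, "mallory", "r1"),
        "unknown_id": _attempt(svc.approve_request, "bob", "r999"),
        "payer": _attempt(svc.approve_request, "bob", "r1"),
        "replay": _attempt(svc.approve_request, "bob", "r1"),
        "ledger": list(svc.ledger),
    }


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label}: {outcome}")
```

The design choice worth noting is that every state change is validated against the stored record and the session, not against what the client sent: the requester is never read from the request body, the approver must match the stored payer, and the PENDING check makes approval idempotent. The first bullet point (account takeover) is an identity and enrollment concern that sits outside this workflow and needs its own review.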