N26, a smartphone-only bank in Germany that mocked traditional banks for their outdated approach, may not be the safest bet after all, as a researcher has found that its app is vulnerable to hacking.
At the Chaos Communication Congress in Hamburg, Vincent Haupert, a research fellow in computer science from the University of Erlangen-Nuernberg, showed how the bank's app could expose user data and allow hackers to hijack accounts.
"They say you can open a bank account in just eight minutes," Haupert told Reuters. "As it turns out, you can lose it even faster."
Haupert and two of his colleagues compared data from the infamous Dropbox leak, in which 68 million account credentials were publicly released and which included information on N26 users.
Haupert was able to send requests to the company's own software feed to identify nearly 33,000 N26 user credentials. The anti-fraud systems, which the company claims are top-level, could not detect the breach.
In a real-life situation, a hacker who got hold of such information could very easily send a phishing email to these N26 customers and potentially break into their accounts.
N26 was made aware of the loophole, thanked Haupert for his analysis, and said it was more of a theoretical security vulnerability. Since being alerted, it has made customer accounts more secure by reducing and encrypting data transfers, blocking brute-force attacks, and fixing voice-recognition security weaknesses in its app.
The Berlin-based fintech company, previously known as Number26, has expanded rapidly since its launch in early 2015 as a smartphone-only bank with no local physical branches. It has the backing of major global investors, including Silicon Valley's Peter Thiel, and has over 200,000 customers across 17 European countries.