| Recurring |
one_organization, multiple_organization |
(a) The software failure incident of hacking banking apps using reverse engineering has happened again at Arxan Technologies. The mobile security expert, Winston Bond, who demonstrated how banking apps can be hacked using reverse engineering, is the technical manager at Arxan Technologies [26521].
(b) The software failure incident of hacking banking apps using reverse engineering has also happened at other organizations or with their products and services. The article mentions that hackers attacked 78% of the top 100 paid Android and iOS apps last year, indicating that similar incidents have occurred with various apps across different organizations [26521]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident in the article is related to the design phase. The incident occurred due to the vulnerability introduced in the banking app during its development process. The security expert demonstrated how the app could be hacked by reverse engineering it and connecting it to an external server, allowing the hacker to obtain the user's password and transfer money to their account [26521].
(b) The software failure incident is also related to the operation phase. Users downloading a separate, malicious app were targeted in the attack. The attack only works when a user downloads this malicious app, indicating that the operation or misuse of the system by users played a role in the failure [26521]. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident described in the articles is primarily within the system. The failure occurred due to the vulnerability of the banking app itself, which allowed hackers to exploit the app using reverse engineering techniques. The security expert demonstrated how the app could be hacked by connecting it to an external server controlled by the hacker, revealing passwords and enabling unauthorized transfers of money [26521]. The incident highlights the importance of securing the app's code and preventing reverse engineering attacks from within the system. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
The software failure incident in the article is related to a security vulnerability in banking apps that can be exploited through reverse engineering techniques. This vulnerability allows hackers to connect the app to an external server and manipulate the code to reveal passwords, piggyback on payments, and transfer money to the hacker's account without the need for the user's login details. The process of reverse engineering involves translating the app's binary code back into the source code, which reveals how the app works and allows hackers to make changes to the code to carry out malicious activities [26521].
(b) The software failure incident occurring due to human actions:
The software failure incident in the article is primarily due to human actions, specifically the actions of hackers exploiting security vulnerabilities in banking apps through reverse engineering techniques. The mobile security expert demonstrated how hackers can manipulate the source code of apps to connect them to external servers, reveal passwords, and carry out unauthorized transactions. Additionally, the article mentions that the attack only works when a user downloads a separate, malicious app, indicating that user actions in downloading potentially harmful apps contribute to the vulnerability exploitation [26521]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident occurring due to hardware:
- The article does not mention any software failure incident occurring due to contributing factors originating in hardware. Therefore, there is no information available regarding a software failure incident related to hardware in the provided article.
(b) The software failure incident occurring due to software:
- The software failure incident discussed in the article is related to software vulnerabilities that can be exploited by hackers through reverse engineering techniques. The incident involves manipulating the source code of a banking app to connect to an external server controlled by a hacker, allowing for unauthorized access to user passwords and unauthorized transfers of money [26521]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. The incident involves a security expert demonstrating how a banking app can be hacked using reverse engineering techniques. The expert built a dummy app and connected it to an external server that could be run by a hacker. During the demonstration, the server was able to obtain the user's password and transfer money to the hacker's account without the user's knowledge or consent. This malicious activity was carried out to highlight the risks associated with the security vulnerabilities in banking apps [26521]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) poor_decisions: The software failure incident in the article was primarily due to poor decisions made in the design and implementation of the banking app's security measures. The security expert demonstrated how the app could be hacked using reverse engineering, highlighting vulnerabilities that allowed the hacker to obtain user passwords and transfer money to their account [26521]. The lack of robust security measures and the potential for unauthorized access to sensitive information indicate poor decisions in the app's development process. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident in the article can be attributed to development incompetence. The incident occurred due to the lack of professional competence in securing the banking app against reverse engineering and hacking techniques. The security expert demonstrated how the app could be hacked using free internet tools and reverse engineering methods, highlighting the vulnerabilities present in the app's design and implementation [26521].
(b) The software failure incident can also be considered accidental to some extent. While the hacking demonstration was intentional to showcase the vulnerabilities in the app, the actual exploitation of these vulnerabilities by hackers in the real world could happen accidentally if users unknowingly download malicious apps that exploit these security flaws. The accidental aspect comes into play when users inadvertently expose themselves to risks by downloading compromised apps without realizing the potential consequences [26521]. |
| Duration |
temporary |
The software failure incident described in the articles is more aligned with a temporary failure rather than a permanent one. This is because the incident was demonstrated as a proof of concept by a mobile security expert who developed a dummy banking app and engineered it to connect to an external server to showcase how hacking can occur through reverse engineering techniques [26521]. The incident was not a result of inherent flaws in all circumstances but rather due to specific actions taken by the expert to demonstrate the vulnerability of banking apps to hacking. |
| Behaviour |
value, other |
(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident is more related to security vulnerabilities in banking apps that can be exploited by hackers through reverse engineering [26521].
(b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, it focuses on how hackers can manipulate the source code of banking apps to obtain sensitive information and carry out unauthorized transactions [26521].
(c) timing: The incident is not related to the system performing its intended functions correctly but too late or too early. It is more about the security flaws in banking apps that allow hackers to intercept user data and manipulate transactions in real-time [26521].
(d) value: The software failure incident is primarily about the system performing its intended functions incorrectly due to security vulnerabilities that can be exploited by hackers. This leads to unauthorized access to user data and fraudulent transactions [26521].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. It is more focused on the specific method of reverse engineering used by hackers to exploit vulnerabilities in banking apps [26521].
(f) other: The behavior of the software failure incident can be categorized as a security breach due to the exploitation of vulnerabilities in banking apps through reverse engineering techniques. This unauthorized access and manipulation of user data and transactions highlight the critical importance of ensuring the security of financial applications [26521]. |