Hackathon "Hack of banking applications"

development Nov 19, 2019

The working week had flown by, and the long-awaited Saturday, 21/09/2019, finally arrived. We were looking forward to it because a hackathon was scheduled for that date. Hackathons are held regularly at ITOMYCH STUDIO, but this one stood in stark contrast to the previous ones: the topic chosen for it was “Hack of banking applications”.

It is relevant for our team because fintech development is the main line of our work.

From our own experience, we know that the process of banking application development is intensive and complicated. The responsibility for the security of user data lies with every participant in the development process. It all starts with a creative product owner who is responsible for the business and functional requirements of the application. UI/UX designers turn those requirements into the product design. Then the architects define the basic structure of the system, and they must consider not only functional but also non-functional requirements. Developers bring the app to life, and a careful QA team makes sure that everything is implemented according to plan and without bugs. Each member of this development chain needs to understand how the application could potentially be hacked.

A week before the event, ITOMYCH STUDIO founder Igor Tomych gave a lecture on the basics of security, “System penetration for fun and profit”, to make the hackathon as useful as possible. This allowed the participants to improve their knowledge of application security. During the lecture we also discussed the concept of the upcoming hackathon.

At the beginning of the event, all participants gathered at ITOMYCH STUDIO’s office. They were given their tasks and discussed the purpose of the hackathon. The organizers chose the hackathon tasks based on information about the most common hacking attacks:

  • obtaining unauthorized access to the data;
  • obtaining unauthorized actions with bank accounts and cards.

Of course, these are not all existing attacks, but they are the ones we wanted to test. As a result of the joint discussion, 10 study areas were selected. These include working with JWT, callbacks, SQL injection, checking keys in the application, etc. Particular attention was paid to analysing how the mobile application handles the data it receives.