oBike reviews app security after breach

Credit: straitstimes.com

  • Dec 07 2017 21:25

Bicycle-sharing operator oBike is reviewing the security of its app following a leak that affected its users’ data in 14 countries.

German broadcaster Bayerischer Rundfunk reported last week that unencrypted user data – names and ride locations, for example – were accessible online.

A spokesman for the Singapore-based firm said yesterday it was made aware of the issue two weeks ago, and worked to resolve it immediately. He added that it affected only a handful of users.

“As (we are) a tech company, users’ data and security are of paramount importance to us,” he said, adding that credit card details and user passwords were not stored in the app and not leaked.

The leak resulted from a gap in the oBike app’s application programming interface (API) that allowed users to refer their friends to the firm’s services.

“We have since fixed the loophole by disabling the API and created additional security layers,” the spokesman said, adding that the systems were now fully restored and secure. “We are relooking the sharing and security functions of the app, to ensure that no further user data is compromised.”

When contacted, the Personal Data Protection Commission said it was aware of the data breach and had reached out to oBike for more details.

oBike rolled out its bicycles in Singapore in January and has since expanded to other cities worldwide, including Melbourne and London.

In response to news of oBike’s data leak, rival bike-sharing firm ofo said it “does not collect, process or access any individual user data or information in (its) work”. Instead, it uses only accumulated rider information for data analysis purposes, it said.

A spokesman for Mobike said it had “robust data management protocols” in place to protect user data, adding that it does not share users’ personal data with third parties without their consent.

The news of oBike’s user data leak comes after it was revealed last month that ride-hailing giant Uber covered up a data breach last year. The breach exposed the personal details of 57 million passengers and drivers worldwide to hackers. The American firm had not informed the authorities about the attack and, instead, paid hackers US$100,000 (S$135,000) to delete the compromised data.

Closer to home, the NRIC numbers of hundreds of Xinmin Secondary School students were leaked online last month.

“The sad reality is that this kind of incident is getting more common,” said Mr David Maciejak, security research director for cyber security provider Fortinet.

He said people should take steps to protect their own data, such as by using a virtual credit card, which provides users with a disposable credit card number.

Akamai Technologies security chief technology officer Michael Smith warned people against reusing passwords across multiple websites and applications.

He suggested the use of password manager applications such as LastPass instead. LastPass creates a private account where users can store encrypted passwords.

Observers said the increasing use of APIs, which let software components communicate, means they are vulnerable to attack.

Though the use of APIs is becoming more important, there is less knowledge and history on how to secure them, said Mr Smith.

“Over the past several years, we’ve seen attackers target APIs more frequently because they are perceived as being less protected than websites that are accessed with a browser,” he added.

Mr Edward Lim, South-east Asia and Greater China senior director for security firm RSA, said there needs to be more stringent testing for APIs. “For example, firms could incorporate vulnerability assessment at every major stage of the API development, instead of only upon completion of the apps.”

Mr Mohan Veloo, Asia-Pacific chief technology officer for network security firm F5 Networks, said APIs should be vetted to ensure that they do not give third parties an unnecessary level of authorisation rights and privileges that could be exploited by hackers.

He described the use of APIs as a double-edged sword for companies. “By using APIs, businesses inadvertently open up a back door to all their data.”


