VPNOverview’s cybersecurity research team has discovered a breach affecting users of the fintech app Switch. Switch is a payment platform used for splitting expenses within a group. It was designed for the iPhone and created by Grink, Inc (Payclub).
We discovered that transaction logs and personal identification were stored in an insecure manner. We notified Grink, and they closed the breach as swiftly as possible.
Several Thousand Switch Financial Transactions Exposed
We found thousands of transaction logs in an unsecured Amazon Web Services (AWS) S3 bucket. In the logs, we found personally identifiable information (PII) of Switch users.
These logs have details about financial transactions, including names, email addresses, and amounts. We also found documents that appear to be used by Switch to verify its users.
Subsequently, this breach revealed messages between users in the comments field, tied to each user by name. We found that a total of 4,765 Switch users were affected, and 127 verified users had their documents exposed.
Driver’s Licenses of Verified Users Leaked
The documents that Grink accidentally published include driver’s licenses and passports belonging to individuals in the United States.
The leaked images above are samples of high-resolution photos of ID cards that are required by some fintech apps to verify their users. Such sensitive data should always be encrypted if it’s retained at all.
Timeline of the Breach
Our security team has outlined a specific timeline ranging from breach discovery to the closing of the breach by Grink. Our VPNOverview security team notified Grink of the issue, which resulted in them securing the exposed files. The following is a timeline of the process:
|VPNOverview security team discovered Switch users’ private data||January 13th, 2022|
|VPNOverview security team disclosed breach to Grink||January 14th, 2022|
|Grink secured the files||February 5th, 2022|
Note: Grink updated their bucket security 22 days after we notified them of the breach.
Stolen Documents Are a Cybercriminal Favorite
Some forms of PII have more value to cybercriminals than others in identity theft operations. Sensitive documents, like driver’s licenses and passports, can be used to commit fraud.
Statistically, email addresses and account passwords are less valuable to cybercriminals because they do not always provide immediate ROI (Return on Investment) like the former. Albeit, email addresses can be used in many ways to conduct a very common form of social engineering cybercrime known as phishing.
For example, during the peak moments of the pandemic, cybercriminals used compromised driver’s licenses to steal unemployment benefits. These documents can also be used to cash a check, verify a criminal’s identity when boarding a plane, or open bank accounts.
What You Can Do to Protect Your Driver’s License and Your Personal Information
If you have confirmed that your driver’s license was stolen or compromised in this Switch Fintech breach or otherwise, you should always report it to the relevant authorities. It is important to note that different countries deal with online fraud in different ways.
In the United States, for example, you can arrange an identity theft protection with the Federal Trade Commission (FTC), which will alert you of your information appearing for sale on the internet. You can set this up through the FTC’s identity theft portal. You should also check your credit reports and bank statements for signs of fraud and unauthorized transactions.
You could also look into ordering yearly credit reports for free which you can review once a year for signs of another account being opened in your name. It is also possible to freeze your credit files for free with services such as Equifax, TransUnion, Innovis, the National Consumer Telecommunications and Utilities Exchange. Credit freezes prevent cybercriminals from opening credit and utility accounts in your name.
It would also be a good idea to set up account security with your bank to alert you of accounts set up in your name. Multi-factor authentication across your devices will also help by preventing criminals from logging in to your accounts.
Cybercriminals don’t have to directly breach your data to exploit your personal information. Often, it is enough for someone to have a photograph of your personal documents. Over the years, millions of U.S. driver’s licenses have been compromised in breaches or failures to secure a database. This could be the case with Switch, too.
Storing Unencrypted Sensitive Data is Asking for Trouble
There have been plenty of breaches involving Amazon Web Services S3 buckets. Minimizing risk in all possible ways when it comes to personal documents is no laughing matter. Clearly, vendors should not leave electronic data unsecured as cybercriminals can piece together a scheme to target people with bits and pieces of information that they collect over some time.
Our security researcher Aaron Phillips shared the following remarks:
“This is a nightmare scenario for fintech app publishers. Storing personal documents unencrypted is unacceptable, and Switch users deserve better. These documents are some of the most sensitive pieces of PII that could possibly be leaked.”