Mobile Banking Apps For iOS Woefully Insecure 139
msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."
feedback (Score:5, Insightful)
How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.
Re: (Score:1)
They'll need to work out whose fault it was
duh! it's apple's fault
Re: (Score:2, Interesting)
Most of these banks are contracting mobile development out.
I would bet that 80% of these 60 banks are buying the same moderately customized app(s) from the same vendors.
I would also suspect there will be similar flaws with the Android versions.
Given that most banks don't have any in-house mobile development, they are probably all descending on the few vendors that wrote and customized these apps, and they will all get fixed about the same time.
Re:feedback (Score:5, Interesting)
Re: (Score:1)
I have at numerous times been subject to deliberately crafted malware that often delays its mischief until I leave the site which gave it to me and shows up later. Some of it has been so robust that it survives reboots (the "S.M.A.R.T. HDD" virus was the last one I had that did this) and required going back to a re
Re: (Score:2)
Re: (Score:3)
Re: (Score:1)
You do run on a bit, but the point(s) are well taken. When I was in China I had a chance to hook up with one of the largest banks through their "internet banking."
First, it required IE6. Yes, required, nothing else would work
Second, it required pop-ups because your user name and password had to be input in a pop-up
Third, if you tried to use something like Firefox you would get a notification that the certificate was invalid and had been revoked
So, I went to talk to them about it. Shocked, they were. Incapab
You Must Be Crazy ... (Score:5, Interesting)
Re:You Must Be Crazy ... (Score:4, Interesting)
Re:You Must Be Crazy ... (Score:5, Interesting)
Who's writing keylogging malware for CentOS?
Re: (Score:2)
My kingdom for some mod points!
Re:You Must Be Crazy ... (Score:4, Informative)
No need to, it's built into the OS. It even has a nice CLI to handle starting, stopping and logging: ttysnoop.
However, getting sufficient permissions is the hard bit, especially for a remote attacker.
It's in the repo (Score:2, Funny)
Try "yum install logkeys"
Re: (Score:3)
Who's writing keylogging malware for CentOS?
That's just what the NSA wants you to think.
Re:You Must Be Crazy ... (Score:4, Insightful)
The government already has access to my bank account. They don't need to break into my computer to get it.
(Not discounting they might have broken into my computer for some other reasons).
Re: (Score:2)
The government already has access to my bank account. They don't need to break into my computer to get it.
They'd be interested in your password though.
Either in case you re-use it elsewhere or to help them guess the type of passwords you'd use for other accounts.
Re: (Score:3)
The government already has access to my bank account. They don't need to break into my computer to get it.
They'd be interested in your password though.
Either in case you re-use it elsewhere or to help them guess the type of passwords you'd use for other accounts.
Why would they need a password? Judging from what we have learned about NSA standard practice all they have to do is show up at your bank, twist some arms, drop the words "We're post 911 here, are you telling us you are refusing to contribute to national security?" and your bank will set up a dedicated back-door that allows them to access any data they want.
Re: (Score:1)
The government already has access to my bank account. They don't need to break into my computer to get it.
They'd be interested in your password though. Either in case you re-use it elsewhere or to help them guess the type of passwords you'd use for other accounts.
I don't know if this should be +1 paranoid, or +1 insightful.
Re: (Score:1)
You're not safe. Linux servers get hacked all the time, and your home computer is probably not nearly as battle hardened as a professionally maintained server. So sit down and shut the fuck up.
Re: (Score:3)
Who's writing keylogging malware for CentOS?
Oh, I know this one! What is the NSA, Alex?
Re: (Score:2)
I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.
You'd argue that, but according to this article you'd be dead wrong.
Really, how many people do you have running through your house that you need to worry about a key-logger?
Re: (Score:2)
Let's compare apples to apples; if you access your bank using a non-jailbroken iOS device using Safari, that's going to be a lot more secure than any desktop browser.
Perhaps if by "desktop browser" you mean old versions of windows, you might be right.
My browsers run in a sandbox, and I also only access my bank from Linux.
Re: (Score:2)
Let's compare apples to apples; if you access your bank using a non-jailbroken iOS device using Safari, that's going to be a lot more secure than any desktop browser.
Only if you're literally comparing (mobile) Apples(tm) to (desktop) Apples(tm).
Unlike OSX, iOS, and Safari, recent versions of Windows (when used with recent versions of IE to access web sites with recent SSL3/TLS implementations) successfully mitigate BEAST attacks, and can safely use CBC cipher suites. Apple hasn't bothered, so Safari is stuck with RC4.
Re: (Score:1)
Re: (Score:1)
You say 'disconnected from all internet' but as Inigo said, I don't think it means what you think it means. How about 'all other internet'?
Re: (Score:3)
Woosh...
Re: (Score:3)
Re: (Score:2)
The idea that jailbreaking makes a device less secure seems rather silly. The vulnerabilities are there, either way. It comes down to what you, the user, do with the device - and that's true regardless of its jailbroken status.
Also, the argument from the article that not detecting jailbroken devices is bad is also silly - it's not like that's particularly hard to circumvent. All it would accomplish is to inconvenience legitimate customers.
Re: (Score:2)
Re: (Score:2)
That is exactly what I do. If there is no money to steal, the bad guys cannot get it. Only twice in 2013 was there more than $100 in the account that I use online. Most of the time, there is only about $10 in that account. I put money in when I intend to spend it, I spend it, and the account is nearly empty again. No hacker anywhere has had an opportunity to steal $5,000 from that account.
If Mom keeps a cookie jar on the counter, and only ever puts two cookies at a time in it, then you can't steal more
Relying on internal 'talent' (Score:1)
Banks are normally quite process oriented, so in this case I imagine the problem is that the technology is too new for the banks to have a good enough process to cope with the changes and the banks are very rigid about their process where it comes to allowing in new specialist vendors. I am dealing with this on daily basis, for a small company dealing with banks is extremely difficult. I am not even blaming anybody, it's the management necks that are on the line and more often than not, management is not
Re:Relying on internal 'talent' (Score:5, Insightful)
The other things they mention, assorted attacks or failures to mitigate against an attacker with privileged access to the system, aren't good; but they are both less dangerous (at least to people running stock iOS) and more novel and platform-specific. The first class of bugs, though, should have been solved a decade or more ago when they started dabbling in this 'web' stuff.
Re: (Score:1)
It is surprising if you don't look at the way banks implement processes. What this tells me is that to the banks this technology is so cutting edge, they have no idea how to deal with it at all, so they are just throwing a bunch of stuff together without a second thought really, until there is a disaster.
It IS surprising that nobody in a team raises these questions though, what exactly does it mean? It may mean that the vendors that the banks do have, are mobile app vendors and are not at all qualified to wo
Seriously, guys? (Score:4, Insightful)
Re: (Score:1)
These banks probably just did the thing all corporations do when they want results but offload all risk in getting those results: contract the work out.
Now they can just feign ignorance, disclaim liability, and move on because they have a contract with another entity that says everything is fine! It's like magic.
Re: (Score:1)
So, are these banks' websites just as bad, or did they actually manage to re-implement something worse than just wrapping their site in a suitable stylesheet and calling that 'an app'? If the latter, how do they look themselves in the mirror every morning?
Web group is probably internal while the iOS dev was probably shopped out to Rent-a-Coder, so the web app is probably safe. I should say that RaC was used as a generic example. Folks have gotten good work out of them. But do notice the number of times I used "probably".
these guys pushed the 4 digit pin (Score:5, Funny)
The banking people made the glory of the 4 digit decimal PIN authentication a universal standard.
I am sure they know all about very secure systems and the public domain.
Re: these guys pushed the 4 digit pin (Score:3)
That's why my pin is 9999!
Re: (Score:2)
I thought the 4-digit pin was designed strictly for use with a physical key, i.e. my bank card
Sure, it's easy to have a computer brute force the 10000 possible 4 digit strings ... but doing so while standing in front of an ATM might be a little more difficult, and look a bit suspicious, not to mention getting a copy of the physical key and using it before its owner realized it's missing
Re: (Score:2)
As AC pointed out, the magnetic strip can be copied... Very easily. I know someone who this happened to. Once they have that, they as good as have your pin, which is why your card should never ever leave your line of sight. Copying the key is as fast as swiping the card.
Re: (Score:2)
Here in the UK it's practically impossible to use the magnetic strip anymore, ever since we switched over to chip and PIN several years ago.
Re: (Score:2)
I also have a chip and pin, but it is interesting to note that most places here in South Africa will fall back to the magnetic strip if the chip doesn't read properly. The magnetic strip should go altogether. It is a horrible technology.
Re: (Score:3)
Re: (Score:2)
Hey, my bank's mobile app has state of the art security - they require a five digit PIN to use their mobile app!
My bank's app... (Score:3)
TD Canada Trust appears to not use case sensitive passwords or allow special characters. Try it with your password using UPPER, lower and MiXEd case.
Re: (Score:2)
Re: (Score:2)
Err, sorry, not specifically the app, their actual site. Case insensitive everywhere.
Authentication is either being done on a mainframe where things tend to be case insensitive or the system has to interface with a mainframe and the lowest common denominator prevails.
Re: (Score:2)
Re: (Score:2)
This right here is a bank that would instantly lose the privilege of holding my money for me.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We should start a company and get a few million on Kickstarter next week...
Re: (Score:2)
Re: (Score:2)
Oh shit - hold on - Scotiabank too - case insensitive!
Re: (Score:2)
Re: (Score:2)
Every time I see a website that won't allow special characters in passwords, I immediately assume that it's because they're using JavaScript to cover up lack of proper encoding on the way to a SQL database, and I treat the website accordingly, with the appropriate level of distrust. Just saying.
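The reasoning in that comment, as an added example that is not from the thread: a login check that pastes the password into the SQL text fails on a quote (the symptom a client-side character ban hides), while one that binds parameters and compares a salted hash accepts any character. The table layout, user name and sample password are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials (not from the thread); the password
# deliberately contains the characters such rules usually forbid.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "O'Brien\"; -- #1"
PBKDF2_ROUNDS = 100_000


def make_naive_db() -> sqlite3.Connection:
    """Plaintext password column: the schema that goes with string-built SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    return conn


def login_naive(conn: sqlite3.Connection, name: str, password: str) -> str:
    """Insecure: values are pasted into the SQL text, so a quote in the
    password changes the statement. Returns 'ok', 'denied' or 'sql-error';
    the last case is what a "no special characters" rule papers over."""
    sql = ("SELECT 1 FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "sql-error"
    return "ok" if row else "denied"


def make_safe_db() -> sqlite3.Connection:
    """Stores a salted PBKDF2 digest, never the password, via bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", SAMPLE_PASSWORD.encode("utf-8"), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (SAMPLE_USER, salt, digest))
    return conn


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened: the driver binds the '?' parameter, so the SQL text is fixed
    and every character in name or password is plain data; the digest is
    compared in constant time. Nothing about the character set needs limiting."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    naive, safe = make_naive_db(), make_safe_db()
    print("naive, correct password:", login_naive(naive, SAMPLE_USER, SAMPLE_PASSWORD))
    print("safe, correct password :", login_safe(safe, SAMPLE_USER, SAMPLE_PASSWORD))
    print("safe, apostrophe in name:", login_safe(safe, "o'connor", SAMPLE_PASSWORD))
```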
Re: (Score:2)
Re: (Score:1)
Not surprising, though my "bank" uses them for their online portal. It's somewhat robust, multiple factor authentication and such, though I haven't poked too hard, which is to say: at all.
That is shit. (Score:1)
20 years ago I got a C rather than an A in an assignment during my computing systems degree because I failed to fully validate a security in a 'secure' chat program (I did successfully encrypt and purge memory data, including not having page file info readable during unforeseen system power off - but certificate wise I only ensured compliance rather than check integrity IIRC). That was 20 years ago and I'm not a programmer.
Is this a case of young people being shit, managem
Re: (Score:3)
E: (all of the above)
You would be a fool (Score:1)
Mobile platforms do not have the AV protection that a full PC has, not to mention the spyware installed by the OEMs that disables many settings and shares all your data, easily able to get your keystrokes.
I am too paranoid to do so on a phone, not to mention Android has weak file system security and processes. It is not the full-blown Linux kernel you are used to on the desktop.
Re: (Score:1)
Really? AV protection is your trump card for using the PC? Rather than preventing system compromise, I'd say your system is compromised by the AV software.
If you think AV protection is of any use whatsoever, you are the fool.
Ahh the lie that gets repeated here so often therefore it must be true.
According to the professionals who certify AV software [av-test.org], I would say a good AV suite protects a PC from 98% of all exploits! That does not sound useless to me.
Avast does not degrade performance at all, and I would say you are the fool if you run without updates and do banking. Not me.
Re: (Score:2)
Security is layers. For all our firewalls, IDS sensors, SIEM correlation, and other efforts, it was the lowly endpoint security package and its alerts in its console that got our attention the last time we had an unannounced pen test.
A/V might not be the sexiest thing in computer security today, it might not even be very effective overall, but it's one more shot at detecting and stopping the bad guys and it can be a shot worth taking.
List of Vulnerable Banks / Bank Apps, Please? (Score:4, Insightful)
Which banks, please? Can we please have a list of which banks fail basic programming???
Re: (Score:1)
Agreed. This reporting is shoddy and not in the best interest of the public.
Re:List of Vulnerable Banks / Bank Apps, Please? (Score:5, Insightful)
While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.
Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.
More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.
So for everybody's sake, just cut the condescending attitude. Thanks.
Re: (Score:2)
When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves
No, that is not even close to a major problem. The big problem with software security is that it is usually an afterthought. Poor security does not impede the normal operation of software, so it is extremely common for management to de-emphasize or even ignore it completely. And then once the software is up and running, retrofitting security into a system is super-expensive, so the mindset becomes something like, "why fix a leaky roof if it isn't raining."
So no, the problem is rarely a case of security be
Re: (Score:2)
Yet... For some reason I'll bet the app from my cable company has much better security protecting their content than all of these bank apps put together.
Re: (Score:2)
Which banks, please? Can we please have a list of which banks fail basic programming???
While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.
Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.
More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.
So for everybody's sake, just cut the condescending attitude. Thanks.
Plus let's not make life any easier for thieves than it already is by providing them with a list of targets. The banks who have such crappy apps may deserve being taught a lesson but the customers whose bank accounts end up being raided don't since they can't be expected to have every bank they do business with vetted by a team of security and cryptographic experts.
Re: (Score:2)
They're just little HTML apps with a web wrapper, so of course they need to have a small `config.xml` file or the like stored somewhere that provides MySQL creds.
This isn't Nam, there are rules!
Re: (Score:2)
Sure, it's sloppy, but if, as the summary implies, those development credentials are for a sandbox server (presumably without any real financial or personal info on it), then it isn't nearly as bad as it sounds.
On the other hand, if there are administrative credentials for the production server....
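The hard-coded development credentials the summary describes as found by static analysis of the binaries, and the `config.xml` joke above, are what a secret scan of the build artifact catches before signing and release. Added example, not from the article or any bank's code: a minimal `strings`-style extractor plus two credential patterns run over a constructed byte blob; the hostnames, placeholder values and pattern list are assumptions.

```python
import re
from typing import List, Tuple

# Constructed stand-in for an app binary (not a real app): a header, junk
# bytes, and a few embedded strings of the kind static analysis pulls out.
# The credential values are obvious placeholders.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32))
    + b"https://api.example.invalid/v1/accounts\x00"
    + b'<config><db host="db.dev.example.invalid" user="appdev" '
      b'password="PLACEHOLDER_DEV_PASSWORD"/></config>\x00'
    + b"mysql://deploy:PLACEHOLDER_PW@10.0.0.5/bank\x00"
    + bytes(range(128, 160))
    + b"Balance\x00Transfer\x00password\x00"
)

# Runs of printable ASCII of 8+ bytes, the heuristic the `strings` tool uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")

# (finding label, pattern, regex group that holds the secret value)
CREDENTIAL_PATTERNS = [
    ("hard-coded secret",
     re.compile(r"(?i)\b(?:passw(?:or)?d|secret|api[_-]?key|token)\b\s*[=:]\s*[\"']?([^\s\"'<>/]{4,})"),
     1),
    ("credentials in URL",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@[^\s/]+"),
     1),
]


def extract_strings(blob: bytes) -> List[str]:
    """Pull printable runs out of the binary, as `strings` would."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def redact(text: str, match: "re.Match", group: int) -> str:
    """Mask the secret so the finding can be logged or ticketed safely."""
    start, end = match.span(group)
    return text[:start] + "***" + text[end:]


def scan_for_credentials(blob: bytes) -> List[Tuple[str, str]]:
    """Return (label, redacted string) for every embedded string that looks
    like a credential. A bare word such as 'password' on its own is not a hit;
    a value has to follow it, or a user:pass pair has to sit in a URL."""
    findings = []
    for s in extract_strings(blob):
        for label, pattern, group in CREDENTIAL_PATTERNS:
            m = pattern.search(s)
            if m:
                findings.append((label, redact(s, m, group)))
    return findings


def release_gate(blob: bytes) -> bool:
    """True when the artifact is clean; run this in the build before signing."""
    return not scan_for_credentials(blob)


if __name__ == "__main__":
    for label, where in scan_for_credentials(SAMPLE_BINARY):
        print(f"{label}: {where}")
    print("clean:", release_gate(SAMPLE_BINARY))
```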
I'm shocked. (Score:2, Funny)
So, which ones? (Score:1)
Maybe it's just me, but the article seems a little light on who they are referring to, aside from a vague reference to the countries of origin. While there's all sorts of legitimate ass-covering reasons not to mention any bank specifically, it makes it useless as a starting point for how we would do anything about it, such as demand improvements of these institutions.
At the least, I hope some private communication to the banks has taken place, though I'd understand if that hasn't happened. Some organization
The recommendations in TFA (Score:1)
I agree with all of them, except:
- Improve additional checks to detect jailbroken devices
- Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
These two will be useless, and easily defeated. "Slowing the progress of attackers" is a meaningless statement in this context. Jailbreak detection is easily tricked, or removed from the code by a jailbroken phone.
Aside from that, if you do all of the other things they suggest correctly (as should have been suggested to the programmers in CS 101), you shouldn't need these two.
Re: (Score:2)
Re: (Score:2)
Remind me to never to go camping with you.
Re: (Score:2)
Re: (Score:2)
It's still better to avoid the bear, and not think about your friend getting killed.
That's exactly the GP's complaint. They are recommending that a bank outrun the others (by procedures that'll reduce the overall security of the app users, be assured of that), instead of avoiding the bear.
Re: (Score:3)
Re: (Score:2)
And part of my argument is that they are worse than doing nothing.
Real people that can't make the application really secure also can't do those harder techniques in a way that does not create more security flaws. Also, if you are able to use proper security techniques, there's still no evidence that you'll be able to use those techniques correctly (because they are harder). And at the end of the day, those techniques cannot add any real security.
Yes, but (Score:1)
Fe Fi Fo Fum (Score:2)
What's Their Purpose? (Score:3)
Re: (Score:2)
There are some extra features such as depositing a check which involves plugging into the camera to take a picture of the front and back of said check.
Re: (Score:2)
"why someone needs a separate app to do their banking? "
My bank (in the Netherlands) requires a chip card and card reader for logging in and transactions (challenge/response system). That would be a pain to use with mobile banking; instead, they store the credentials in the phone, locked with a separate PIN and tied to the phone.
There are various security measures to reduce the chance of fraud, such as autologout upon switching to a different app (royal PITA if you need to copy/paste the account number, by the
That's terrible (Score:2)
That's terrible: mobile banking apps for iOS are woefully insecure, yet you folks are making fun of them. Poor little things, you're gonna make 'em cry. Is that really what you want? Can't you just leave 'em alone, you big bullies...?
Considering banks are shedding employees (Score:1)
Considering that banks are shedding employees like mad and only hiring temps, why is this surprising?
Will someone please stop the anti-jailbreaking BS? (Score:2)
The shit some alleged jour^h^h^h^h resear^h^h^h^h^h^h overpriced snake-oil salesmen and consultants keep spreading about the "risks" of allowing banking apps to run on jailbroken devices is getting old.
It's wrong, it's a lie, AND it's actively-harmful to the ultimate goal of banking security (fraud-prevention and losses).
There are exactly two things that would happen almost immediately if any major bank in the US with millions of customers tried to prevent customers from running its consumer banking app on
Re: (Score:2)
I'm sorry but you clearly have no idea what you're talking about. I'm going to talk about iOS jailbreak because that's what's interesting, Android devices are inherently less secure than iOS out of the gate so the conversation there is different.
The jailbreak defeats two primary security measures - the barriers protecting one app from another and the signature checking on the binary to confirm it hasn't been tampered with. If you are running on a jailbroken device it's trivially easy to hook the binary and
Re: (Score:2)
Re: (Score:2)
Not just the apps, other apps (Score:1)
I learned this lesson the hard way, back a couple revisions with the iPhone. I downloaded PayPal and logged in once, logged out. The very next day, someone stole a couple hundred $$. Clearly, one of the apps I had on the phone had a clever keylogger or other monitoring scheme that was running. Apple did everything to divest themselves of any liability or interest. So we have to be concerned about other apps' behavior and have "faith" (in the case of Apple) in the ability of organizations to pro