×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Mobile Banking Apps For iOS Woefully Insecure

Soulskill posted about 3 months ago | from the raise-your-hand-if-you're-surprised dept.

Security 139

msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

139 comments

feedback (5, Insightful)

Threni (635302) | about 3 months ago | (#45922185)

How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.

Re:feedback (1)

Anonymous Coward | about 3 months ago | (#45922441)

They'll need to work out whose fault it was

duh! it's apple's fault

Re:feedback (1, Interesting)

icebike (68054) | about 3 months ago | (#45923337)

Most of these banks are contracting mobile development out.

I would bet that 80% of these 60 banks are buying the same moderately customized app(s) from the same vendors.
I would also suspect there will be similar flaw with the android versions.

Given that most banks don't have any in-house mobile development, they are probably all descending on
the few vendors that wrote and customized these apps, an they will all get fixed about the same time.

Re:feedback (5, Interesting)

buddyglass (925859) | about 3 months ago | (#45923863)

I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.

Re:feedback (1)

Anonymous Coward | about 3 months ago | (#45924191)

On this security issue, I have had several discussions with the financial institutions holding my retirement savings regarding their websites requiring me to enable my pop-ups and javascript.

I have at numerous times been subject to deliberately crafted malware that often delays its mischief until I leave the site which gave it to me and shows up later. Some of it has been so robust that it survives reboots ( the "S.M.A.R.T. HDD virus was the last one I had that did this ) and required going back to a restore point to eradicate it.

I am quite aware of DNS poisoning, the ability to overwrite my URL bar with JavaScript, as well as all sorts of ways of presenting me with all sorts of believable pop-ups which demand reply. What does one do when managing large sums of money and this damned popup comes on and demands information and you suspect it may be bogus? Do you lie to it and possibly foul your account? Do you tell it the truth? Or is it easier in the long run to simply find another financial institution that takes online banking security a bit more seriously?

Problem is I moved my accounts to one who did not require JavaScript at the time I established my accounts, and now they do. I moved the accounts to them precisely because the institution my former employer set up for me insisted I run JavaScript. I have not found another institution that does not insist I run JavaScript. For the time being, being the brokerage has branch offices, I conduct my business personally at the counter instead of through the net, as I have concerns my machine ( albeit Microsoft Security Essentials claims its virus-free ) is infected with something they do not know about, All too many times I have to reboot because something is taking up all my CPU and sure sending/receiving a lot of data onto the net. Closing everything does not recover the system. It often takes a reboot to clear it.

Wireshark lets me know its happening, but due to all the software secrecy, I have no idea what is really going on... is this some security hole or some flash update? I have no way of knowing. I only see the packets. I do not get logs of which files were accessed. So, I lose trust.

I am quite aware of the existence of "botnets" and ways scripting languages can be used to make extremely convincing mimics of a business websites. I always end up having to talk to some highly paid suit-wearing handshake guy who seems to see me as Dale Gribble ( "King of the Hill animated TV series ). These people work themselves high enough up that they seem immune to things like malware, and have grown quite comfortable in simply having people sign away any liabilities with hold harmless talk.

I am of the impression that foreign entities ( not hackers per se, but governmental interests ) are collecting massive databases on botnets and people doing business with financial institutions via internet so that at any given time they can unleash a fury of buy/sell orders using infected machines operating under credentials of their users. Just to create havoc in the markets and a strong distrust of the banking system. This little showdown is going to be quite a surprise for a lot of people counting on retirement accounts.

The problem I face is just how to get a high level banking executive to take me seriously... they seem to think everything can be handled with a phone call to their legal department. As a "little guy", I do not have a lot of other peoples resources at my disposal and I end up taking a lot of personal responsibility for what I do, but who is going to stand up to a multi-millionaire business executive and demand personal accountability?

They get all this one-sided law passed which gives them the right to go after others, while also holding themselves harmless for their own transgressions. The most egregious in my mind being all this software copyright law which makes it illegal to reverse assemble/decompile software, yet holds the same entity harmless should his product have security malfunctions. Why is it drug companies have to reveal exactly what is in their product in order to receive patent protection, but software companies can shroud themselves in secrecy, enjoying the protection of patent? If its not publicly revealed for public scrutiny, why is it not anything more than a "trade secret"? And another thing, why does not the enforcement of the right to forbid others to decompile come with the unmitigated responsibility for malfunctions? We do not let drug companies present us with doses of unknown chemicals and claim it does one thing, then hold them harmless when it is later discovered the drug has some rather nasty side effects.

I feel we are heading for something like the religious priests had on us in the middle ages where the power was given to a few men who wore pointy hats to "excommunicate" any individuals who dared challenge their authority, except in this case, its our machines which will be excommunicated. I wish so much for us to adopt a "public" OS, a simple OS which anyone with an interest in it could completely understand. Linus has done his damndest to make one for us, but as a public, we have dropped the ball because everyone wants someone else to do all the thinking for them.

Re:feedback (1)

buddyglass (925859) | about 3 months ago | (#45924223)

I've banked online for a while now and have never had any sort of JS based attack. Ran XP for a long time and OS X for the past couple years. Firefox on both platforms.

Re:feedback (0)

Anonymous Coward | about 3 months ago | (#45924307)

I have not had a JavaScript attack while banking - yet.

I am just afraid of one.

Same reason I try to steer clear of the "bad area" of town. I may have not been mugged yet, but I see that kind of stuff going on and feel its in my best interest to stay clear of it.

My machine doing stuff that is unknown to me does little to bolster my trust, same with previous experiences with hostile code that I picked up from God-knows-where.

Its not the bank I don't trust. Its my own machine I do not trust.

( same AC you replied to )

Re:feedback (0)

Anonymous Coward | about 3 months ago | (#45923463)

interesting.

You Must Be Crazy ... (4, Interesting)

jasnw (1913892) | about 3 months ago | (#45922225)

... to bank from your cellphone. Call me paranoid and old-fashioned (I admit to being both), but if I do on-line banking at all I do it from my own home computer on a wired LAN. OK, so I can't do all the wild-and-crazy things these mobile banking apps allow, but I also am likely to have my money in my bank in my account at the end of the day and not in a bank account in Siberia somewhere.

Re:You Must Be Crazy ... (4, Interesting)

Anonymous Coward | about 3 months ago | (#45922259)

I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.

Re:You Must Be Crazy ... (5, Interesting)

0123456 (636235) | about 3 months ago | (#45922281)

Who's writing keylogging malware for CentOS?

Re:You Must Be Crazy ... (1)

Nutria (679911) | about 3 months ago | (#45922339)

My kingdom for some mod points!

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45922579)

My kingdom for some mod points!

I accept your offer. What moderation would you like applied to the above post?

Re: You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45923425)

You know his kingdom consists of that 1 /. post right?

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45923681)

That's not how it works. You need to make informative or interesting posts to get mod points.

Re:You Must Be Crazy ... (3, Informative)

burne (686114) | about 3 months ago | (#45922393)

No need to, it's built into the OS. It even has a nice cli to handle starting, stopping and logging. ttysnoop.

However, getting sufficient permissions is the hard bit, especially for a remote attacker.

It's in the repo (2, Funny)

Anonymous Coward | about 3 months ago | (#45922419)

Try "yum install logkeys"

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45922625)

Who's writing keylogging malware for CentOS?

Home computer. Not server.

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45922923)

That is my home computer, you insensitive clod!

And my laptop...and the gf's laptop...and my sister's PC...and my Mommy's PC (hi Mom!)...and so on and so on. CentOS is a nice distro that doesn't wang out into left field every six months. Plus I get familiar with "big iron Linux" distro and so I'm better at work.

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45922681)

It's part of the OS, all you need is a bad browser and a bad kernel version and you're into dangerous territory quite quickly.

Re:You Must Be Crazy ... (2)

S.O.B. (136083) | about 3 months ago | (#45923023)

Who's writing keylogging malware for CentOS?

That's just what the NSA wants you to think.

Re:You Must Be Crazy ... (3, Insightful)

icebike (68054) | about 3 months ago | (#45923363)

The government already has access to my bank account. They don't need to break into my computer to get it.
.

(Not discounting they might have broken into my computer for some other reasons).

Re:You Must Be Crazy ... (1)

TubeSteak (669689) | about 3 months ago | (#45923905)

The government already has access to my bank account. They don't need to break into my computer to get it.

They'd be interested in your password though.
Either in case you re-use it elsewhere or to help them guess the type of passwords you'd use for other accounts.

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45924585)

The government already has access to my bank account. They don't need to break into my computer to get it. .

(Not discounting they might have broken into my computer for some other reasons).

They also already have access to your income info. Yet we cannot opt out of reporting taxes to let them calculate basic stuff year after year...the world^Wusa would be better without #taxday disruptions

Re:You Must Be Crazy ... (1)

icebike (68054) | about 3 months ago | (#45923345)

I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.

You's argue that, but according to this article you's be dead wrong.

Really, how many people do you have running through your house that you need to worry about a key-logger?

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45923457)

Keyloggers are usually remotely installed via the use of exploits in the browser and/or plugins. You don't need anyone coming into your house.

Let's compare apples to apples; if you access your bank using a non-jailbroken iOS device using Safari, that's going to be a lot more secure than any desktop browser.

Yes, the article does a good job uncovering bad decisions in app development. But that doesn't change the fact that the attack surface on a PC is a LOT larger.

Re:You Must Be Crazy ... (1)

icebike (68054) | about 3 months ago | (#45923575)

Let's compare apples to apples; if you access your bank using a non-jailbroken iOS device using Safari, that's going to be a lot more secure than any desktop browser.

Perhaps if by "desktop browser" you mean old versions of windows, you might be right.
My browsers run in a sandbox, and I also only access my bank from Linux.

Re:You Must Be Crazy ... (1)

Miamicanes (730264) | about 3 months ago | (#45923787)

Let's compare apples to apples; if you access your bank using a non-jailbroken iOS device using Safari, that's going to be a lot more secure than any desktop browser.

Only if you're literally comparing (mobile) Apples(tm) to (desktop) Apples(tm).

Unlike OSX, iOS, and Safari, recent versions of Windows (when used with recent versions of IE to access web sites with recent SSL3/TLS implementations) successfully mitigate BEAST attacks, and can safely use CBC cipher suites. Apple hasn't bothered, so Safari is stuck with RC4.

Re:You Must Be Crazy ... (1)

mikehilly (653401) | about 3 months ago | (#45923623)

I only do my online banking from a PC that is disconnected from all Internet access! No chance for any key-logger to send back data :)

Re:You Must Be Crazy ... (0)

ediron2 (246908) | about 3 months ago | (#45923729)

You say 'disconnected from all internet' but as Inigo said, I don't think it means what you think it means. How about 'all other internet'?

Re:You Must Be Crazy ... (1)

93 Escort Wagon (326346) | about 3 months ago | (#45924057)

The idea that jailbreaking makes a device less secure seems rather silly. The vulnerabilities are there, either way. It comes down to what you, the user, do with the device - and that's true regardless of its jailbroken status.

Also, the argument from the article that not detecting jailbroken devices is bad is also silly - it's not like that's particularly hard to circumvent. All it would accomplish is to inconvenience legitimate customers.

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45922641)

..or you know, you could just not keep much money on that account and have the bank remove any overdraft facility in place...

Re:You Must Be Crazy ... (1)

Runaway1956 (1322357) | about 3 months ago | (#45923627)

That is exactly what I do. If there is no money to steal, the bad guys cannot get it. Only twice in 2013 was there more than $100 in the account that I use online. Most of the time, there is only about $10 in that account. I put money in when I intend to spend it, I spend it, and the account is nearly empty again. No hacker anywhere has had an opportunity to steal $5,000 from that account.

If Mom keeps a cookie jar on the counter, and only ever puts two cookies at a time in it, then you can't steal more than two cookies at a time.

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45922657)

I call you crazy for having a bank that doesn't guarantee to it's customers the safety of their money through the fault of the bank.

My bank's online and mobile banking agreements put the customer first, if my account is compromised as a result of neglegance on their part - i'm reimbursed for the total damages of my loss.

My creditcard (mastercard), similar features - if my credit card is used by an unauthorised source, and they're notified within 30 days - I can claim up to $1000 in damages to be returned. Mind you, this incurs a fixed surchage (on top of the mastercard surchages) in our country, but lucky me - this is passed onto the business running the transaction, not the customer.

Perhaps I'm just in a country that's tough on banks, and they're forced into this without them 'wanting' to...

Re:You Must Be Crazy ... (0)

Anonymous Coward | about 3 months ago | (#45924247)

I would be hard pressed to say the bank would be negligent, By and large, they seem pretty secure.

I would venture to say that my greatest fear is a botnet client, whose existence to me is unknown, is quietly lurking in my machine, waiting for the day to be woken up by its master, and instructed to wreck mayhem for me at the bequest of its master, using my credentials.

Re:You Must Be Crazy ... (1)

buddyglass (925859) | about 3 months ago | (#45924087)

If I handed you my phone w/ the app loaded and me logged in there's still not much damage you could do. You could transfer money between my accounts. You could deposit checks into my accounts. You could potentially pay my bills if I had payees already configured. (Typically you can't configure new payees via the app.) So you could inconvenience me, but you couldn't take any of my money for yourself or even get my full account number(s) since those are masked prior to being sent to mobile clients. Certainly your poring over my transaction history would be an invasion of privacy, but that's not quite the same as having one's money sent to a bank account in Siberia.

Relying on internal 'talent' (2)

roman_mir (125474) | about 3 months ago | (#45922255)

Banks are normally quite process oriented, so in this case I imagine the problem is that the technology is too new for the banks to have a good enough process to cope with the changes and the banks are very rigid about their process where it comes to allowing in new specialist vendors. I am dealing with this on daily basis, for a small company dealing with banks is extremely difficult. I am not even blaming anybody, it's the management necks that are on the line and more often than not, management is not in the position to make sound judgement calls about the technology side of the business, so going with the known quantities is always easier than taking a risk to go with someone new.

OTOH given the nature of the business, if I were in charge of a bank, in case where dealing with new technologies, I would hire at least two different companies to work out their solutions (pay them, by the way) and then hire an auditor company to check the solution and then based on the better solution keep the better vendor.

Re:Relying on internal 'talent' (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#45922409)

What surprises me is that TFA mentioned multiple cases of things like failure to validate SSL certs, use of unencrypted assets rendered by the app in ways that could be spoofed dangerously, and similar stuff that wouldn't have gotten past their web people; but apparently are A-OK because it isn't a web browser, it's an 'app' wrapped around the UIWebView class!

The other things they mention, assorted attacks or failures to mitigate against an attacker with priviledged access to the system, aren't good; but they are both less dangerous (at least to people running stock iOS) and more novel and platform-specific. The first class of bugs, though, should have been solved a decade or more ago when they started dabbling in this 'web' stuff.

Re:Relying on internal 'talent' (1)

roman_mir (125474) | about 3 months ago | (#45923181)

It is surprising if you don't look at the way banks implement processes, what this tells me is that to the banks this technology is so cutting edge, they have no idea how to deal with it at all, so they are just throwing a bunch of stuff together without a second though really, until there is a disaster.

It IS surprising that nobody in a team raises these questions though, what exactly does it mean? It may mean that the vendors that the banks do have, are mobile app vendors and are not at all qualified to work for banks, they have no experience in banking. It also may mean that the phone apps are a very very cheap afterthought, but it may prove disastrous to treat them that way, because really, there is no difference between using a banking web interface (which are normally fairly well protected) and phone apps.

It's a case of lack of process, lack of experience on the part of the developers who are charged with these phone apps, lack of understanding on the part of the banks what is happening, maybe lack of real interest for these apps.

Seriously, guys? (3, Insightful)

fuzzyfuzzyfungus (1223518) | about 3 months ago | (#45922267)

So, are these banks' websites just as bad, or did they actually manage to re-implement something worse than just wrapping their site in a suitable stylesheet and calling that 'an app'? If the latter, how do they look themselves in the mirror every morning?

Re:Seriously, guys? (0)

thoth (7907) | about 3 months ago | (#45922997)

These banks probably just did the thing all corporations do when they want results but offload all risk in getting those results: contract the work out.

Now they can just feign ignorance, disclaim liability, and move on because they have a contract when another entity that says everything is fine! It's like magic.

these guys pushed the 4 digit pin (5, Funny)

RichMan (8097) | about 3 months ago | (#45922283)

The banking people made the glory of the 4 digit decimal PIN authentication a universal standard.
I am sure they know all about very secure systems and the public domain.

Re:these guys pushed the 4 digit pin (0)

Anonymous Coward | about 3 months ago | (#45922485)

I have had a 6-digit pin since 2001.

Re:these guys pushed the 4 digit pin (0)

Anonymous Coward | about 3 months ago | (#45922873)

I'm really glad that your pin is more secure, but there are only a full 1 million possible combinations for your pin. Not exactly much harder to brute force in an offline attack.

Re:these guys pushed the 4 digit pin (1)

jxander (2605655) | about 3 months ago | (#45923203)

I thought the 4-digit pin was designed strictly for use with a physical key, i.e. my bank card

Sure, it's easy to have a computer brute force the 10000 possible 4 digit strings ... but doing so while standing in front of an ATM might be a little more difficult, and look a bit suspicious, not to mention getting a copy of the physical key and using it before it's owner realized it's missing

Re:these guys pushed the 4 digit pin (0)

Anonymous Coward | about 3 months ago | (#45923255)

your physical key has a magnetic strip that can be copied.

Suddenly the physical key is a lot more virtual...

Re:these guys pushed the 4 digit pin (1)

inasity_rules (1110095) | about 3 months ago | (#45924587)

As AC pointed out, the magnetic strip can be copied... Very easily. I know someone who this happened to. Once they have that, they as good as have your pin, which is why your card should never ever leave your line of sight. Copying the key is as fast as swiping the card.

Mobile Banking Apps Woefully Insecure (0)

Anonymous Coward | about 3 months ago | (#45922285)

Fixed that for you.

My bank's app... (2)

grub (11606) | about 3 months ago | (#45922289)


TD Canada Trust appears to not use case sensitive passwords or allow special characters. Try it with your password using UPPER, lower and MiXEd case.

Re:My bank's app... (1)

grub (11606) | about 3 months ago | (#45922303)

Err, sorry, not specifically the app, their actual site. Case insensitive everywhere.

Re:My bank's app... (1)

Fnord666 (889225) | about 3 months ago | (#45922677)

Err, sorry, not specifically the app, their actual site. Case insensitive everywhere.

Authentication is either being done on a mainframe where things tend to be case insensitive or the system has to interface with a mainframe and the lowest common denominator prevails.

Re:My bank's app... (1)

grub (11606) | about 3 months ago | (#45923065)

Yeah I know, but it is 2014. Surely even a conservative business like a bank could use case sensitivity. They don't even allow special characters and have a limited size (8 chars iirc)

Re:My bank's app... (1)

jxander (2605655) | about 3 months ago | (#45923215)

This right here is a bank that would instantly lose the privilege of holding my money for me.

Re:My bank's app... (1)

iONiUM (530420) | about 3 months ago | (#45923029)

Well I'll be damned.. you're right! Fuck TD. I've always hated them. I tried CIBC but it is indeed case sensitive. Good find.

Re:My bank's app... (1)

iONiUM (530420) | about 3 months ago | (#45923061)

As an additional note, the fact that it auths with non case sensitive pw means that they aren't hashing the passwords either......... it's either plain text or encrypted.... god forbid someone runs a brute force attack, because it's going to be pretty damn easy.

Re:My bank's app... (1)

grub (11606) | about 3 months ago | (#45923075)

Holy smokes, I never thought of that. Good catch!
We should start a company and get a few million on Kickstarter next week... ;)

Re:My bank's app... (1)

immaterial (1520413) | about 3 months ago | (#45923245)

Or they normalize your password to lowercase/uppercase before testing against the hash, which they created the same way.

Re:My bank's app... (1)

rueger (210566) | about 3 months ago | (#45923257)

Whew! I'm glad I'm with Scotiabank, who just this month is forcing everyone to answer a bunch of "Mother's Maiden Name" type "security" questions.....

Oh shit - hold on - Scotiabank too - case insensitive!

Re:My bank's app... (1)

rueger (210566) | about 3 months ago | (#45923271)

Passwords are not case sensitive and can't include special characters (e.g., #, %, etc.). Passwords must be 8-16 characters long and contain at least one number and letter. - be 8 to 16 characters long - use at least one number and one letter - not include spaces or special characters (e.g., #, %, etc.)

Re:My bank's app... (1)

dgatwood (11270) | about 3 months ago | (#45924127)

Every time I see a website that won't allow special characters in passwords, I immediately assume that it's because they're using JavaScript to cover up lack of proper encoding on the way to a SQL database, and I treat the website accordingly, with the appropriate level of distrust. Just saying.

Fiserv is to blame (0)

Anonymous Coward | about 3 months ago | (#45922297)

I suggest that everyone look in to a terrible company called Fiserv [fiserv.com]. Their terrible products have brought the financial institution for which I work to its knees a number of times. Like the time when their mobile app update was so poorly tested that it hosed a relatively new, Enterprise Class System z mainframe with piles of unnecessary host calls.

Re:Fiserv is to blame (1)

raind (174356) | about 3 months ago | (#45922545)

Not surprising, though my "bank" uses them for their online portal, it's somewhat robust, multiple factor authentication and such, though I haven't poked to hard, which is to say; at all.

That is shit. (1)

zacherynuk (2782105) | about 3 months ago | (#45922305)

But not surprising. Sadly.

20 years ago I got a C rather than an A in an assignment during my computing systems degree because I failed to fully validate a security in a 'secure' chat program (i did successfully encrypt and purge memory data, including not having page file info readable during unforeseen system power off - but certificate wise I only ensured compliance rather than check integrity iirc) . That was 20 years ago and I'm not a programmer.

Is this a case of young people being shit, management being shit, HR being shit or the industry as a whole now being shit ?

Re:That is shit. (2)

spatley (191233) | about 3 months ago | (#45922383)

E: (all of the above)

Yep (0)

Anonymous Coward | about 3 months ago | (#45922515)

It is all of the above.

Technology may be created by geniuses, but implemented by fools.

You would be a fool (0)

Billly Gates (198444) | about 3 months ago | (#45922335)

Mobile platforms do not have the AV protection that a full PC has not to mention the spyware installed by the OEMs disable many settings and shares all your data easily able to get your keystrokes.

I am too paranoid to do so on a phone not to mention Android has weak file system security and processes. It is not a full blown linux kernel you are used too on the desktop

Re:You would be a fool (0)

Anonymous Coward | about 3 months ago | (#45922399)

Really? AV protection is your trump card for using the PC? Rather than preventing system compromise, I'd say your system is compromised by the AV software.

If you think AV protection is of any use whatsoever, you are the fool.

Re:You would be a fool (0)

Billly Gates (198444) | about 3 months ago | (#45922415)

Really? AV protection is your trump card for using the PC? Rather than preventing system compromise, I'd say your system is compromised by the AV software.

If you think AV protection is of any use whatsoever, you are the fool.

Ahh the lie that gets repeated here so often therefore it must be true.

According to the professionals who certify AV software [av-test.org] I would say a good AV suite protects a PC 98% of all exploits! That does not sound useless to me.

Avast does not degrade performance at all and I would say you are the fool if you run without updates without and do banking. Not me.

Re:You would be a fool (1)

DarkOx (621550) | about 3 months ago | (#45922643)

Security is layers. For all our firewalls, ids sensors, seim correlation, and other efforts it was the lowly endpoint security package and it's alerts in it's console that got our attention the last time we had an unannounced pen test.

A/v might not be the sexiest thing in computer security today, it might not even be very effective overall but it's one more shot at detecting and stopping the bad guys and it can be a shout worth taking.

Re:You would be a fool (0)

Anonymous Coward | about 3 months ago | (#45922727)

I don't know the professional group you refer to, so the following should not be taken as a direct criticism against them or as any indication that I have any specific knowledge about them. This is just my opinion.

It seems to me that a group of people whose income and existence depends on the survival of an industry they analyze may be less than partial when analyzing that industry.

Allow me to use a banking analogy - credit rating agencies. These agencies certify financial institutions by analyzing them and providing recommendations. They might make the claim that a AAA rated institution or instrument is immune from 98% of all market downturns!

Yet we know how this works in reality. The fallout from the GFC proved that these rating agencies were on the take, being offered incentives for bumping up the ratings that were issued, and even using higher ratings as a bargaining chip once financial institutions realized they could shop around for a better rating. The issued ratings thus did not reflect the real underlying risk of the instruments. Trusting the issued ratings was a mistake because they were not made in good faith. This, by the way, practically destroyed the world economy, in case you'd forgotten.

I would hope the GFC taught us all to be a little more circumspect when trusting the results of an analysis conducted by the very industry being analyzed. Do you know this group personally? (No.) What reason do you have to trust them? (None.)

Since I don't know them, I can only go by my instincts as to what I feel about the AV industry as a whole. The AV industry is built on fear mongering and borderline extortion. Download our software, pay us $50 a month, or YOUR COMPUTER IS AT SERIOUS RISK OF HARMFUL INFECTION AND EXPLOSION! And now, THE BANKS WILL STEAL ALL YOUR MONIES!

If that's your cup of tea, go for it. I am more than comfortable with my choice.

Don't worry (0)

Anonymous Coward | about 3 months ago | (#45922357)

They authenticate by sending an access code via text message to the phone.

Wait...

List of Vulnerable Banks / Bank Apps, Please? (3, Insightful)

IonOtter (629215) | about 3 months ago | (#45922377)

Which banks, please? Can we please have a list of which banks fail basic programming???

Re:List of Vulnerable Banks / Bank Apps, Please? (1)

Anonymous Coward | about 3 months ago | (#45922471)

Agreed. This reporting is shotty and not in the best interest of the public.

Re:List of Vulnerable Banks / Bank Apps, Please? (5, Insightful)

Anonymous Coward | about 3 months ago | (#45922529)

While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.

Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.

More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.

So for everybody's sake, just cut the condescending attitude. Thanks.

Re:List of Vulnerable Banks / Bank Apps, Please? (0)

Anonymous Coward | about 3 months ago | (#45923039)

I'm sorry, but 30% of the apps they tested HARDCODED credentials, in some cases BANK ADMINISTRATIVE CREDENTIALS - into the app.

That's the most basic fail of all.

Re:List of Vulnerable Banks / Bank Apps, Please? (1)

pspahn (1175617) | about 3 months ago | (#45923325)

They're just little HTML apps with a web wrapper, so of course they need to have a small `config.xml` file or the like stored somewhere that provides MySQL creds.

This isn't Nam, there are rules!

Re:List of Vulnerable Banks / Bank Apps, Please? (1)

dgatwood (11270) | about 3 months ago | (#45924157)

I'm sorry, but 30% of the apps they tested HARDCODED credentials, in some cases BANK ADMINISTRATIVE CREDENTIALS - into the app.

Sure, it's sloppy, but if, as the summary implies, those development credentials are for a sandbox server (presumably without any real financial or personal info on it), then it isn't nearly as bad as it sounds.

On the other hand, if there are administrative credentials for the production server....

Re:List of Vulnerable Banks / Bank Apps, Please? (1)

Jherek Carnelian (831679) | about 3 months ago | (#45923417)

When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves

No that is not even close to a major problem. The big problem with software security is that it is usually an afterthought. Poor security does not impeded the normal operation of software, so it is extremely common for management to de-emphasize or even ignore it completely. And then once the software is up and running, retrofitting security into a system is super-expensive so the mindset becomes something like, "why fix a leaky roof if it isn't raining."

So no, the problem is rarely a case of security being deceptively easy, it is a case of bean-counters not assigning enough beans to the effort.

Re:List of Vulnerable Banks / Bank Apps, Please? (1)

EETech1 (1179269) | about 3 months ago | (#45923871)

Yet... For some reason I'll bet the app from my cable company has much better security protecting their content than all of these bank apps put together.

Re:List of Vulnerable Banks / Bank Apps, Please? (0)

Anonymous Coward | about 3 months ago | (#45922959)

I'm not saying that I have checked because I haven't. However this information disclosure may be the best the study authors can do for now. They have to give the banks some reasonable period of time to correct the issues.

Now given "...most of the banks have been informed and none [have] provided feedback...", it seems that that the first timeline has been breached. The reviewers are probably wrestling with what to do next.

This subject is a subset of disclosing bugs in any software, what the responsibilities are, who needs to be informed, what timelines are appropriate, and so forth. It's not as easy as some seem to think. There are moral and ethical issues at work. Nor is it easy, as an outsider, to know what internal issues the banks are dealing with.

I'm glad that someone, presumably with a white hat, is looking. However they have opened Pandora's box and now have to deal with it. Good luck!

I'm shocked. (2, Funny)

Alex Meyer (3424249) | about 3 months ago | (#45922397)

Banks doing something insecure? What's next? The government capturing all internet traffic in the name of stopping terrorism?

So, which ones? (1)

Anonymous Coward | about 3 months ago | (#45922467)

Maybe it's just me, but the article seems a little light on who they are referring to, aside from a vague reference to the countries of origin. While there's all sorts of legitimate ass-covering reasons not to mention any bank specifically, it makes it useless as a starting point for how we would do anything about it, such as demand improvements of these institutions.

At the least, I hope some private communication to the banks has taken place, though I'd understand if that hasn't happened. Some organizations tend to shoot the messenger.

The recommendations in TFA (1)

aviators99 (895782) | about 3 months ago | (#45922505)

I agree with all of them, except:

- Improve additional checks to detect jailbroken devices
- Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary

These two will be useless, and easily defeated. "Slowing the progress of attackers" is a meaningless statement in this context. Jailbreak detection is easily tricked, or removed from the code by a jailbroken phone.

Aside from that, if you do all of the other things they suggest correctly (as should have been suggested to the programmers in CS 101), you shouldn't need these two.

Re:The recommendations in TFA (1)

buddyglass (925859) | about 3 months ago | (#45923915)

If you and your buddy are being chased by a bear you don't have to outrun the bear; you just have to outrun your buddy. Which is to say sometimes it's helpful to make it a sufficiently big PITA for a malicious party to hack your app relative to the effort required to hack someone else's. Someone who really wants to rob me will get past my locked door, but I still lock the doors to my house.

Yes, but (1)

Coditor (2849497) | about 3 months ago | (#45922655)

As an iOS programmer (not at a financial company but we do ecommerce) I would be surprised that the banks did not use Veracode to analyze their binaries. Veracode isn't perfect but even for us it finds a number of these issues. But statically analyzed security issues found by a researcher are not always exploitable in real life. It's very likely that the bank could have security on the API side that would validate anything the client did that would not be visible on a client only analysis. As with Veracode where we get a lot of red herrings, what looks wrong statically might not actual be an issue. Then again I worked at a banking company once before the mobile era and their software truly sucked.

What's Their Purpose? (2)

organgtool (966989) | about 3 months ago | (#45922855)

Can someone please explain to me why someone needs a separate app to do their banking? As a matter of fact, can anyone explain why we need most of the apps that are just poor rewrites of web sites? Why not make a good mobile version of the web site that users can bookmark as icons on their home screen and call it a day?

Re:What's Their Purpose? (1)

Riddler Sensei (979333) | about 3 months ago | (#45923481)

There are some extra features such as depositing a check which involves plugging into the camera to take a picture of the front and back of said check.

That's terrible (1)

TheloniousToady (3343045) | about 3 months ago | (#45922877)

That's terrible: mobile banking apps for iOS are woefully insecure, yet you folks are making fun of them. Poor little things, you're gonna make 'em cry. Is that really what you want? Can't you just leave 'em alone, you big bullies...?

Cost benefit (0)

Anonymous Coward | about 3 months ago | (#45922913)

If may be hard to believe but banks actually estimate losses due to poorly designed software versus say internal frauds and allocate development funds accordingly. Theft, inventory shrinkage, old fashioned embezzlement are commonplace occurrences so it is a mistake to imagine insecure software is the center of banking crimes. While programmers imagine software is the center of the universe, in finance it is the employees who rob the banks blind

Considering banks are shedding employees (1)

WillAffleckUW (858324) | about 3 months ago | (#45922921)

Considering that banks are shedding employees like mad and only hiring temps, why is this surprising?

My favorite is the insecure passwords... (0)

Anonymous Coward | about 3 months ago | (#45922983)

My bank allows alpha numerics only. No special characters.

And I discovered that it disregards case. I can type it with any of the letters capital or lowercase however I want, it accepts it all the same.

Then there was my previous bank. If you wanted to log in to your credit card account from a computer that didn't have the authentication cookie already you were sent to a single page that asked for: Full account number, verification code from the back of the card, expiration date, full social security number, and a few other things I'm forgetting now. I thought for sure I had been forwarded to a hacked page and called them to verify. The person sighed and went "yeah, that's our real page..."

Will someone please stop the anti-jailbreaking BS? (1)

Miamicanes (730264) | about 3 months ago | (#45923267)

The shit some alleged jour^h^h^h^h resear^h^h^h^h^h^h overpriced snake-oil salesmen and consultants keep spreading about the "risks" of allowing banking apps to run on jailbroken devices is getting old.

It's wrong, it's a lie, AND it's actively-harmful to the ultimate goal of banking security (fraud-prevention and losses).

There are exactly two things that would happen almost immediately if any major bank in the US with millions of customers tried to prevent customers from running its consumer banking app on jailbroken/rooted hardware:

1. It'll be treated like copy protection, cracked within days, and released online almost immediately... and 15 minutes later, copies with injected malware will be getting aggressively posted online in ways that will make Google rank them high in the search results.

2. Depending on the size of the bank, there will be one or more open-source reverse-engineered banking apps (probably spoofing a desktop browser and doing screen-scraping if necessary) on Github, Sourceforge, and other sites... until the bank tries to get them taken them down at lawyerpoint, they go underground (or get modularized in ways that make them impossible for lawyers to attack directly), and someone manages to slip a subtle trojan into it somehow, or malware authors start distributing precompiled copies with their own special payloads.

Just wait until some major American bank decides to try blocking their app from jailbroken/rooted devices. When it happens, grab a big bowl 'o popcorn, and watch the fun at XDA & Github.

A banking app running on a jailbroken/rooted device is NO LESS SECURE than the same bank's webapp would be if the same user went to it with the same phone (possibly setting it to spoof a desktop browser).

Any app that genuinely depends upon not being able to install from iTunes/Google Play on jailbroken/rooted hardware for security DESERVES to get pwn3d in the worst and most publicly-humiliating way possible.

Pin the certificates? Sure. The only people who'll notice or care are attackers, and they're going to decompile the program and rip it apart anyway. Obfuscate the code? Sure, have fun. Once again, nobody besides attackers will notice or care.

The moment you try to exclude users with jailbroken/rooted phones, you've instantly broken the app for a small, but very loud & opinion-influencing group of users who aren't the least bit shy about taking matters into their own hands AND have the technical skills to pull it off. If you're a major American bank with tens of millions of customers, the LAST thing you want to do unless you're completely insane is motivate a few thousand of them to become casual weekend hackers so they can check their bank account balance on their phone.

Re:Will someone please stop the anti-jailbreaking (1)

radish (98371) | about 3 months ago | (#45923929)

I'm sorry but you clearly have no idea what you're talking about. I'm going to talk about iOS jailbreak because that's what's interesting, Android devices are inherently less secure than iOS out of the gate so the conversation there is different.

The jailbreak defeats two primary security measures - the barriers protecting one app from another and the signature checking on the binary to confirm it hasn't been tampered with. If you are running on a jailbroken device it's trivially easy to hook the binary and essentially make it do whatever you want, and it's doing so with the credentials of the legitimate user. So as a simple example for a banking app, I could modify the binary to wait for you to login successfully, then email me your credentials and transfer a couple thousand $ to my account. If I can get physical access to your device I can install it in seconds, if not maybe I can persuade you to download it from Cydia. The server side would not know this wasn't legit, and you wouldn't know it was happening and the device wouldn't have any way to prevent it. That entire class of attack is made basically impossible on a stock device - the app is signed by the publisher and if you start tinkering it'll fail to execute.

Now as you mention I could obfuscate the code, that'll slow down someone trying to hook it but it won't stop a determined attacker. I could pin certs, but again if the device is jailbroken I can just replace the certs with my own. For the same reason it's impossible to really secure a general purpose computer that doesn't use something like secure boot it's impossible to guard against attackers if you're app is running on a jailbroken device - you can't trust the underlying OS and you can't even trust your own binary - you're screwed.

The very first thing anyone writing an app which has security concerns needs to do is figure out an effective jailbreak detect. It's not an exact science, and no detection routine will be perfect, but it's the number one most significant defense.

Re:Will someone please stop the anti-jailbreaking (1)

buddyglass (925859) | about 3 months ago | (#45924149)

If you're capable of inserting code to intercept credentials and email them somewhere then why can't you just excise the jail break detection code? Seems like this probably isn't the sort of attack jailbreak detection is designed to prevent. I'm instead imagining a scenario where a user's OS has been modified w/o his or her knowledge in such a way that it snoops on legitimate unmodified apps. Maybe the user bought the device used from "some guy at the car wash". He then proceeds to install his banking app. If the app doesn't detect the jail break and happily runs as normal then the user gets snooped on by the modified OS code. If the app instead detects the jail break and exits immediately then the snoop code never gets the chance to do its thing.

Re:Will someone please stop the anti-jailbreaking (1)

buddyglass (925859) | about 3 months ago | (#45923935)

My employer is considering offering our customers (banks) the option of turning on code in our apps that attempts to detect a jail broken devices and causes the app not to run. Our customers are all small, regional outfits, though; probably not big enough to merit much outrage.

wtf (0)

Anonymous Coward | about 3 months ago | (#45923625)

TFA [ioactive.com] was interesting; the shit-blog that was also linked can eat a dick. Yes, Michael Mimoso sucks cock.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...