Major Security Holes Found In Mobile Bank Apps
NeverVotedBush writes with this excerpt from CNet:
"A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."
Banks are totally secure, this is obviously propaganda
http://cache.gawkerassets.com/assets/images/7/2010/05/500x_sjobs1.jpg
"freedom from programs that steal your private data"
I think he meant:
"freedom from programs that will notify you that other programs are stealing your private data"
But how is Chase's App on iPhone "insecure" when it is the user's responsibility to not leave their username lying around?
Sounds like a win for the iPhone
my karma will be here long after I'm gone
Most institutions are concerned with whether they are legally covered and covered adequately for insurance purposes. Merely being covered to prevent customers from having money stolen is much, much less important. The concern of the higher-ups will be "did they sign our agreement that says we're protected" more than "Are our customers actually protected?"
IT systems are a tool, like an axe or a chainsaw. The problem is you may not realize you want steel-toed boots until your foot protests strenuously at being attacked.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
Let's not get so excited about the future that we forget the mistakes of the past folks....
These apps have the ability to remember the users' credentials. The program can either store it in plain text or in a reversibly encrypted manner. There is only marginal benefit to encryption as someone can quickly figure out how to reverse it. The solution is to not store the username or password, but then people would simply ask for that feature. Any bet the apps transmit the username/password in cleartext as well?
All?!
I mean, seriously, what else can you get away with today?
I hope I didn't brain my damage.
I still have a landline. To do my banking, I call my bank and enter my account number, which I have memorized. In rare instances (say, on the interstate while driving across the U.S.) I have called my bank from my cell phone, a Nokia 3589i. If people want to access their bank account from a smartphone, that's fine with me, but personally I don't want anything to do with it. It'd be nice to see the banks & telecoms held to a standard --beaten over the head, if need be-- whereby such carelessness & recklessness would never see the light of day.
I can really use the extra cash before Christmas.
I read this story immediately since I use one of the listed apps but it wasn't until the end that I saw that it was only the apps running on Android. Should have had the modifier "Android" in the title.
Are Apple's policies or requirements for their app store responsible for this not being an iPhone problem?
Nate
I have to deal with this BS at work all the time
"...But that password is plain text!"
"Well, the program has to read it. I can encrypt it, but then the app will just have to decrypt it, which means there will be a decryption key in plain text"
"Then encrypt the key!"
"...errr...."
etc etc.
Either you allow the user to save their login and password every time, and store it REVERSIBLY, or you don't allow it. If the decryption is reversible then it is totally irrelevant and might as well be plain text, since the "encryption" is no better than ROT-13 if the key is right there for anyone to get.
I wouldn't trust those banking apps to not rip me off or expose me, since they're made by the banks. The banks are untrustworthy.
What we need is a standard for consumer banking transactions with any bank server. Then a single client could connect to multiple banks, or to a single one even when it changes its style and services. I would install the banking client app that I trusted and preferred. One view of all my finances, including my IRA, insurance, mortgage, savings, checking, stock market, even perhaps debts owed to/from individual people. In fact I'd like such a client to keep a database of all my financial transactions, including all bills. I'd like it to keep records of every "automatic withdrawal". I'd like it to use my phone to alert me to deposits and withdrawals if I wish, including "OK/Cancel" per transaction. I'd like it to lock each payment with a one time password it generates and sends, instead of using my credit card number in the clear all the time.
Some desktop apps, like Quicken, already do some things like this. But it's time that all my finances are handled by an app I trust that doesn't come from the server that has an interest conflict with me in reporting transactions, that is simple enough without lots of "financial planning" baggage necessarily coming with it. This has been true for email and websites for decades, as well as every other successful kind of info transaction over networks for even longer. It's long past time to leave the consumer side of the banking to businesses actually in the business of serving consumers. Banks are not in that business, haven't been in a long time, and show less and less real interest or reliability in returning to it.
--
make install -not war
Chase's iPhone app stores the username on a phone if the user chose that option,
who would have thunk?
I have an iPod touch lying around and it continually asks me for my password every time I do anything in the App Store even if I just entered my damned password a few moments ago... This is ridiculous and annoying.
WRT storing passwords in plain text on the device, it is no more secure than storing a hashed password or reversibly encrypted password... If whatever is stored will unlock access to your account, it makes no difference what format the stored data is kept in.
One app stored a password, from the article - all the others failed because they stored just the username. Oh no.. OMG.. this is terrible..
It just annoys people to no end to have to login again and again and again to do simple things day in and day out. What difference does it make if another app compromises your device WHILE your banking app is running or compromises it later when it is not? I'm sick of security theatre and mobile platforms that continue to not be designed to be secure by default.
Hint hint if mobile applications in an appstore need to be reviewed for malicious intent to protect the end user then the whole platform is crap from a security POV.
... for the same reason that there isn't a little box to write your PIN number in on ATM cards. If you offer people a less secure but simpler alternative then many of them will use it out of sheer, if understandable, ignorance of the implications. Since leaving your username information "lying around" is a security concern, the only way to keep the mass of people from making things less secure is to not offer the option in the first place. It is the responsibility of the banks, who have security experts, to make things more secure. It cannot sit on the shoulders of the masses, as you suggest it should, because it is a known fact that most people using the app are not security experts.
Indeed, by offering the option, they are implying that there is no issue with using it.
HTH
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Ignoring for the moment that such a phenomenally stupid move would have not only made the article, but also surely have been the focus of the article title, it is absurd to suggest that they aren't using https, as they have been doing properly for years.
I use the Chase iPhone app and am perfectly happy with its security. I did not opt to store my username on the phone and therefore my security was never in a perilous state. People who chose to store their username on the phone have a SLIGHTLY less secure system, but probably chose to do so because their password is very secure or they just don't care. I think this is more about people than systems.
Those who would choose Steve Jobs' insecurity over freedom deserve the first one. I'd rather be at risk for shit by banking on my phone (I don't even use a credit card) than to feed a megalomaniac.
Just because a PayPal app might be handling data correctly doesn't mean another app isn't attaching to the keyboard TTY and sniffing your keystrokes, or accessing data through another mechanism. This is what happened to me on the iPhone with PayPal, and I got ripped off.
This is the risk we take with new technology. Everyone wants to jump on board without really understanding the inherent risks and assuming manufacturers like Apple (who was silent to my forensic evidence) do the right thing or are even capable of auditing every line of code. Early on, I am willing to bet the Apple App Store was rife with programs either inappropriately accessing or outright stealing personal data. Look at what's been going on with Android. There's a market for that stuff -- we must keep that in mind.
The bottom line for me is I will never do any "sensitive" (financial) type work on a mobile device.
You mean, like this anti-Android and pro-iPhone slashturfing? Why turfers care to try to convince the majority of iFags in here anyway, talk about preaching to the choir.
THIS JUST IN! Internet Explorer 6 SAFER than Android! WWS(teve)D??
Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.
This article is attempting to make the iPhone look less problematic than Android-based phones.
Examples:
- why don't they list the unaffected Android apps as they do for iPhone?
- why don't they mention that the Android PayPal app is unaffected, unlike how it affects the iPhone?
- why would they provide a link to "Google Android" and not "iPhone iOS" other than to highlight "Android" in bright blue along with the title of this article?
Question: where does C-net disclose its conflict of interest in their articles? Provide link please.
It's a Google WebView 'feature' that is enabled by default, and all password-protected sites viewed via a custom application have the same problem.
US Bank's Android and iPhone apps are what interest me.
Young and foolish developers are mostly the ones who have had time to really move onto mobile platforms. Whaddya expect from whipper snappers that haven't lived through the wars?
Start issuing keyfobs and be done with it.
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
I suppose no one would have read a story titled "Minor (If we really stretch medium)" security holes found in bank apps.
physical access = game over.
full memory and disk access = game over.
anyone that says otherwise is lying to you.... anyone continuing to point it out as if it is news is an ignorant marketeer.
I have a pin lock enabled on my iPhone. Why shouldn't I have this option?
If banks cared about the fraud caused by plain-text, stored usernames, then they'd fix it. Evidently it's not an issue as it costs them money. Or is this another one of the "security fixes" that no one would ever use or care about. Paranoid people really irk me sometimes.
I've had numerous discussions with my credit union about their inadequate response to computer security.
For instance, their customer service messaging is handled through a third party, so e-mails will reference a third party URL that seemingly has nothing to do with the credit union. I've tried to explain phishing attacks to the credit union to no avail.
At the same time, their customers are pressuring them to support transactions via the phone. What a disaster. The sad part is, as a credit union member, I suffer, because my savings interest rates will decline due the inevitable write-offs.
Already, we've seen responsible credit unions take a massive hit -- on September 24, 2010 the National Credit Union Administration (NCUA) placed 3 corporate credit unions in conservatorship. As a result, $30-35MM in bonds will be issued by NCUA to cover the bad credit unions. The member credit unions take the hit, and my credit union lost $2MM.
From an e-mail with my credit union:
NCUA also operates the federal deposit program for credit unions. This fund is called the National Credit Union Share Insurance Fund (NCUSIF). This fund is capitalized by deposits from individual credit unions and backed by the full faith and credit of the U.S. Government. Insured credit unions deposit 1% of their insured shares into the fund on an annual basis. The fund balance must operate between 1 – 1.3% of insured deposits. Anytime the fund does not stay above the target rates established by the NCUA we must make premium payments to recapitalize the fund. In 2010 our recapitalization rate was 12 basis points or $480,000. These expenses are part of the Credit Union’s operating expenses on any given year.
At the end of the day, I suspect we either need scanning on the phones, or a secure fob that produces one time passwords that get entered into a website. I think just about everything else is open to attack.
Yes, fobs are expensive. Suck it up, banks! How much more bailout money do you need?
TFA:
>You could "trick the user with a fishing fake email" Mr. Hoog said.
Hope no one likes trout!
As a USAA employee, I can assure you some ONE is looking into this on a Friday night...
cough
I guess you missed that line in the summary
Scanning as in fingerprint scanning? All I can say to that is "L.O.L."
Fingerprint scanning is James Bond shit that has nothing to do with and no place in real security.
Snowden and Manning are heroes.
A hole can be fixed. An app that saves data, plain-text or not, is just that. The real issue is WHERE these apps are running: on mobile devices which, if not properly secured, serve as an easy target when stolen or lost. Is a non-secured iPhone filled with holes since all of your contacts, e-mail, etc. is stored in plain-text?
Gfuss
Because I use the BoA app and it NEVER remembers my device, but apparently knows the answer to my question ahead of time =/
Arguing with an engineer is like wrestling a pig in mud. Soon, you realize the pig is dirty, and he likes it.
IE6 is still the most popular browser in financial institutions. 'nuf said.
Really, I mean come on, after 20 years of online banking, they would come back to these junior level mistakes.
Someone should lose their job for lack of competence...and I am not talking about the junior programmers!
Quality control is a management-level responsibility, and if you have no NUnit testing tools, or diagnostics tools, you hire a firm that does, especially when dealing with banking info like this.
Thanks to the company that did the research, we nipped it in the bud; how many more problems like this are out there though....
I would donate to this company to keep doing this type of research, and also help push the word of donations to all who would use online banking. It could become a staple in online affairs: a company like this one gets enough money to continue what they started, and find all the bugs in iPhone apps for online banks of all sorts.