Slashdot Mirror


Major Security Holes Found In Mobile Bank Apps

NeverVotedBush writes with this excerpt from CNet: "A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."

13 of 107 comments

  1. Institutions by Oxford_Comma_Lover · · Score: 4, Informative

    Most institutions are concerned with whether they are legally covered and covered adequately for insurance purposes. Merely being covered to prevent customers from having money stolen is much, much less important. The concern of the higher-ups will be "did they sign our agreement that says we're protected" more than "Are our customers actually protected?"

    IT systems are a tool, like an axe or a chainsaw. The problem is you may not realize you want steel-toed boots until your foot protests strenuously at being attacked.

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
  2. Plaintext user data storage? by TravTrav · · Score: 2, Interesting

    Let's not get so excited about the future that we forget the mistakes of the past, folks....

  3. Re:iPhone win? by TheRaven64 · · Score: 3, Funny

    He means that, after buying an iPhone and the associated contract, there won't be anything left in your bank account to steal, so iPhone users are not vulnerable to this problem.

    --
    I am TheRaven on Soylent News
  4. Re:iPhone win? by Anonymous Coward · · Score: 5, Insightful

    This is not a platform battle. The banks clearly take shortcuts or hire developers unfit for the task.
    Maybe the iPhone developers also developed the Android apps and were not properly educated on Android development (just a thought).

  5. Re:So what? by GCsoftware · · Score: 5, Informative
    I take it you've never heard of the OS-level security feature called Keychain, present on both OS X and iOS - basically, it's a way of storing data in an encrypted form, using the user's login password (or PIN) as the seed for the encryption key. Not unbreakable, but surely a hell of a lot better than plaintext.

    Considering this ships as default with the OS, it's inexcusable to not use it. Morons.

    See below for more details:

    http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html
    http://en.wikipedia.org/wiki/Keychain_(Mac_OS)

  6. +1 Insightful by brunes69 · · Score: 2, Interesting

    I have to deal with this BS at work all the time

    "...But that password is plain text!"
    "Well, the program has to read it. I can encrypt it, but then the app will just have to decrypt it, which means there will be a decryption key in plain text"
    "Then encrypt the key!"
    "...errr...."

    etc etc.

    Either you allow the user to save their login and password every time, and store it REVERSIBLY, or you don't allow it. If the decryption is reversible then it is totally irrelevant and might as well be plain text, since the "encryption" is no better than ROT-13 if the key is right there for anyone to get.

    1. Re:+1 Insightful by cookd · · Score: 3, Insightful

      You've over-simplified the problem and created a false dichotomy. There are many solutions that are more secure than plain-text. It's not a binary decision. You are correct in that you can't get perfect security, but that doesn't mean you can't do better than plain-text. Perfect is the enemy of good.

      First, while you cannot achieve true security through obfuscation, you can certainly improve your odds. If I steal a computer and scan cookies and documents looking for passwords, I'm more likely to find and use passwords stored in plaintext than I am to find passwords stored with some kind of reversible encryption. Sure, anybody who knows the details of my app will be able to get the passwords, but that doesn't mean I have to make it obvious and advertise the password data -- make it hard for them, and you'll probably stop 99% of the attacks.

      Second, there are often operating system features for storing secure data. The data can be encrypted using the user's password, which is stored in kernel memory on the running system, but is not directly stored on the hard disk (the hard disk stores a hash, not the password itself). Your application can ask the OS to store a secret value, and later you can ask for that value back again. The OS will only be able to give you back the original value if the user is logged on with a correct password. (The OS handles re-encrypting the necessary keys each time the user's password changes.) In Windows, you use the CryptProtectData function. I'm not as familiar with other OS APIs, but I'm sure there are similar APIs on other systems. Not available in restricted scenarios (hard to do this from JavaScript running in the browser), but you should take advantage of the facility if you can.

      Finally, if you own both ends of the system (client and server), you can provide challenge/response security that can be pretty strong by using hashes and public/private keys. This is harder, but you can get good security this way. Even in JavaScript.

      --
      Time flies like an arrow. Fruit flies like a banana.
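      As an added example (not cookd's code, brunes69's, or anything from the banks' apps), here is the hash-based challenge/response cookd describes, using only Python's standard library: the client proves knowledge of a password-derived key without ever sending the password, which also answers brunes69's objection above, since the phone can hold a derived key (or re-derive it from a PIN each time) rather than the password itself. The class names, the "login:" message framing and the sample usernames are my own assumptions.

      ```python
      import hashlib
      import hmac
      import os
      import secrets

      # Constructed example: HMAC challenge/response login between a bank client and
      # its server. Both sides hold a key derived from the password at enrollment; the
      # password itself never crosses the wire and need not be stored on the phone.


      def derive_key(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
          """PBKDF2-HMAC-SHA256 (stdlib); the per-user salt is public, the key is not."""
          return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


      def response_for(key: bytes, username: str, nonce: bytes) -> bytes:
          # Bind the proof to a purpose and a username so it cannot be replayed elsewhere.
          return hmac.new(key, b"login:" + username.encode() + b":" + nonce, "sha256").digest()


      class Server:
          def __init__(self) -> None:
              self.users = {}    # username -> (salt, derived key); a password-equivalent
              self.pending = {}  # username -> outstanding single-use nonce

          def enroll(self, username: str, password: str) -> bytes:
              salt = os.urandom(16)
              self.users[username] = (salt, derive_key(password, salt))
              return salt  # the client needs the salt to derive the same key

          def challenge(self, username: str) -> bytes:
              nonce = secrets.token_bytes(32)
              self.pending[username] = nonce  # one live challenge per user
              return nonce

          def verify(self, username: str, response: bytes) -> bool:
              nonce = self.pending.pop(username, None)  # pop: a nonce is accepted once
              if nonce is None or username not in self.users:
                  return False
              _, key = self.users[username]
              expected = response_for(key, username, nonce)
              return hmac.compare_digest(expected, response)  # constant-time compare


      class Client:
          """After enrollment the phone keeps only the derived key, never the password."""

          def __init__(self, username: str, password: str, salt: bytes) -> None:
              self.username = username
              self.key = derive_key(password, salt)

          def respond(self, nonce: bytes) -> bytes:
              return response_for(self.key, self.username, nonce)


      def login(server: Server, client: Client) -> bool:
          nonce = server.challenge(client.username)
          return server.verify(client.username, client.respond(nonce))
      ```

      The server-side derived key is still a secret worth protecting, which is the usual trade-off of symmetric challenge/response versus the public/private-key variant cookd also mentions.
      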
  7. Re:It couldn't be... by Pharmboy · · Score: 3, Funny

    That may be true but I keep my cash stuffed in my mattress.

    And thanks to the Facebook leak, Google Maps and the average person's willingness to announce their plans on Twitter, it is even easier to steal it from your mattress.

    --
    Tequila: It's not just for breakfast anymore!
  8. Standard Banking Client by Doc+Ruby · · Score: 2, Insightful

    I wouldn't trust those banking apps to not rip me off or expose me, since they're made by the banks. The banks are untrustworthy.

    What we need is a standard for consumer banking transactions with any bank server. Then a single client could connect to multiple banks, or to a single one even when it changes its style and services. I would install the banking client app that I trusted and preferred. One view of all my finances, including my IRA, insurance, mortgage, savings, checking, stock market, even perhaps debts owed to/from individual people. In fact I'd like such a client to keep a database of all my financial transactions, including all bills. I'd like it to keep records of every "automatic withdrawal". I'd like it to use my phone to alert me to deposits and withdrawals if I wish, including "OK/Cancel" per transaction. I'd like it to lock each payment with a one time password it generates and sends, instead of using my credit card number in the clear all the time.

    Some desktop apps, like Quicken, already do some things like this. But it's time that all my finances are handled by an app I trust that doesn't come from the server that has an interest conflict with me in reporting transactions, that is simple enough without lots of "financial planning" baggage necessarily coming with it. This has been true for email and websites for decades, as well as every other successful kind of info transaction over networks for even longer. It's long past time to leave the consumer side of the banking to businesses actually in the business of serving consumers. Banks are not in that business, haven't been in a long time, and show less and less real interest or reliability in returning to it.

    --
    make install -not war

  9. Re:This is an Android App Security Story by Bigjeff5 · · Score: 2, Insightful

    Apparently you can't read, since there are at least two iPhone apps in the insecure list (granted, there were four Android apps in the list, and only one Android app that passed vs 4 iPhone apps).

    It seems more likely that, for whatever reason, iOS financial app developers tend to be more diligent than Android financial app developers.

    It's still bad for Android, but not the same kind of bad. And it certainly doesn't warrant changing the summary title given the fact that iPhone apps are insecure as well, and the problems are related to how the apps were developed, not the OSes themselves.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
  10. OH! OH! I know! Pick Me ! by Zero__Kelvin · · Score: 4, Insightful

    "But how is Chase's App on iPhone "insecure" when it is the user's responsibility to not leave their username laying around ?"

    ... for the same reason that there isn't a little box to write your PIN number in on ATM cards. If you offer people a less secure but simpler alternative then many of them will use it out of sheer, if understandable, ignorance of the implications. Since leaving your username information "laying around" is a security concern, the only way to keep the mass of people from making things less secure is to not offer the option in the first place. It is the responsibility of the banks, who have security experts, to make things more secure. It cannot sit on the shoulders of the masses, as you suggest it should, because it is a known fact that most people using the app are not security experts.

    Indeed, by offering the option, they are implying that there is no issue with using it.

    HTH

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Write misleading headlines much? by Wovel · · Score: 2, Interesting

    I suppose no one would have read a story titled "Minor (If we really stretch medium)" security holes found in bank apps.

  12. Re:Totally biased article by jeff4747 · · Score: 2, Insightful

    I seriously question your ability to read, as the first two of your examples are refuted in your quote from the article.

    You'll also have to turn in your 'geek' card for not understanding how CNet's automatic link generation works.