Slashdot Mirror


Mobile Banking Apps For iOS Woefully Insecure

msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."
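The summary mentions hard-coded development credentials turned up by static analysis of the app binaries. The following is an added example of the simplest form of that check, not code from the research or from any bank's app: extract printable strings from a binary the way strings(1) does, then flag the ones that look like secrets or development endpoints. The "binary" and every string in it are constructed for the example; the patterns are heuristics and will need tuning on a real app.

```python
import re

# Minimum run of printable bytes to treat as a string. strings(1) defaults to 4;
# 8 cuts most of the noise from instruction encodings.
MIN_LEN = 8
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Heuristics for strings that should never ship in a release build.
SUSPECT_PATTERNS = [
    ("credential assignment",
     re.compile(r"(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[=:]\s*\S+")),
    ("basic-auth URL",
     re.compile(r"(?i)https?://[^/\s:@]+:[^/\s:@]+@")),
    ("private key block",
     re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----")),
    ("dev/test host",
     re.compile(r"(?i)\b(dev|test|staging|uat)[\w.-]*\.[a-z]{2,}\b")),
]


def extract_strings(blob):
    """Yield (offset, text) for each printable ASCII run of at least MIN_LEN bytes."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def scan_binary(blob):
    """Return (offset, label, text) for every string matching a suspect pattern."""
    findings = []
    for offset, text in extract_strings(blob):
        for label, pattern in SUSPECT_PATTERNS:
            if pattern.search(text):
                findings.append((offset, label, text))
                break  # one label per string is enough for triage
    return findings


# Constructed stand-in for an app binary: a Mach-O-like magic number, a couple of
# Objective-C runtime strings, and three planted development artefacts.
SAMPLE_BINARY = b"".join([
    b"\xcf\xfa\xed\xfe\x00\x00\x01\x00",
    b"_OBJC_CLASS_$_LoginViewController\x00",
    b"Insufficient funds in account\x00",
    b"https://dev-api.example.test/v1/login\x00",
    b"https://qa_user:Summer2014!@staging.example.test/api\x00",
    b"debug_password=Build2014!\x00",
    b"NSString\x00",
])


def report(blob=SAMPLE_BINARY):
    """One line per finding, in the offset/label/string order a triager wants."""
    return ["0x%08x %-22s %s" % f for f in scan_binary(blob)]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against a real IPA you would unzip it, decrypt the main executable if it came from the App Store, and feed each Mach-O slice to scan_binary; anything flagged under "credential assignment" or "basic-auth URL" is a finding on its own, while "dev/test host" hits mostly tell you which build configuration leaked into release.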

26 of 139 comments

  1. feedback by Threni · · Score: 5, Insightful

    How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.

    1. Re:feedback by buddyglass · · Score: 5, Interesting

      I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.

    2. Re:feedback by TheRaven64 · · Score: 2

      The question that you should be asking is what happens if the browser is compromised. It doesn't matter if JavaScript is enabled, if some malware controlling your browser lets the attacker make arbitrary payments then your bank is doing it wrong. To pay anyone I've not paid before (and saved the credentials for) via Internet banking, my bank requires me to enter a code that they provide and the recipient's account number and the amount in either a mobile phone app or a separate device, which then generates a code that I have to enter into the browser. If an attacker can compromise both my computer and my mobile device, then they can make arbitrary payments, but if they just compromise the browser they can't.

      --
      I am TheRaven on Soylent News
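The out-of-band signing scheme TheRaven64 describes (a bank-issued code, the recipient's account number and the amount typed into a separate device, which returns a code the browser forwards) works because the code is a function of exactly those three values, so a browser that changes the payee after the user signed invalidates it. The following is an added example of that scheme and is not any bank's real implementation: the device computes HMAC-SHA256 over the challenge, account and amount with an enrolment secret and truncates it HOTP-style to eight digits; the code length, the account format and the single-use challenge handling are all assumptions made here.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # assumed length of the code the device shows the user


def derive_code(device_secret, challenge, account, amount_cents):
    """Code bound to exactly what the user typed into the separate device."""
    message = "{}|{}|{}".format(challenge, account, amount_cents).encode()
    digest = hmac.new(device_secret, message, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to a decimal code.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class SigningDevice:
    """The phone app or hardware token: holds the secret, never talks to the browser."""

    def __init__(self, secret):
        self._secret = secret

    def sign(self, challenge, account, amount_cents):
        return derive_code(self._secret, challenge, account, amount_cents)


class Bank:
    def __init__(self):
        self._device_secrets = {}  # user -> secret provisioned at enrolment
        self._pending = {}         # user -> outstanding single-use challenge

    def enrol(self, user):
        secret = secrets.token_bytes(32)
        self._device_secrets[user] = secret
        return secret

    def new_challenge(self, user):
        challenge = "{:08d}".format(secrets.randbelow(10 ** 8))
        self._pending[user] = challenge
        return challenge

    def submit_payment(self, user, account, amount_cents, code):
        """Accept only a code computed over this challenge, this payee, this amount."""
        challenge = self._pending.pop(user, None)  # consumed on any attempt: replays fail
        if challenge is None:
            return False
        expected = derive_code(self._device_secrets[user], challenge, account, amount_cents)
        return hmac.compare_digest(expected, code)


def demo():
    """An honest payment, a browser-side payee substitution, and a replay."""
    bank = Bank()
    device = SigningDevice(bank.enrol("alice"))
    payee, amount = "12-34-56 12345678", 25000  # constructed sort code / account, pence

    code = device.sign(bank.new_challenge("alice"), payee, amount)
    honest = bank.submit_payment("alice", payee, amount, code)

    # Malware in the browser rewrites the payee after the user has signed.
    code = device.sign(bank.new_challenge("alice"), payee, amount)
    tampered = bank.submit_payment("alice", "99-99-99 00000001", amount, code)

    # Malware re-submits a code it captured; the challenge has already been consumed.
    code = device.sign(bank.new_challenge("alice"), payee, amount)
    bank.submit_payment("alice", payee, amount, code)
    replayed = bank.submit_payment("alice", payee, amount, code)
    return honest, tampered, replayed


if __name__ == "__main__":
    print("honest=%s tampered=%s replayed=%s" % demo())
```

The property that matters is "what you see is what you sign": the device displays (or has typed into it) the payee and amount, so the bank-side check fails for anything the browser altered. The remaining risk is exactly the one the comment names, a compromise of both the browser and the device, or a user who types whatever the malware's fake page tells them to.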
  2. You Must Be Crazy ... by jasnw · · Score: 4, Interesting

    ... to bank from your cellphone. Call me paranoid and old-fashioned (I admit to being both), but if I do on-line banking at all I do it from my own home computer on a wired LAN. OK, so I can't do all the wild-and-crazy things these mobile banking apps allow, but I also am likely to have my money in my bank in my account at the end of the day and not in a bank account in Siberia somewhere.

    1. Re:You Must Be Crazy ... by Anonymous Coward · · Score: 4, Interesting

      I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.

    2. Re:You Must Be Crazy ... by 0123456 · · Score: 5, Interesting

      Who's writing keylogging malware for CentOS?

    3. Re:You Must Be Crazy ... by burne · · Score: 3, Informative

      No need to, it's built into the OS. It even has a nice cli to handle starting, stopping and logging. ttysnoop.

      However, getting sufficient permissions is the hard bit, especially for a remote attacker.

    4. Re:You Must Be Crazy ... by S.O.B. · · Score: 2

      Who's writing keylogging malware for CentOS?

      That's just what the NSA wants you to think.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    5. Re:You Must Be Crazy ... by icebike · · Score: 3, Insightful

      The government already has access to my bank account. They don't need to break into my computer to get it.

      (Not discounting they might have broken into my computer for some other reasons).

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:You Must Be Crazy ... by Savage-Rabbit · · Score: 2

      The government already has access to my bank account. They don't need to break into my computer to get it.

      They'd be interested in your password though.
      Either in case you re-use it elsewhere or to help them guess the type of passwords you'd use for other accounts.

      Why would they need a password? Judging from what we have learned about NSA standard practice all they have to do is show up at your bank, twist some arms, drop the words "We're post 911 here, are you telling us you are refusing to contribute to national security?" and your bank will set up a dedicated back-door that allows them to access any data they want.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    7. Re:You Must Be Crazy ... by tsa · · Score: 2

      Woosh...

      --
      Cheers!

    8. Re:You Must Be Crazy ... by TheRaven64 · · Score: 2

      Not necessarily. Most USB keyboards have firmware stored on a flash chip that has some spare capacity, and a lot have built-in USB hubs. There was at least one proof of concept for a keylogger that would record things to the on-board flash and then dump them to a specific USB device when it was inserted, then erase the on-board flash (rewriting the bit that contained some of the firmware) ready to start again.

      --
      I am TheRaven on Soylent News
    9. Re:You Must Be Crazy ... by multimediavt · · Score: 2

      Who's writing keylogging malware for CentOS?

      Oh, I know this one! What is the NSA, Alex?

  3. Seriously, guys? by fuzzyfuzzyfungus · · Score: 3, Insightful

    So, are these banks' websites just as bad, or did they actually manage to re-implement something worse than just wrapping their site in a suitable stylesheet and calling that 'an app'? If the latter, how do they look themselves in the mirror every morning?

  4. these guys pushed the 4 digit pin by RichMan · · Score: 5, Funny

    The banking people made the glory of the 4 digit decimal PIN authentication a universal standard.
    I am sure they know all about very secure systems and the public domain.

    1. Re: these guys pushed the 4 digit pin by baker_tony · · Score: 2

      That's why my pin is 9999!

    2. Re:these guys pushed the 4 digit pin by TheRaven64 · · Score: 2

      The other part of the shift to chip-and-pin was the liability. If a merchant accepts a transaction with the magnetic strip, and the customer disputes it, then the merchant is liable, not the bank.

      --
      I am TheRaven on Soylent News
  5. My bank's app... by grub · · Score: 2

    TD Canada Trust appears to not use case sensitive passwords or allow special characters. Try it with your password using UPPER, lower and MiXEd case.

    --
    Trolling is a art,
  6. List of Vulnerable Banks / Bank Apps, Please? by IonOtter · · Score: 3, Insightful

    Which banks, please? Can we please have a list of which banks fail basic programming???

    --
    [End Of Line]
    1. Re:List of Vulnerable Banks / Bank Apps, Please? by Anonymous Coward · · Score: 5, Insightful

      While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.

      Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.

      More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.

      So for everybody's sake, just cut the condescending attitude. Thanks.

  7. Re:That is shit. by spatley · · Score: 2

    E: (all of the above)

  8. I'm shocked. by binaryhermit · · Score: 2, Funny

    Banks doing something insecure? What's next? The government capturing all internet traffic in the name of stopping terrorism?

  9. Re:Relying on internal 'talent' by fuzzyfuzzyfungus · · Score: 4, Insightful

    What surprises me is that TFA mentioned multiple cases of things like failure to validate SSL certs, use of unencrypted assets rendered by the app in ways that could be spoofed dangerously, and similar stuff that wouldn't have gotten past their web people; but apparently are A-OK because it isn't a web browser, it's an 'app' wrapped around the UIWebView class!

    The other things they mention, assorted attacks or failures to mitigate against an attacker with privileged access to the system, aren't good; but they are both less dangerous (at least to people running stock iOS) and more novel and platform-specific. The first class of bugs, though, should have been solved a decade or more ago when they started dabbling in this 'web' stuff.
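The failure to validate SSL certificates that this comment calls out is usually a client-side configuration choice: a certificate error during development gets "fixed" by turning verification off, and the setting ships. The following is an added example, not code from any of the audited apps, showing the weak client settings beside the hardened ones in Python's ssl module, an audit function a reviewer can run over a context, and a leaf-certificate pin check applied after the normal chain and hostname validation. Pinning the SHA-256 of the whole leaf certificate (rather than its public key) is the simpler but more brittle choice, which is why the pin set allows several values for rotation; open_pinned_connection and the pin format are this example's own.

```python
import hashlib
import hmac
import socket
import ssl


def insecure_client_context():
    """The anti-pattern: silence a certificate error by turning validation off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an interceptor's, passes
    return ctx


def hardened_client_context(cafile=None):
    """Chain validation, hostname check and a TLS 1.2 floor; cafile can restrict to a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Findings a reviewer would raise against a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-protocol-floor")
    return findings


def cert_pin(der_cert):
    """SHA-256 of the DER-encoded leaf certificate: the value the app ships with."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, allowed_pins):
    """Constant-time comparison against each allowed pin (several, so certs can rotate)."""
    observed = cert_pin(der_cert)
    return any(hmac.compare_digest(observed, p) for p in allowed_pins)


def open_pinned_connection(host, port, allowed_pins, ctx=None):
    """Validate chain and hostname first, then refuse any leaf outside the pin set."""
    ctx = ctx or hardened_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname check happens here
    if not pin_matches(tls.getpeercert(binary_form=True), allowed_pins):
        tls.close()
        raise ssl.SSLError("leaf certificate for %s does not match the pin set" % host)
    return tls


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit function is the part worth wiring into a build: any context that trips "no-cert-verification" or "no-hostname-check" should fail the release, since either one lets an on-path attacker with any certificate read and rewrite the session. The pin check only adds value once those two pass; with verification off, a pin on the leaf is all that stands between the app and an interceptor.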

  10. It's in the repo by Anonymous Coward · · Score: 2, Funny

    Try "yum install logkeys"

  11. What's Their Purpose? by organgtool · · Score: 2

    Can someone please explain to me why someone needs a separate app to do their banking? As a matter of fact, can anyone explain why we need most of the apps that are just poor rewrites of web sites? Why not make a good mobile version of the web site that users can bookmark as icons on their home screen and call it a day?

  12. Re:The recommendations in TFA by buddyglass · · Score: 2

    I'm not arguing that obfuscation and anti-debug techniques are sufficient; I'm arguing that they aren't completely useless. Take whatever other security measures make sense and then turn on obfuscation and anti-debug on top of that just to dissuade "casual" (read: lazy) attackers.