Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mobile Banking Apps For iOS Woefully Insecure

Posted by Soulskill on from the raise-your-hand-if-you're-surprised dept.

msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."

5 of 139 comments (clear)

  1. feedback by Threni · · Score: 5, Insightful

    How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.

    1. Re:feedback by buddyglass · · Score: 5, Interesting

      I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.

  2. Re:You Must Be Crazy ... by 0123456 · · Score: 5, Interesting

    Who's writing keylogging malware for CentOS?

  3. these guys pushed the 4 digit pin by RichMan · · Score: 5, Funny

    The banking people made the glory of the 4 digit decimal PIN authentication a universal standard.
    I am sure they know all about very secure systems and the public domain.

  4. Re:List of Vulnerable Banks / Bank Apps, Please? by Anonymous Coward · · Score: 5, Insightful

    While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.

    Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.

    More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.

    So for everybody's sake, just cut the condescending attitude. Thanks.