Major Security Holes Found In Mobile Bank Apps 107
NeverVotedBush writes with this excerpt from CNet:
"A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."
Re: (Score:2)
Banks are totally secure, this is obviously propaganda
That may be true but I keep my cash stuffed in my mattress. It may not have a 'mobile app', and there aren't many ATM's on the 'Mattress Network', but I'm able to work within those limitations.
Re:It couldn't be... (Score:4, Funny)
That may be true but I keep my cash stuffed in my mattress.
And thanks to the facebook leak, google maps and the average persons willingness to announce their plans on twitter, it is even easier to steal it from your mattress.
I can see the problems. (Score:1)
But how is Chase's App on iPhone "insecure" when it is the user's responsibility to not leave their username laying around ?
OH! OH! I know! Pick Me ! (Score:5, Insightful)
... for the same reason that there isn't a little box to write your PIN number in on ATM cards. If you offer people a less secure but simpler alternative then many of them will use it out of shear, if understandable, ignorance of the implications. Since leaving your username information "laying around" is a security concern, the only way to keep the mass of people from making things less secure is to not offer the option in the first place. It is the responsibility of the banks, who have security experts, to make things more secure. It cannot sit on the shoulders of the masses, as you suggest it should, because it is a known fact that most people using the app are not security experts.
Indeed, by offering the option, they are implying that there is no issue with using it.
HTH
Re: (Score:2)
I guess you missed that line in the summary
iPhone win? (Score:1, Troll)
Re: (Score:2)
Re:iPhone win? (Score:4, Funny)
Re: (Score:2)
If someone was foolish enough to steal from an iPhone user, they would get whacked in the head by Crazy Steve [gstatic.com] and his magic Apple TV!
Re: (Score:1)
Sorry .. I think its YOU that did not read the summary ..
Or perhaps you failed math ..
4 mentions of iphone app 'doing it right'
1 mention of a android being OK ( even tho the one they mention is NOT A BANK !!! )
4 about android failing
2 iphone apps being broken ..
whats that .. android -3 Iphone 2 .. Where is that NOT a win ??
Re: (Score:2)
I wonder how jack felt abotu forced castration...
Re: (Score:1)
Re:iPhone win? (Score:5, Insightful)
This is not a platform battle. The banks clearly take shortcuts or hire developers unfit for the task.
Maybe the iPhone developers also developed the Android apps and were not properly educated on Android development (just a thought).
Re: (Score:2)
I think because the iPhone apps have to be reviewed by Apple is why they are much better in that regard
Re: (Score:1)
You mean the same review process that keeps letting apps through that clearly violate Apple's policies (WiFi sharing, emulators, etc.), only to have them pulled within a day when Apple finally hears about it from users?
Apple is clearly incapable of determining reliably what the major function of an application is, so you're incredibly naive if you think they are able to figure out something like whether an app stores a password somewhere.
Institutions (Score:4, Informative)
Most institutions are concerned with whether they are legally covered and covered adequately for insurance purposes. Merely being covered to prevent customers from having money stolen is much, much less important. The concern of the higher-ups will be "did they sign our agreement that says we're protected" more than "Are our customers actually protected?"
IT systems are a tool, like an axe or a chainsaw. The problem is you may not realize you want steel-toed boots until your foot protests strenuously at being attacked.
Re: (Score:2)
Most institutions are concerned with whether they are legally covered and covered adequately for insurance purposes.
I have to say I don't know of a single insurance company that knows enough to require software quality.
Maybe they do, but while I've been in several situations where government authorities mandated the use of quality standards, I've never seen that on any non-government-regulated software system.
Plaintext user data storage? (Score:2, Interesting)
So what? (Score:2)
These apps have the ability to remember the users credentials. The program can either store it in plain text or in a reversibly encrypted manner. There is only marginal benefit to encryption as someone can quickly figure out how to reverse it. The solution is to not store the username or password, but then people would simply ask for that feature. Any bet the apps transmit the username/password in cleartext as well?
Re: (Score:2)
Agreed - it drives me nuts when app makers deny me the ability to cache passwords/etc. It drives me nuts that chromium stopped caching passwords at the request of the requesting pages a few months ago.
If I want it to remember my password, I'll tell it to. If I don't want it to remember my password, I'll tell it not to. Either way my password gets recorded in a safe place - I can't set and remember 487 unique passwords for all the sites I visit. I just don't want app writers dictating that choice for me.
Re: (Score:2)
...Either way my password gets recorded in a safe place...
The whole point is that the password may not be getting recorded in a safe place. Plaintext is obviously a poor choice, but it's also a common practice.
Re: (Score:2)
What practical alternative do you offer, beyond making the user type it every time? At best you can encrypt it using a different password, which you have to type every time (at least that is only one password to remember, but only if the phone provides some kind of central support for this).
Plaintext or encrypted makes no difference - if the key is stored on the phone anyway. What passes for "encrypted" in most applications is really just obfuscation.
Re: (Score:2)
Re: (Score:2)
Not a bad idea. Also, I'd have to insist that all devices get delivered without keys, so that there is no way to know if a key is the original one or one that was later generated. Also, as the owner of the device I should be able to choose whether the device generates a key that never leaves the device, or one that it provides a copy to me for safe keeping. The device should never remember disclose which option was chosen.
This is necessary to defeat trusted computing approaches. If the device locks up k
Re: (Score:2)
Re: (Score:2)
I'd add generateKey as well - for secure key generation (without any way to distinguish which way the key got there). However, what you suggest seems fine.
I'd also arrange that by law devices come without any key and that they are generated when the consumer first uses the device. The wipekey function would need to be easily accessible by an end-user as well. Again, the purpose for this is to make this very useful for security purposes, and useless for trusted computing purposes.
Re:So what? (Score:5, Informative)
Considering this ships as default with the OS, it's inexcusable to not use it. Morons.
See below for more details:
http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html [apple.com]
http://en.wikipedia.org/wiki/Keychain_(Mac_OS) [wikipedia.org]
Re: (Score:2)
Isn't that the "reversable encryption" he mentioned?
Or am I wrong on that?
And no reversible encryption is unbreakable, they are simply unbreakable given a certain amount of time and resources. Good encryption takes thousands of years to break with current technology.
Re: (Score:1)
So no, not quite the same. In case a device is stolen, the attacker would need to have access to the user's password or PIN (I think the iPhone encrypts the device's whole storage anyway if it is PIN-protected, so you can't j
Re: (Score:1)
The iPhone encrypts the storage so that it can wipe by merely overwriting the key instead of the whole storage. It's not really encryption for most intents.
Re: (Score:1)
And trying to bruteforce the PIN code would cause the device to get wiped / locked?
I'm asking, because if this is not the case, then bruteforcing the Keychain might be trivial assuming most people use 4-5 number PINs...
Re: (Score:2)
The PIN seems to be irrelevant, actually.
In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup. For this reason, it is important to use the keychain on iPhone to store passwords and other data (such as cookies) that can be used to log into secure web sites.
-- http://developer.apple.com/library/ios/#documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-TP9 [apple.com]
I'm not sure where the password is stored. I'd be curious to know if it is on the filesystem (and thus accessible when jailbroken) or if it is perhaps stored in silicon somewhere, and whether this password survives system restores.
Re: (Score:2)
I take it you've never heard of the OS-level security feature called Keychain, present on both OS X and iOS - basically, it's a way of storing data in an encrypted form, using the user's login password (or PIN) as the seed for the encryption key. Not unbreakable, but surely a hell of a lot better than plaintext.
Considering this ships as default with the OS, it's inexcusable to not use it. Morons.
Keychain in iOS has limitations, for example it's always unlocked and the user doesn't have to authentication for the apps to get their keys back out. Still I agree that apps should use the built-in key services when possible.
Also on an iPod Touch you should lock it when not it use. Otherwise if it's stolen the thief doesn't have automatic access to your bank account.
Re: (Score:1)
I thought if your iPhone was PIN-code protected it would use that to lock the Keychain, no?
Re: (Score:2)
How is this different from the Mac? I thought the initial authentication upon login opens up the Keychain?
I thought if your iPhone was PIN-code protected it would use that to lock the Keychain, no?
The details are in the links provided above.
+1 Insightful (Score:3, Interesting)
I have to deal with this BS at work all the time
"...But that password is plain text!"
"Well, the program has to read it. I can encrypt it, but then the app will just have to decrypt it, which means there will be a decryption key in plain text"
"Then encrypt the key!"
"...errr...."
etc etc.
Either you allow the user to save their login and password every time, and store it REVERSIBLY, or you don't allow it. If the decryption is reversible then it is totally irrelevant and might as well be plain text, since the "e
Re: (Score:2)
No, if you know anything about programming the decryption key does not have to be in plaintext.
Re: (Score:2)
No, if you know anything about programming the decryption key does not have to be in plaintext.
You could always XOR it and store it in the registry. (Bonus points to those getting this reference). My point is that the decryption method or key is a known quantity and only a mild impediment to getting the password.
Re: (Score:2)
Take a look at http digest authentication:
http://en.wikipedia.org/wiki/Digest_access_authentication#Advantages [wikipedia.org]
"Advantages
HTTP digest authentication is designed to be more secure than traditional digest authentication schemes; e.g., "significantly stronger than (e.g.) CRAM-MD5 ..." (RFC2617).
Some of the security strengths of HTTP digest authentication are:
* The password is not used directly in the digest, but rather HA1 = MD5(username:realm:password). This allows some implementat
Re: (Score:3, Insightful)
You've over-simplified the problem and created a false dichotomy. There are many solutions that are more secure than plain-text. It's not a binary decision. You are correct in that you can't get perfect security, but that doesn't mean you can't do better than plain-text. Perfect is the enemy of good.
First, while you cannot achieve true security through obfuscation, you can certainly improve your odds. If I steal a computer and scan cookies and documents looking for passwords, I'm more likely to find and use
Re: (Score:2)
As for your first paragraph - this is just obfuscation and no better than ROT-13. It doesn't make anything "harder", it just provides a very very false sense of security that is trivially defeated. Such things are better off NOT DONE so at least the user realizes how insecure it is to store their passwords on the device.
As for the second, Do you know how many cell phone users have their phone password protected at screen on? I would venture it is close to 0, as it is horrifically inconvenient to do so. So t
Re: (Score:2)
I'll take that bet (Let's not get ridiculous) (Score:2)
Ignoring for the moment that such a phenomenally stupid move would have not only made the article, but also surely have been the focus of the article title, it is absurd to suggest that they aren't using https, as they have been doing properly for years.
Re: (Score:1)
Part of the security for an application can be attributed to the underlying platfom. It is very difficult to write a secure application on a operating system that doesn't require a user to log-on to access all files on the system. On such a system, anybody who can access a terminal can compromise any unencrypted data from any application, and the application developer must work that much harder to secure the data. On the other hand, on an operating system that has log-in and protects files from access by un
um... sue 'em? (Score:2)
I mean, seriously, what else can you get away with today?
Re: (Score:2)
All?! [wikipedia.org]
I mean, seriously, what else can you get away with today?
I'm not suggesting that poor security is unacceptable but when is it time for individuals to take some responsibility concerning the security of your own information? It is precisely because of "chicken with their head cut off" people like you that we have this stupid SOX compliance to deal with in public corporations. SOX should have a narrow focus because ENRON was the result of bad accounting practices, not IT policies.
Re: (Score:2)
You are suggesting that poor security is acceptable.
> time for individuals to take some responsibility
Yes, but corporations need to take responsibilities, too - and be liable. Additionally, think of Joe Sixpack instead of
I'm
Re: (Score:2)
The "no liability" disclaimers from developers is BS. If you provide me a banking app, and through the normal, intended use of that app, my account is compromised, then you should be liable.
This is an Android App Security Story (Score:2)
I read this story immediately since I use one of the listed apps but it wasn't until the end that I saw that it was only the apps running on Android. Should have had the modifier "Android" in the title.
Are Apple's policies or requirements for their app store responsible for this not being an iPhone problem?
Re: (Score:2)
How is this only an Android problem? The summary clearly states it relates to both Android and iPhone apps. Should the title have a brand modifier based on the number of times said brand appears in the summary? Ridiculous.
Re: (Score:1)
Re: (Score:3, Insightful)
Apparently you can't read, since there at least two iPhone apps in the insecure list (granted, there were four Android apps in the list, and only one Android app that passed vs 4 iPhone apps).
It seems more likely that, for whatever reason, iOS financial app developers tend to be more diligent than Android financial app developers.
It's still bad for Android, but not the same kind of bad. And it certainly doesn't warrant changing the summary title given the fact that iPhone apps are insecure as well, and the
Standard Banking Client (Score:3, Insightful)
I wouldn't trust those banking apps to not rip me off or expose me, since they're made by the banks. The banks are untrustworthy.
What we need is a standard for consumer banking transactions with any bank server. Then a single client could connect to multiple banks, or to a single one even when it changes its style and services. I would install the banking client app that I trusted and preferred. One view of all my finances, including my IRA, insurance, mortgage, savings, checking, stock market, even perhaps debts owed to/from individual people. In fact I'd like such a client to keep a database of all my financial transactions, including all bills. I'd like it to keep records of every "automatic withdrawal". I'd like it to use my phone to alert me to deposits and withdrawals if I wish, including "OK/Cancel" per transaction. I'd like it to lock each payment with a one time password it generates and sends, instead of using my credit card number in the clear all the time.
Some desktop apps, like Quicken, already do some things like this. But it's time that all my finances are handled by an app I trust that doesn't come from the server that has an interest conflict with me in reporting transactions, that is simple enough without lots of "financial planning" baggage necessarily coming with it. This has been true for email and websites for decades, as well as every other successful kind of info transaction over networks for even longer. It's long past time to leave the consumer side of the banking to businesses actually in the business of serving consumers. Banks are not in that business, haven't been in a long time, and show less and less real interest or reliability in returning to it.
Re: (Score:1, Flamebait)
I've written lots of software for banks, for a good chunk of money.
While the regulators need changing to truly protect us from banks, we just took a big step backwards this week by putting Republicans back in charge of that legislation. They are busy deregulating again, though the most they'll probably get is monkeywrenching the new regulations. The reason the legislators can't be trusted is because Americans are stupid, and vote for corrupt legislators, even when that's obviously what they're getting.
Which
Re: (Score:2)
Republican Trollmod proves my point about how stupid they are.
Re: (Score:2)
Re: (Score:1)
While the regulators need changing to truly protect us from banks, we just took a big step backwards this week by putting Republicans back in charge of that legislation. They are busy deregulating again, though the most they'll probably get is monkeywrenching the new regulations.
The Democrats control the Senate and the White House. Since any legislation has to pass both houses and be signed by the President, I think your scenario is pretty unlikely to occur. ...but don't let me get in the way of an uninformed rant. Carry on.
Re: (Score:2)
I'm a rich guy who's too busy to develop that app, but smart enough to know there's demand for it.
Free clue for you, Anonymous greasemonkey Coward.
Re: (Score:1)
Big banks to have insecure apps? And you are expecting that? For me it is a shocker.
Re: (Score:2)
How long have you been banking?
Forget that: how long have you been reading the news? How could you think that banks are either trustworthy or reliable? If it weren't for the public (FDIC, FSLIC, Federal Reserve, Treasury) bailing them out every 10 years, they'd have lost more money than ever existed. It doesn't get more untrustworthy than that.
Re: (Score:1)
I wouldn't trust those banking apps to not rip me off or expose me, since they're made by the banks. The banks are untrustworthy.
Then if I were you, I would find another place to store my money. If I didn't trust my bank to make an app for me to manage my account and not rip me off [assuming I believe them to be competent developers], why the hell would I let them hold my money? Other then that, I agree with the rest of your post.
Re: (Score:2)
Because by carefully tracking my money, I stop them when they rip me off. That's why I'd like a simple, comprehensive tool to do so.
Re: (Score:2)
None of the banks actually write software themselves - certainly not any retail consumer bank. All of their software, especially something like a consumer mobile app, is written by an independent software firm, usually for hire but possibly an exclusive license of a premade app. As far as I can tell, every banking app is tied exclusively to a single bank that allows it access, which is how banks do business. I know - I've had bank customers for software of all kinds for going on 20 years, including lots of
No way! (Score:1)
Chase's iPhone app stores the username on a phone if the user chose that option,
who would have thunk?
Chase Iphone App (Score:1)
I use the Chase iphone app and am perfectly happy with its security. I did not opt to store my username on the phone and therefor my security was never in a perilous state. People who chose to store their username on the phone have a SLIGHTLY less secure system, but probably chose to do so because their password is very secure or they just don't care. I think this is more about people than systems.
Re: (Score:1, Flamebait)
Really you got your Paypal login information stolen by a sniffer App on a non-jailbroken iPhone. Where was the news story? (I am serious). Oh right there isn't one because you are not telling the truth. Either A: You jailbroke your iPhone and installed a bunch of random crap and then decided it was a good idea to use it for financial transactions too or B. You are full of shit. I vote B...
Totally biased article (Score:1, Interesting)
Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.
This article is attempting to make iPhone look less problematic then Android based phones.
Examples:
- why don't they list the uneffected Android apps as they do for iPhone?
- why don't they mention that the Android paypal app is uneffected unlike how it effects the iPhone?
- why would they provide a link to "Google Android" and not "iPhone iOS" other then to highlight "Android" in bright blue along with the title of this article?
Question: where does C-net disclose its conflict of intere
Re: (Score:2)
There may not be any (seriously) . Far fewer apps exist for Android. Reporting reality != bias..
Re: (Score:3, Insightful)
I seriously question your ability to read, as the first two of your examples are refuted in your quote from the article.
You'll also have to turn in your 'geek' card for not understanding how CNet's automatic link generation works.
No mention of the one bank app I care about... (Score:1)
'droid and Iphone -- a young man's game (Score:1, Funny)
Young and foolish developers are mostly the ones who have had time to really move onto mobile platforms. Whaddya expect from whipper snappers that haven't lived through the wars?
so... (Score:2)
start issuing keyfobs and be done with it.
Write misleading headlines much? (Score:3, Interesting)
I suppose no one would have read a story titled "Minor (If we really stretch medium)" security holes found in bank apps.
Re: (Score:2)
My credit union pressured for phone transactions (Score:1)
For instance, their customer service messaging is handled through a third party, so e-mails will reference a third party URL that seemingly has nothing to do with the credit union. I've tried to explain phishing attacks to the credit union to no avail.
At the same time, their customers are pressuring them to support transactions via the phone. What a disaster. The sad part is, as a credit union me
Re: (Score:2)
fingerprint scanning is james bond shit that has nothing to do with and no place in real security.
Holes? (Score:1)
This is almost hilarious (Score:1)
How the F*CK? (Score:1)
Really, I mean come on, after 20 years of online banking, they would come back to these junior level mistakes.
Someone should lose their job for lack of competence...and I am not talking about the junior programmers!
Quality control is management level responsibility, and if you have no nunit testing tools, or diagnostics tools, you hire a firm that does, especially when dealing with banking info like this.
Thanks to the company that did the research , we nipped it in the bud, how many more problems like this