SoylentNews is people

posted by chromas on Tuesday April 09 2019, @11:11PM
from the slow-adoption-means-learning-from-others'-misteaks....hahahahahaha! dept.

Submitted via IRC for Bytram

Massive bank app security holes: You might want to go back to that money under the mattress tactic

A new report [$] from a well-regarded payments consulting firm has found a lengthy list of security insanity while examining several major fintech company mobile apps. Although the very nature of apps that manage and move money would suggest presumably strong security, banks and their cohorts tend to adopt new technology slower than almost any other vertical, which puts them in a bad place when it comes to security.

My favorite finding from the Aite Group report: "Several mobile banking apps hard-coded private certificates and API keys into their apps. [Thieves] could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them," the report noted. "Should the [attackers] successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things. The API keys allow an adversary to then begin targeting the [financial institution's] API servers, gaining them access to data in the back-end databases. This allows [attackers] to authenticate the device with the back-end servers of that app, since this is what APIs use for authentication and authorization."

In other words, these banks have made the attackers' jobs far easier. "One of the directories was actually called 'API Keys,'" said Alissa Knight, the senior analyst with Aite Group's cybersecurity practice who did the research for the report. "My coffee didn't even get cold while I was on that list" trying to find vulnerabilities.

Some other especially scary points made in the Aite report:

  • "Many of the apps contained hard-coded SQL statements that gave adversaries the ability to employ SQL injection attacks, such as modifying an existing SQL query or inserting a new SQL query in a man-in-the-middle attack that allows them to download all of the data in the database, delete data, or modify it."
  • "Ninety-seven percent of the apps tested suffered from a lack of binary protection, making it possible to decompile the apps and review the source code. Additionally, all of the FI apps tested failed to implement application security that would have obfuscated the source code of the apps, making it possible to decompile them. This provided all of the sensitive API URLs, API keys, and API secrets hard-coded into the apps, and some of the URLs included nonstandard port numbers and development servers used by developers for testing and QA, which were reachable at the time of the testing. By decompiling the binaries, it was also possible to discover several private keys hard-coded into their files and located in subdirectories of the app, making it possible to crack the private key passwords offline."
  • "Additional findings included the ability to execute client-side code in an app's WebView; raw SQL queries embedded in the source code, yielding database schema information and the ability to perform SQL injection; the creation and storage of sensitive data into temp files on the mobile device or clipboard memory; and hard-coded public and private keys. Decompiling the binary into its raw source code gives adversaries the ability to inject malware and repackage the app as a rogue/pirated app hosted in a third-party app market, such as TweakBox, Aptoide, and TutuApp, or send it to victims via smishing (SMS phishing). Decompiling the app also allows an adversary to understand how the app detects jailbroken mobile devices, which, once vulnerabilities (such as API keys, private keys, and credentials) are found in the source code, results in theft of money through banking trojans, username/password theft or account takeover using overlay screens, and the theft of confidential data."
  • "About 80 percent of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed."
  • "About 70 percent of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable."
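Several of the findings above (PEM private keys in app subdirectories, API keys and secrets hard-coded into source, backend URLs pointing at QA hosts on nonstandard ports) are the kind of thing a build pipeline can catch before release. The scanner below is an added example, not code from the Aite report or from any of the apps it covers; the file extensions, regexes and the sample app tree it builds are assumptions constructed for the demonstration.

```python
"""Scan an unpacked or decompiled mobile app tree for embedded secrets."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Text-like files worth scanning after decompilation (assumed set).
TEXT_SUFFIXES = {".java", ".kt", ".smali", ".xml", ".json", ".properties",
                 ".plist", ".pem", ".txt", ".js"}

PATTERNS = {
    # PEM private-key header, as found in the apps' resource subdirectories
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----"),
    # api_key / api_secret / client_secret assigned a long literal
    "api_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|api[_-]?secret|client[_-]?secret)\b\s*[:=]\s*"
        r"[\"']([A-Za-z0-9_\-]{16,})[\"']"),
    # http(s) URL with an explicit port other than 80/443 (dev/QA hosts)
    "odd_port_url": re.compile(r"https?://[A-Za-z0-9.\-]+:(?!80\b|443\b)\d{2,5}\b"),
}

def scan_file(path: Path) -> list[dict]:
    """Return one finding per (line, pattern) hit; unreadable files yield none."""
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return []
    return [{"file": str(path), "line": n, "kind": kind}
            for n, line in enumerate(lines, 1)
            for kind, rx in PATTERNS.items() if rx.search(line)]

def scan_tree(root: Path) -> list[dict]:
    return [f for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES
            for f in scan_file(p)]

def summarize(findings: list[dict]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts

def demo() -> dict[str, int]:
    """Build a constructed app tree with planted issues and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "res" / "raw").mkdir(parents=True)
        (root / "res" / "raw" / "client.pem").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedDummyBody\n-----END RSA PRIVATE KEY-----\n")
        (root / "Config.java").write_text(
            'class Config {\n  static final String API_KEY = "sk_live_0123456789abcdef0123";\n'
            '  static final String BASE = "https://qa-api.example.internal:8443/v2";\n}\n')
        (root / "Safe.java").write_text('class Safe { String host = "https://api.example.com/v2"; }\n')
        return summarize(scan_tree(root))
```

Run `demo()` to see the three planted issues reported and the clean file ignored; in a pipeline, point `scan_tree` at the output of your decompiler and fail the build on any finding.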

  • (Score: 4, Interesting) by Unixnut on Wednesday April 10 2019, @07:00AM (1 child)

    by Unixnut (5779) on Wednesday April 10 2019, @07:00AM (#827328)

    > How about just not using your portable self-surveillance device to do sensitive financial stuff instead?

    It would be nice if it wasn't for the fact people are being corralled into using them. I started using my mobile banking app because banks have been shutting down physical branches like crazy (I no longer have a physical branch that is near where I live). More and more often, when you want to do something, their answer is "just use our app!". Made all the worse by the fact their app is a bloated piece of crap that only seems to get slower and more bloated and buggy with each release.

    I have even explicitly gone to one of their still open branches to do something on my account, only to be told to "use the app" in person. The young cashier looked at me as if I was a loony when I said I didn't want to use their app. She could not understand why I would not want to use something so easy and convenient. Not to mention that there are now "online-only" banks that only have an app and a website, and no branches at all.

    I am very close to leaving the bank due to the above, and would have done so already, if it wasn't for the fact that all their competition is doing the same thing. The draw of slashing costs by getting rid of physical locations and pesky human employees is too much to ignore for them unfortunately :-/

    Actually, forced dependence on smartphones is becoming more and more common even outside of banking. Two-factor auth for everything from my local government to my workplace only runs on smartphones, and more and more services just direct you to "use our app" when you want to do something. It is becoming impossible to function in society without an Android or iOS device :-(

  • (Score: 4, Interesting) by NotSanguine on Wednesday April 10 2019, @07:22AM

    I hear you.

    I've managed to stay away from all that so far myself.

    I do use online banking. In fact, I haven't written an actual check in at least a decade. But I do so on general purpose computing devices via the bank website.

    I suggest going to a community bank or a credit union. They are generally less "fuck you!" than the big banks.

    I've had folks want me to install apps. Most people have absolutely no idea just how much data those devices suck up. I've tried to explain it to my family and friends, but they don't seem to care. Now I just laugh at them.

    In fact, I disable GPS (not that it stops my wireless provider from tracking me, but I do want to receive calls and texts, so I can't help that) and most applications as well. When I use apps on my phone, I force-quit them after I've done what I wanted to do.

    As for your workplace, do they compensate you for forcing you to use *your* mobile device for *their* purposes?
    If so, you might consider purchasing a cheap phone just for those purposes and keep it powered off unless and until you need it.

    If not, you should refuse to do so unless they give you a device to use or compensate you for using your personal device (then, see above).

    The most frequent thing I do, rather than use phone "apps" (which are generally just interfaces to websites), is to go to the website directly.

    Is it a perfect solution? No. Is it even a particularly good one? Not really. But I will continue to limit the footprint of my life on any mobile devices as much as possible.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr