IOActive have just published a report covering the security of online banking apps for mobile devices. They found that:
- 90% of the apps they tested had security vulnerabilities.
- 70% of the apps offered no support at all for two-factor authentication.
This is where a third token is used for extra security in addition to the user name and password. It could be a picture identification, a pin code, or one-time password sent via SMS (text message) to the user.
- 40% of the apps accepted any SSL certificate for secure HTTP traffic.
This is a major issue as it completely invalidates the chain of trust between you and your bank, and allows anyone to misdirect you to a phishing site, for example while you are using an untrusted network such as a Wi-Fi hotspot. The magnitude of this issue is that you cannot detect this happening, and there's nothing you can do to stop it.