IOActive have just published a report covering the security of online banking apps for mobile devices. They found that:
- 90% of the apps they tested had security vulnerabilities of some kind.
- 70% of the apps offered no support at all for two-factor authentication.
  This is where a third token is required for extra security, in addition to the user name and password. It could be a picture identification, a PIN code, or a one-time password sent to the user via SMS (text message).
- 40% of the apps accepted any SSL certificate for secure HTTP traffic.
  This is a major issue, as it completely invalidates the chain of trust between you and your bank and allows anyone to misdirect you to a phishing site, for example while you are using an untrusted network such as a Wi-Fi hotspot. What makes it so serious is that you cannot detect this happening, and there is nothing you can do to stop it.
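To make the "accepts any certificate" finding concrete, here is an added example (not code from the IOActive report or from any of the apps tested): a Go program that stands up a local HTTPS server with a self-signed certificate, playing the part of a host on a hostile hotspot impersonating the bank, and connects to it three ways. The server, its response and the function names (`TrustAllConfig`, `PinnedConfig`, `RunDemo`) are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer stands up a local HTTPS server with a self-signed certificate
// generated by httptest, i.e. a certificate no real bank client should trust.
// Constructed for this example.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "balance: 1234.56") // constructed response
	}))
}

// fetch performs one HTTPS GET with the given TLS settings and reports whether
// the server certificate was accepted (true) or the handshake was refused (false).
func fetch(url string, cfg *tls.Config) (bool, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// TrustAllConfig is the "accept any certificate" setting the report found in
// 40% of apps: InsecureSkipVerify switches off certificate and hostname checks.
func TrustAllConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// PinnedConfig trusts only the given roots (standing in for the bank's own
// certificate), so a certificate issued by anyone else fails verification.
func PinnedConfig(roots *x509.CertPool) *tls.Config { return &tls.Config{RootCAs: roots} }

// RunDemo connects three ways and returns whether each accepted the untrusted
// certificate: trust-all (accepts), Go's default verification against the
// system roots (rejects), and a client pinned to the genuine certificate
// (accepts it, and would reject any other).
func RunDemo() (trustAllOK, defaultOK, pinnedOK bool) {
	srv := startServer()
	defer srv.Close()
	trustAllOK, _ = fetch(srv.URL, TrustAllConfig())
	defaultOK, _ = fetch(srv.URL, &tls.Config{}) // system roots only
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // the one certificate this client trusts
	pinnedOK, _ = fetch(srv.URL, PinnedConfig(pool))
	return trustAllOK, defaultOK, pinnedOK
}
```

The trust-all client is exactly what lets an interceptor on the hotspot present any certificate it likes; the pinned client shows that trusting only the bank's own certificate is the setting a banking app should ship with.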
The article is tech-heavy in places, but it's completely relevant. Read the whole report here: