Mobile Banking Security

By Simon, 14 January, 2014

IOActive have just published a report covering the security of online banking apps for mobile devices. They found that:

  • 90% of the apps they tested had security vulnerabilities.
  • 70% of the apps offered no support at all for two-factor authentication.
    This is where an extra credential is required in addition to the user name and password. It could be a picture identification, a PIN code, or a one-time password sent to the user via SMS (text message).
  • 40% of the apps accepted any SSL certificate for secure HTTP traffic.
    This is a major issue, because it completely invalidates the chain of trust between you and your bank: anyone who can intercept your traffic, for example while you are using an untrusted network such as a Wi-Fi hotspot, can present their own certificate, impersonate the bank's server and misdirect you to a phishing site. What makes it so serious is that you cannot detect it happening, and there is nothing you can do to stop it.
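To make the "accepts any SSL certificate" finding concrete, here is an added Android/Java illustration (it is not code from IOActive's report or from any of the apps tested). The `AcceptAllTrustManager` class is the usual shape of the defect: a custom `X509TrustManager` whose `checkServerTrusted` never throws, so any certificate, self-signed, expired or issued for a different host, passes. Beside it, `secureContext()` uses the platform's default trust store, which is also what you get if you never touch the TrustManager at all. The class name and the `validateServerChain` helper are my own and assumed for this example; `https://bank.example` is a placeholder host.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: the vulnerable "trust everything" pattern next to the correct default. */
public class BankingTlsExample {

    // VULNERABLE: this is the pattern behind "accepts any SSL certificate".
    // checkServerTrusted returns without inspecting the chain, so the TLS
    // handshake succeeds against any certificate an interceptor presents.
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Builds the broken context an app ends up with after installing the trust-all manager. */
    static SSLContext insecureContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);
        return ctx;
    }

    /** Returns the platform's default X509TrustManager (system CA store). */
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the platform trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** CORRECT: chain validation against the system CA store, as the platform does by default. */
    static SSLContext secureContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { defaultTrustManager() }, null);
        return ctx;
    }

    /**
     * Explicit check of a server chain with the default trust manager; throws
     * CertificateException for an untrusted issuer. Useful in tests that feed a
     * self-signed certificate and expect rejection. (Helper name is assumed.)
     */
    static void validateServerChain(X509Certificate[] chain) throws GeneralSecurityException {
        defaultTrustManager().checkServerTrusted(chain, "RSA");
    }

    /** Opens a connection with the given context. Never replace the hostname verifier with one that returns true. */
    static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier checks the certificate's names against url.getHost();
        // leaving it in place is part of the "chain of trust" the post describes.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL bank = new URL("https://bank.example/login"); // placeholder host
        HttpsURLConnection conn = open(bank, secureContext());
        System.out.println("Using default trust store; interceptor certificates will be rejected: "
            + conn.getSSLSocketFactory().getClass().getSimpleName());
    }
}
```

A quick review check for the defect: search an app's code (or a decompiled APK) for `X509TrustManager` implementations whose `checkServerTrusted` body is empty, and for `HostnameVerifier` implementations that unconditionally return `true`. Either one produces the behaviour the report describes, and neither is needed to talk to a server with a certificate from a public CA.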