Thought mobe banking apps were safe from nasties? THINK AGAIN

Fake SSL certificates in the wild for Facebook, Google and Apple's iTunes store create a grave risk of fraud for people who bank online using their smartphones. Analysis outfit Netcraft said it has found "dozens" of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. The counterfeit …

COMMENTS

This topic is closed for new posts.
  1. Scott Pedigo
    Unhappy

    Consumer Rights Need To Catch Up

    Every time I personally go to my bank, I am urged to use their on-line banking system. I always politely decline. I'm not a philistine when it comes to using the Internet. I have no problem using my credit card to order from Amazon, or using PayPal to pay for some other things. With the exception that I also refuse to sign up for the "Verified by Visa" program. With my credit card, my liability is limited if there is fraudulent use. With on-line banking, the banks shove the risk of fraud onto the consumers. They claim that their multi-factor authentication systems are fool-proof. Therefore, if your account is emptied, it can only be because you didn't properly keep your password, or one-time use sheet, or whatever safe. It is up to you to prove that you weren't at fault, that the on-line banking system has a security flaw, and that is effectively impossible. I know that the chances are small that with a multi-factor authentication system my bank account could be plundered. But the chances are not zero. I won't let the bank simply wash its hands of any responsibility, so until I get the same level of consumer protection that I do with a credit card, I won't use on-line banking.

    If I do decide to ever use it, I can see how a mobile application would be at the same time very convenient, and -- being a new technology -- have new attack vectors, so I'd probably stick to using a dedicated computer.

    1. ecofeco Silver badge

      Re: Consumer Rights Need To Catch Up

      Consumer rights in the US are considered a dirty commie plot thought up by hippies and girly men.

  2. Sparkypatrick

    More security company FUD

    All sounds plausible until you see the word 'may'. This terrible thing could happen...if your bank does something really stupid. And you compound it by doing something equally stupid.

    There's no suggestion that the researchers found any evidence that any bank has ever put out a mobile app that doesn't check SSL certificate validity. That would be a real story.

    1. Scott Pedigo
      Joke

      Re: More security company FUD

      Angry Birds have to put their money somewhere, and the Piggy Bank apparently cannot be trusted with their nest eggs.

    2. sabroni Silver badge
      Facepalm

      Re: if your bank does something really stupid.

      Yeah, like that'd happen!

    3. noboard

      Re: More security company FUD

      There was a story a little while ago about several apps, including one from HSBC allowing non-signed ssl certs through. The latest versions of android won't let you pass anything over http, but you can add some code to turn this off. HSBC and others forget to take this code out so you could happily intercept the traffic.

      So they have form.

  3. monkeyfish

    Internet banking in don't do it over a public wifi connection shocker!

    Should have been the tag line.

    1. sabroni Silver badge

      Re: Internet banking in don't do it over a public wifi connection shocker!

      And how many internet banking customers are completely unaware of where their magic internets is coming from? You can't make a consumer product like an online banking app and then expect users to know when it's dodgy to use it. Well you can, but it'll end in tears.....

    2. Anonymous Coward
      Anonymous Coward

      Re: Internet banking in don't do it over a public wifi connection shocker!

      Internet banking in don't do it over a public wifi connection shocker!

      Err, no. What part of SSL tunnel is unclear to you? It makes the underlying network irrelevant. The problem is at the tail end of the tunnel, a fake cert means you're open to a Man In The Middle Attack as you're interacting with a proxy instead of directly with the real bank.

      1. Paul

        Re: Internet banking in don't do it over a public wifi connection shocker!

        it's quite a bit harder for someone to MITM your home internet connection without compromising your computer first; whereas on public wifi it's relatively easy.

  4. Version 1.0 Silver badge

    Of course your phone app is secure

    ROTFLMAO - I wouldn't trust my Bank to code its way out of a paper bag - particularly if the bag was stuffed with my money. If you read the Terms and Conditions with any of these apps then somewhere in there you'll find that you are assuming all the risk of using the app and the Bank is not liable.

    1. Fred Flintstone Gold badge

      Re: Of course your phone app is secure

      I wouldn't trust my Bank to code its way out of a paper bag

      Ah, the benefit of age - I recall a very good Usenet quote about this:

      I work for an investment bank. I have dealt with code written by stock exchanges. I have seen how the computer systems that store your money are run. If I ever make a fortune, I will store it in gold bullion under my bed.

      -- Matthew Crosby

      Amen to that :)

  5. Gene Cash Silver badge

    Android SSL docs are nonexistent

    I just wrote an app to control my garage door (with my Raspberry Pi) and I didn't want any skr1pt k1dd13 to be able to open it, so I figured I'd add SSL mutual authentication. I don't know anything about SSL, so I had to figure it out from scratch.

    I spent six days searching Google and Bing, and I found only *one* answer that showed how to implement mutual authentication properly, and more importantly, showed how to generate the certificates. Even this answer doesn't explain how it works, it just shows a couple blocks of code and OpenSSL commands.

    *Every* *single* *one* of the StackOverflow answers was "here's how to accept every certificate". Worse, the responses indicated the coder was going to use it without question, in production code, and without realizing that it was no security at all. They said "Great! Thanks for the wonderful answer. Now my code can connect. I'm done!"

    So I can easily see how this happens.
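The pattern Gene Cash describes above (a TrustManager that accepts every certificate) and the one noboard describes earlier (apps shipped with certificate checks left switched off) are the defect and the fix side by side in the following Java, which is an added example and not code from either commenter, from any bank or from the article. It assumes a PKCS#12 client keystore and a PKCS#12 trust store whose names and passwords the caller supplies; those are assumptions, as is the `acceptsAnything` check, which is a review-time probe rather than any platform API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class BankingTlsClient {

    // VULNERABLE: the "accept every certificate" answer the post describes.
    // checkServerTrusted never throws, so any certificate, including a forged
    // one presented by a proxy on public Wi-Fi, is accepted. Shown only so the
    // defect is recognisable in code review; it must never reach production.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // The companion mistake: a hostname verifier that says yes to any name.
    static final HostnameVerifier VERIFY_NOTHING = (hostname, session) -> true;

    // HARDENED: mutual TLS. The app presents its own certificate from a PKCS#12
    // keystore, and only trusts a server certificate that chains to the CA held
    // in the trust store (a private CA, not the device's whole CA list).
    // Keystore formats, names and passwords are assumptions for this example.
    static SSLContext buildMutualTlsContext(InputStream clientKeyStore, char[] clientKeyPassword,
                                            InputStream caTrustStore, char[] trustStorePassword)
            throws Exception {
        KeyStore client = KeyStore.getInstance("PKCS12");
        client.load(clientKeyStore, clientKeyPassword);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(client, clientKeyPassword);

        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(caTrustStore, trustStorePassword);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    // Use the hardened context and keep the platform's default hostname
    // verifier; installing VERIFY_NOTHING here would undo the work above.
    static HttpsURLConnection openHardened(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    // Review-time probe (an assumption of this example, not a platform API):
    // a genuine trust manager rejects an empty chain, a trust-everything stub
    // accepts it. Running this in a unit test catches the anti-pattern before
    // release.
    static boolean acceptsAnything(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The stub from the top of the file is flagged; the platform default is not.
        System.out.println("stub accepts anything: "
            + acceptsAnything((X509TrustManager) TRUST_EVERYTHING[0]));
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        System.out.println("default accepts anything: "
            + acceptsAnything((X509TrustManager) tmf.getTrustManagers()[0]));
    }
}
```

The cleartext switch noboard's post alludes to is, on current Android, the manifest attribute `android:usesCleartextTraffic` or a `cleartextTrafficPermitted="true"` entry in the network security config; a release build should carry neither, and the `acceptsAnything` probe above is the matching check for the TrustManager side.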

    1. Paul

      Re: Android SSL docs are nonexistent

      99% of security protection holes are caused by people.

      9% of people are caused by holes in protection.

  6. ecofeco Silver badge
    Unhappy

    Mine sure as hell isn't secure

    The only thing saving me from an account hack is poverty.

    Although come to think of it, the bank would charge me an overdraft fee if I were hacked.

    Bastards.
