But Jamie Blasco, director of AlienVault Labs, countered that the risks are not simply confined to communication with a bank. Vulnerabilities in secure transfer protocols and SSL certificate checks "expose the user of the application to a man-in-the-middle attack," he said. "If you are using an insecure connection such as open Wi-Fi or a network that the attacker controls, a malicious actor can actually set up an attack to sniff your credentials and all the traffic that is being sent to the bank's servers."
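The defect Blasco describes is a client that does not validate the server's certificate (or its hostname), so an attacker on the same open Wi-Fi can terminate the TLS connection with a certificate of their own and read the credentials in clear. The example below is added here and is not code from the article or from any of the apps it discusses. It uses only the Python standard library to show the insecure client configuration beside the hardened one, a small audit function a reviewer can run over a configuration, and a certificate-fingerprint pin check; the pinning step is an extra mitigation assumed for illustration, not something the article attributes to anyone.

```python
"""Insecure vs. hardened TLS client configuration (Python 3.8+, stdlib only).

Added example, not from the article. Shows the certificate-validation defect
behind the man-in-the-middle risk, the configuration that prevents it, an
audit helper, and optional certificate pinning by SHA-256 fingerprint.
"""
from __future__ import annotations

import hashlib
import socket
import ssl
from dataclasses import dataclass


def insecure_client_context() -> ssl.SSLContext:
    """The defect: any certificate is accepted, so an attacker who terminates
    the connection with a self-signed cert is never rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # disables chain validation entirely
    return ctx


def hardened_client_context(cafile: str | None = None) -> ssl.SSLContext:
    """Chain validation against a trust store, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


@dataclass
class Finding:
    severity: str
    message: str


def audit_context(ctx: ssl.SSLContext) -> list[Finding]:
    """Flag the settings that make a client MITM-able on a hostile network."""
    findings: list[Finding] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(Finding("high", "CERT_NONE: certificate chain is not validated"))
    if not ctx.check_hostname:
        findings.append(Finding("high", "check_hostname off: a valid cert for another host passes"))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(Finding("medium", "TLS versions below 1.2 are allowed"))
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, as used for pinning."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints: set[str]) -> bool:
    """True only if the presented leaf certificate is one the app shipped with."""
    return cert_fingerprint(der_cert) in pinned_fingerprints


def connect_with_pin(host: str, port: int, pinned_fingerprints: set[str]) -> bytes:
    """Open a hardened TLS connection and enforce the pin after the handshake.

    Needs network access; the host and pins are the caller's assumptions.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if leaf is None or not pin_matches(leaf, pinned_fingerprints):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return leaf


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    FAKE_DER = b"constructed-not-a-real-certificate"
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, [(f.severity, f.message) for f in audit_context(ctx)])
    print("pin ok:", pin_matches(FAKE_DER, {cert_fingerprint(FAKE_DER)}))
```

In a real client the only outcome worth checking is that the hardened context yields no findings and the insecure one yields the two "high" findings; the pin check is what still protects the user when the attacker holds a certificate that a public CA did sign for the bank's hostname.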
Beyond that, "malicious actors can steal sensitive information stored on the device via other apps," he said.
Efforts by CSO to contact Sanchez through IOActive were not successful.
Whatever the app risks, experts say they could probably be fixed quickly. "I believe it's a two-week review process by Apple before a new binary is accepted to the store," Turrentine said. "With Android, you can post same day. With agile software development, the fixes could be remediated in one sprint."
Whitcomb is a bit less optimistic. While he agreed the fixes should be easy for "a competent development team," the fact that the problems exist in a production banking app "means the teams producing them don't understand secure coding practices and they don't have the management infrastructure in place to ensure the security of their environment," he said.
But Turrentine said he believes online banking security continues to improve, through advances like "third-party libraries supporting jailbreak detection, for example, making coding easier for less technical developers dealing with native code versus HTML5."
And there is general agreement that online banking security depends in significant measure on the user. Those who use public Wi-Fi to do it, for example, are asking for trouble. Also, one of the biggest risks for mobile users starts with physical security -- the loss or theft of their phone.
"I know of several people who have had their phone stolen from their hands while talking on it," Turrentine said.
In general, additional advice to users is to beware of social engineering attacks and phishing email; keep banking software updated; only use your bank's app; lock your device with a PIN code; and don't store banking information on your device.
Turrentine has some advice for app developers as well, starting with some homework on the Open Web Application Security Project (OWASP). "Refer to owasp.org for some initial insight," he said.
"Review whitepapers, presentations, videos on mobile app security from conferences posted to the web. Take some security classes that focus on secure mobile development. Read some security books on mobile apps, review third-party solutions to help increase the security posture of your app."