ARN

Why smart users are the key to secure online banking

Convenience still trumps security for most people, even when it comes to protecting their own money

Online banking is not 100 per cent secure -- nothing is. That is not expected to change in 2014. But a number of security experts, along with an industry official, say it is reasonably safe, if users take reasonable precautions.

That can be a big if, of course. Convenience still trumps security for most people, even when it comes to protecting their own money. And while some risks come from vulnerabilities in banking apps, some come from problems outside the control of banks, including the carelessness or cluelessness of users themselves.

Joram Borenstein, vice-president at NICE Actimize, said that while mobile banking apps tend to have "more lightweight authentication procedures," other risks come from factors outside a bank's control, such as "communicating via an unknown Wi-Fi signal or running on a device with a rogue application on it."

Even those who shun mobile and bank online only from a desktop "run the high risk of being conducted via an unpatched browser or infected PC," he said.

A security official at one of the nation's largest banks, who declined to be identified, said banking from desktops and laptops is riskier than mobile, not because of the quality of the apps, but because of social engineering and phishing attacks. If users can avoid those risks, he said, online banking is "convenient, efficient, effective and pretty secure."

Whatever the risks, millions of people are doing it, with millions more expected in the coming years. The use of mobile banking apps is still not at the level of desktop Internet banking, but that is changing. According to a survey conducted last year by Princeton Survey Research Associates International and published last August by the Pew Internet & American Life Project, 51% of U.S. adults (61% of Internet users) bank from a desktop or laptop, while 35% of mobile phone users do so from their phones.

However, desktop banking grew by only 5 percentage points from 2010 to mid-2013 (46% to 51%), while mobile banking nearly doubled, from 18% to 35%. That number is expected to grow to nearly 50% in the next two years.

That is obviously an expanding attack surface that cyber criminals cannot help but notice. But there is considerable disagreement over how great the danger is and who is responsible for it.

A blog post earlier this month by Ariel Sanchez, a researcher at security assessment company IOActive, suggested that the danger is great, largely due to the failure of app developers to take security seriously. He said he found significant vulnerabilities in dozens of iOS banking apps.

Sanchez ran a series of tests on 40 mobile iOS apps from 60 leading banks throughout the world, and reported that 40-90% of them lacked various features that would guard against Man-in-the-Middle (MitM) attacks, credential theft, session hijacking and memory corruption.

More specifically, he reported that 70% of the apps had no support for two-factor authentication and 40% of them accepted any SSL certificate for secure HTTP traffic.

This, according to Michael Whitcomb, president and CEO of Loricca, should be no big surprise. "Security for both (desktop and mobile) is relatively poor," he said.

Borenstein agreed, noting that "most app developers do not focus on security when developing their app. Security requirements are typically only included to appease the App Store or Google Play guidelines."

In addition, "many of these flaws are not surprising due to the fact that the app world is racing to increase adoption -- sometimes at the risk of everything else," he said.

But that doesn't mean he thinks online banking is too risky. Borenstein cheerfully admits that he regularly does it. "Of course!" he said. "I take the necessary precautions that are offered to me by my financial institution and when new, secure mechanisms come out. I am an early adopter."

And that, said Gary McGraw, CTO of Cigital, is more significant than flaws in mobile apps. "Those flaws (in the apps) are real," he said, "but the real question is, 'does it matter?' Those looking at the app are only looking at a part of the entire ecosystem, and you have to look at the whole thing. The bank will allow various stuff to happen or not, depending on the condition of the device attaching to it, which takes into account the operating system and whether it's rooted."

McGraw points out that banks are liable for losses to individual depositors (not businesses) due to fraud, "and they're not freaking out over this (Sanchez's findings). If mobile and online banking were really such a disaster, the banks wouldn't be doing it. They're smart about money, you know."

Blake Turrentine, CSO of the online dating and social networking site Zoosk and a penetration tester for Kaiser, was even more dismissive of Sanchez's findings. "I would say that it's a biased, script-kiddie assessment, in which he glosses over or ignores security features already provided by the operating system," he said.

"Furthermore, I seriously doubt if he could write his own jailbreak by himself to get the phone to such a compromised state as a jailbroken phone."

The bank security official who read Sanchez's post also said the flaws, while real, were relatively trivial -- referring to them as "table stakes."

"Something like this, while it makes headlines, doesn't tell you what's going on behind the scenes," he said, where most banks' systems can tell if a device has connected before from a specific customer. It also flags large transactions and can usually tell by the velocity of clicks if it is a human user or malware.
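As an added illustration, not code from the article or from any bank, here is a toy version of the behind-the-scenes checks the official describes: a device seen before for this customer, large transactions, and click velocity as a human-versus-malware signal. The thresholds, field names and sample sessions are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Thresholds are assumptions chosen for this illustration, not a bank's real values.
LARGE_TXN_THRESHOLD = 2500.0    # flag transfers at or above this amount
MAX_HUMAN_CLICKS_PER_SEC = 3.0  # sustained clicking faster than this looks scripted

@dataclass
class Session:
    customer_id: str
    device_id: str
    amount: float
    click_times: List[float]  # seconds since session start, ascending

# customer_id -> set of device fingerprints that customer has connected from before
DeviceHistory = Dict[str, Set[str]]

def is_new_device(history: DeviceHistory, customer_id: str, device_id: str) -> bool:
    return device_id not in history.get(customer_id, set())

def click_velocity(click_times: List[float]) -> float:
    """Clicks per second across the session; 0.0 if fewer than two clicks."""
    if len(click_times) < 2:
        return 0.0
    span = click_times[-1] - click_times[0]
    return float("inf") if span <= 0 else (len(click_times) - 1) / span

def assess(session: Session, history: DeviceHistory) -> List[str]:
    """Return the risk flags a backend would attach to this session."""
    flags = []
    if is_new_device(history, session.customer_id, session.device_id):
        flags.append("new-device")
    if session.amount >= LARGE_TXN_THRESHOLD:
        flags.append("large-transaction")
    if click_velocity(session.click_times) > MAX_HUMAN_CLICKS_PER_SEC:
        flags.append("automation-suspected")  # malware-like click rate
    return flags

def demo() -> List[List[str]]:
    """Constructed sessions: a routine login, then a suspicious one."""
    history: DeviceHistory = {"alice": {"dev-A"}}  # alice has banked from dev-A before
    sessions = [
        Session("alice", "dev-A", 40.0, [0.0, 1.5, 3.2, 5.0]),  # human pace, known device
        Session("alice", "dev-B", 3000.0, [0.0, 0.1, 0.2, 0.3, 0.4, 0.5]),  # scripted
    ]
    return [assess(s, history) for s in sessions]
```

A real system would combine these signals with many others and step up authentication rather than block outright on any single flag.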

But Jamie Blasco, director of AlienVault Labs, countered that the risks are not simply confined to communication with a bank. Vulnerabilities with secure transfer protocols and SSL certificate checks "expose the user of the application to a man-in-the-middle attack," he said. "If you are using an insecure connection such as an open Wi-Fi or a network that the attacker controls, a malicious actor can actually set up an attack to sniff your credentials and all the traffic that is being sent to the bank's servers."

Beyond that, "malicious actors can steal sensitive information stored on the device via other apps," he said.
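The certificate-checking flaw behind the "40% accepted any SSL certificate" finding and Blasco's man-in-the-middle point above comes down to one client setting. As an added example, not code from the article or from any of the apps studied, here is that weak configuration beside its corrected form in Python's standard `ssl` module, plus a small audit helper a review or test suite could run over a client context; the function names are constructed for the example.

```python
import ssl
from typing import List

def insecure_client_context() -> ssl.SSLContext:
    """The weak setting the study found: any certificate is accepted, so whoever
    controls the network path can present their own cert and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # self-signed and forged certificates pass
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Corrected form: verify the chain against the platform's trusted roots,
    require the hostname to match, and refuse TLS versions older than 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a code reviewer or test suite would raise for a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are permitted")
    return findings
```

On iOS the equivalent mistake is an `NSURLSession` delegate that accepts every server trust challenge; the audit idea is the same, fail the build if verification is ever disabled outside a test target.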

Efforts by CSO to contact Sanchez through IOActive were not successful.

Whatever the app risks, experts say they could probably be fixed quickly. "I believe it's a two-week review process by Apple before a new binary is accepted to the store," Turrentine said. "With Android, you can post same day. With agile software development, the fixes could be remediated in one Sprint."

Whitcomb is a bit less optimistic. While he agreed the fixes should be easy for "a competent development team," the fact that the problems exist in a production banking app "means the teams producing them don't understand secure coding practices and they don't have the management infrastructure in place to ensure the security of their environment," he said.

But Turrentine said he believes online banking continues to become more secure through improvements like "third-party libraries supporting jailbreak detection for example, making it easier for coding for less technical developers dealing with native code versus HTML5."

And there is general agreement that online banking security depends in significant measure on the user. Those who use public Wi-Fi to do it, for example, are asking for trouble. Also, one of the biggest risks for mobile users starts with physical security -- the loss or theft of their phone.

"I know of several people who have had their phone stolen from their hands while talking on it," Turrentine said.

In general, additional advice to users is to beware of social engineering attacks and phishing email; keep banking software updated; only use your bank's app; lock your device with a PIN code; and don't store banking information on your device.

Turrentine has some advice for app developers as well, starting with some homework on the Open Web Application Security Project (OWASP). "Refer to owasp.org for some initial insight," he said.

"Review whitepapers, presentations, videos on mobile app security from conferences posted to the web. Take some security classes that focus on secure mobile development. Read some security books on mobile apps, review third-party solutions to help increase the security posture of your app."