How Banks Make Online Banking Insecure Through Apps


1. App obligation

Online banking on the smartphone is generally not a good idea. The reason for this is not necessarily the banking apps, but the update policy of the smartphone manufacturers, the misleading advertising of the banks and the naive behavior of the customers. However, all this does not seem to bother the banks much. True to the motto:

"Digital first - Concerns second"

banking apps are made appealing to loyal customers and any risks are simply pushed aside. The fact is: with smartphone apps, banks have moved to a platform that they cannot control. Nevertheless, banking apps are promoted and security mechanisms such as two-factor authentication (2FA) are simply undermined by ill-considered decisions. In the end, online banking via app is not more secure, but exactly the opposite.


1st problem: Android update policy

Both software and hardware have weaknesses, some of which are so serious that attackers can take complete control of a system. It is therefore essential to install available (system) updates promptly in order to keep the risk to data and digital identity as low as possible. That's the theory. In practice, things look very different, especially in the Android world.

Most Android devices receive only sporadic security updates from their manufacturers, and at some point support is dropped entirely. This inevitably creates a "vacuum" in the Android world that leaves many, if not most, devices exposed to critical security vulnerabilities. Such vulnerabilities enable attackers to gain control over the device, spy on the user or exfiltrate data unnoticed. A single critical vulnerability would be enough to expose millions of devices in one fell swoop. Such serious vulnerabilities are not rare, but occur at regular intervals. In 2018 alone, 611 vulnerabilities were identified in Android - in 2017 even 842.

You can check the security patch level of your Android device yourself: open "System" -> "About phone" and scroll to the line showing the security update status.


For most devices there is a date from 2018. For newer devices you may be lucky to reach a security level of April or May 2019. But that's not enough - at least not if you want to process sensitive data on your smartphone or use online banking via apps. In July 2019, Google closed critical vulnerabilities in the Media Framework that are so serious that an attacker could remotely take control of the device.

Known vulnerabilities are closed by Google every month - the problem lies elsewhere: the (security) updates either do not arrive at all or arrive late on most devices. Against this background, it is grossly negligent to use banking apps - no matter what dazzling colors the banks display their apps in. Most Android smartphones in the wild are a walking time bomb with serious security holes.

Apple users have one advantage here: their devices are usually supplied with (security) updates by Apple for four years. If these are installed promptly, the risk is significantly lower compared to an outdated Android device.


2nd problem: Elimination of the 2FA | Misleading advertising

To claim that online banking would have been safer before the introduction of banking apps is nonsense. Online banking has never been secure or insecure per se. The decisive factor is the TAN procedure used to legitimize the online transfer. One of the most secure methods is chipTAN, in which the EC card (bank card) is inserted into an external TAN generator, which then generates a TAN that is only valid for a few minutes for the current order. In my opinion, this makes "secure" online banking possible - regardless of whether the transfer process is initiated via a banking app or on the PC at home.

In addition to the chipTAN procedure, there are other TAN procedures, some of which may no longer be used under the revised Payment Services Directive (PSD2) as of September 2019. However, online transfers via a banking app that legitimizes the transfer either itself or via an additional TAN app - on the same device - are still permitted. This renders the principle of two-factor authentication (2FA) absurd: its security gain comes precisely from using two separate devices (factors), on the assumption that either one of them may be compromised. This dilemma should be well known to the banks and those responsible, but it is precisely this variant that is advertised.

At BBBank, the use of two apps for online banking is presented as an advantage:

"Simultaneous use of the TAN app "SecureGo" and the BBBank banking app on a smartphone or tablet possible"

The Sparkasse also apparently has no problem with customers initiating online transfers via the banking app and also legitimizing them on the same device using the TAN app:

"With our mobile banking apps, you always have your accounts under control, even when you're on the move. Using your mobile phone, you can conveniently and securely check your account transactions, transfer money or pay bills. All you need is a smartphone and the "Sparkasse" app."

The comdirect bank also allows you to transfer money via a single device:

"As with online banking, mobile banking usually secures transfers with a one-time TAN. Transfers up to 25 EUR and up to 100 EUR per day are often TAN-free. There are usually various TAN procedures available for mobile transfers":

mobileTAN: If the mTAN procedure is activated, an mTAN can be requested from the banking app. This is then sent directly by SMS to the stored phone number.

photoTAN: This is an App2App solution. The prerequisite is that you install and set up a photoTAN app compatible with your banking app on your smartphone. The photoTAN app is started from the banking app for transfers. Here you can check the displayed transfer data and release the transaction. When you confirm the transfer order, the TAN from the photoTAN app is automatically transferred to your banking app.

Tip: App2App solutions are particularly uncomplicated and secure.


Here, too, the advantage of 2FA is completely eliminated: both the transfer and its legitimation take place on a single device. However, it is interesting to note that comdirect has formulated the following duty of care (General Provisions, page 9, 7.2) in its General Terms and Conditions:

"In the mobileTAN procedure, the device with which the TANs are received (e.g. mobile phone) may not be used simultaneously for online banking."

When using photoTAN, the customer obviously has no such duty of care, although here, too, online banking and receipt of the TAN take place on a single device.

The situation is probably quite similar with the other banks - at any rate, further samples from DKB, ING-DiBa, Hypovereinsbank, Deutsche Bank etc. show this. They all advertise or tolerate the online transfer via a banking app together with a TAN app on ONE device.

So let's keep in mind: most smartphone users (Android) use devices that have an outdated security patch level and are therefore potentially exposed to a large number of (critical) security vulnerabilities. Instead of offering customers adequate TAN procedures (chipTAN) to address this dilemma, the banks fuel the insecurity further by quietly dropping 2FA as well.


3rd problem: customer behaviour

However, it is too short-sighted to blame the banks alone. Ultimately, customers are not forced to do their banking using a smartphone app. We are not there yet. Critical customers should think twice about whether it is a good idea to have both the banking app and the TAN app installed on the same device. The ordinary mortal does not write the PIN for the EC card on the card with a marker pen either.

For the sake of convenience, however, the number of users will probably rise sharply in the coming months and years - this will go well until fraud cases accumulate and banks no longer want to bear the liability risk. Or things will turn out quite differently and banks will pull the ripcord in the coming months. Within the framework of the Payment Services Directive (PSD2), banks are currently revising their general terms and conditions - as a customer one can be curious as to whether banking or the legitimisation of transfers on a single device will then be restricted or excluded altogether. Although such a reversal would be welcome, it is difficult to convey to the customer.

Enlightened users can save themselves this annoyance from the outset by either completely dispensing with online banking via smartphone or at least combining it with a TAN procedure such as chipTAN - selected banks offer this.


4. Other problems

4.1 Tracking in mobile banking apps

Banking apps process sensitive information about their customers. In this context, I consider the integration of trackers that analyze user behavior within an app to be completely inappropriate. Unfortunately, almost every banking app contains one or more trackers:

Apps that process sensitive data should meet the highest standards of data protection and security. This also includes not using user tracking.


4.2 Security problems of the banking apps

The above-mentioned reasons should basically be sufficient to take a critical look at banking transactions via smartphone. In addition, however, banking apps should not only be viewed critically from a data protection point of view; they have also exhibited serious security flaws, which can be used, for example, to manipulate a transfer at will:

Online banking apps are vulnerable to hackers

The fabulous world of mobile banking (Video CCC)

Researchers discover vulnerabilities in 31 banking apps

The weaknesses are now likely to be closed, but new ones are likely to have been added. Despite these questionable circumstances, banks continue to stick to promoting their banking apps and making them appealing to their customers. The reason: many banks are probably afraid that they will lose customers if they do without convenient solutions that completely undermine security mechanisms such as 2FA. We owe this trend, which puts convenience above security, in particular to digital financial companies, so-called FinTechs (N26 and Co.).


4.3 Android: Refusal to work on rooted devices

Some apps check whether the Android system is rooted before starting and then refuse to run. Banking apps in particular have integrated such root detection mechanisms, as many banks categorize rooted Android devices as "security critical". Unfortunately, this is too short-sighted and does not do justice to the individual circumstances.

Rather, the banks' approach is paradoxical. On the one hand, they classify rooted devices per se as a security problem, but do not check which security patch level the devices have. Strictly speaking:

"Rooted devices can be a security problem for banks or the user.

Devices that do not have current security updates installed represent a security problem for banks or the user."

The banks' approach is therefore not only short-sighted, but also inconsistent and even negligent. If a banking app were to refuse operation on Android devices that do not have up-to-date security updates installed, the apps would probably no longer run on over 95% of the devices.
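As an added illustration of the inconsistency described above (example code, not from the article or any bank's app): a gate that reads the same security patch level the article tells users to look up under "About phone", via Android's documented Build.VERSION.SECURITY_PATCH string (API 23+, format YYYY-MM-DD), and refuses service when it is older than an assumed threshold. The class name, the three-month threshold and the use of java.time (API 26+ or core library desugaring) are assumptions.

```java
import android.os.Build;
import java.time.LocalDate;
import java.time.Period;
import java.time.format.DateTimeParseException;

/** Added example: a patch-level freshness gate a banking app could apply
 *  next to (or instead of) a root check. Not code from the article or any bank. */
public final class PatchLevelGate {

    /** Assumption: a patch level older than this many months is treated as stale. */
    private static final int MAX_AGE_MONTHS = 3;

    public enum Verdict { OK, STALE, UNKNOWN }

    /** Pure policy function, kept free of Android calls so it can be unit-tested off-device. */
    static Verdict evaluate(String patchLevel, LocalDate today) {
        if (patchLevel == null || patchLevel.isEmpty()) {
            return Verdict.UNKNOWN;            // pre-API-23 device or vendor omission
        }
        LocalDate patch;
        try {
            patch = LocalDate.parse(patchLevel); // documented format: YYYY-MM-DD
        } catch (DateTimeParseException e) {
            return Verdict.UNKNOWN;            // malformed vendor string: never assume "fresh"
        }
        if (patch.isAfter(today)) {
            return Verdict.UNKNOWN;            // clock skew or bogus value: treat as unverified
        }
        Period age = Period.between(patch, today);
        int months = age.getYears() * 12 + age.getMonths();
        return months > MAX_AGE_MONTHS ? Verdict.STALE : Verdict.OK;
    }

    /** Reads the level the running firmware reports (API 23+) and applies the policy.
     *  With a device at the 2018 patch level the article describes, this returns STALE. */
    public static Verdict evaluateDevice() {
        String level = Build.VERSION.SDK_INT >= Build.VERSION_CODES.M
                ? Build.VERSION.SECURITY_PATCH : null;
        return evaluate(level, LocalDate.now());
    }
}
```

Build.VERSION.SECURITY_PATCH is self-reported by the firmware, so a verdict of OK is a policy input rather than proof of a patched device; the article's point stands that banks do not even consult it while rejecting rooted devices outright.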


5. Conclusion

Let's not kid ourselves: a bank employee who claims that online banking via an app is secure is either unaware of the possible risks or lies directly to the customer's face. In order to judge whether online banking via smartphone is "secure", the employee would first have to query and evaluate a whole range of factors. To be honest, they would, for example, have to tell customers with Android devices directly in a consultation that their device is rather unsuitable for processing sensitive banking transactions. However, customers had better not expect this honesty from their banks.

So what should you do? At the moment, I personally would either completely abandon online banking via smartphone or at least combine it with a TAN procedure such as chipTAN, which greatly reduces the risk of fraud.


Source: https://www.kuketz-blog.de/wie-banken-online-banking-durch-apps-unsicher-machen/
