back to article Here's how 5 mobile banking apps put 300,000 users' digital fingerprints at risk

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. Symantec's Threat Hunter Team said it discovered 1,859 publicly available apps, …

  1. Anonymous Coward
    Anonymous Coward

    Assuming they were properly hashed

    What's the big deal ?

    1. Ali Dodd

      Re: Assuming they were properly hashed

      Still not good enough and terrible security practice. Worrying that 98% were iOS apps as users on that have a impression of greater security from the platform which is heavily eroded if a lot of developers tend undo a load of good work by being lazy.

      1. Pete 2 Silver badge

        The other 2%

        > Worrying that 98% were iOS apps

        Actually, as an Android user, I am hugely relieved to hear that.

        1. ChoHag Bronze badge

          Re: The other 2%

          That sounds like the smug fanbois at the turn of the century who were so proud of their malware-free linux and macos boxen.

          Where is your root now?

        2. EricB123 Bronze badge

          Re: The other 2%

          Only one downvote so far. Mr. Tim Cook again, I presume?

        3. General Purpose Silver badge

          Re: The other 2%

          If hard-coding in the iOS app's exposed the data of all customers, regardless of whether the customer's using iOS, Android, or a desktop browser, maybe you shouldn't be relieved.

        4. TeeCee Gold badge
          Meh

          Re: The other 2%

          I'd be more interested to know what proportion of that other 2% were straight ports of an existing app from, er, iOS?

    2. ChoHag Bronze badge

      Re: Assuming they were properly hashed

      Well as long as they don't come in the toilet while I'm using it, who cares if strangers pop in any time day and night to photograph the inside of my house? My bits aren't flapping about. What's the big deal?

    3. Mobster

      Re: Assuming they were properly hashed

      Why would they be hashed? If they were indeed hashed, then what is the point of having them in the first place? Hashed keys provide no benefit to the holder...

    4. Displacement Activity

      Re: Assuming they were properly hashed

      Well, colo[u]r me stupid, but my (limited) understanding is:

      1 - either the server expects the hashed data, in which case the hashed data is, for all intents and purposes, the password/authentication token/etc, so the hashing process was completely pointless and adds no security

      2 - or the server expects the plaintext data, but the app writer thinks that he/she is being clever by hashing the secret instead of storing it plain in the app, and unhashing before transmission. Which is pretty pointless, because the key must also be in the app, so you're adding minimal additional security by hashing.

      Note that salting is irrelevant, for 2 similar reasons, which I won't bother to repeat.

      Basically, if you need a secret to access a resource on the server, and you store that secret in your app somewhere, then you have to hope that (a) the attacker can't reverse-engineer your app, and (b) that the attacker can't break into the keychain and decode your TLS data to the server. And we all know at least one laptop manufacturer has done exactly that, and it would be pretty dumb to assume that your phone manufacturer hasn't done the same thing.

      I think. In any event, I refuse to have a mobile banking app on my phone, despite regular requests from my bank.

      1. Robert Grant Silver badge

        Re: Assuming they were properly hashed

        You can't unhash things. Otherwise agree.

  2. Anonymous Coward
    Anonymous Coward

    Surely the Best Practice for Mobile Banking Apps is ...

    ... not to use them at all.

    1. James Hughes 1

      Re: Surely the Best Practice for Mobile Banking Apps is ...

      Good luck with that. All the banks are shut around here.

    2. Ken Moorhouse Silver badge

      Re: Surely the Best Practice for Mobile Banking Apps is ...

      Just make sure that you remove the cash before disposing of the mattress.

    3. Anonymous Coward
      Anonymous Coward

      Re: Surely the Best Practice for Mobile Banking Apps is ...

      my bank has protected my account by telling me my OLD, INSECURE android handset is not worthy v. their SHINY, SECURE app so fuckoff oldman, can't get a life, grow a beard and die. So I did. Much happier now...

      1. zuckzuckgo Bronze badge
        Joke

        Re: Surely the Best Practice for Mobile Banking Apps is ...

        Sorry to hear of your passing.

  3. Dave Null

    biometric HASHES

    From the headline it reads like people's fingerprints were stolen. From reading it, what was stolen were fingerprint hashes. There will be no way to convert these back to a representation of individuals fingerprints. Bit of a clickbaity headline...

    1. Korev Silver badge
      Black Helicopters

      Re: biometric HASHES

      There's no way of converting them back, but you could easily use the purloined hashes to work out if a person is present in the dataset. You could also use the fingerprint equivalent of credential stuffing for a brute force attack...

      1. Charlie Clark Silver badge

        Re: biometric HASHES

        Not if the hashes are properly salted you can't.

      2. Vir_Floridanus

        Re: biometric HASHES

        Store now decrypt later…

    2. Kevin McMurtrie Silver badge

      Re: biometric HASHES

      They could presumably be used for bank account authentication through a modified or reverse engineered banking app.

    3. gnasher729 Silver badge

      Re: biometric HASHES

      I thought on iOS it was actually impossible for an app to get any information about your fingerprint - it can just store some code in the keychain and retrieve it if the user uses their fingerprint. No way to get the actual fingerprint.

      1. Ken Moorhouse Silver badge

        Re: I thought on iOS...

        My reading of this is that this is not to do with passwords in the keychain, it is effectively retrieving a password from a code library, in much the same way that you call a library to (say) render the properties of a button. It is just part of the underlying coding of the app.

  4. Mishak Silver badge

    Blind trust?

    I would hope that any software libraries, SDKs, etc. that are used when security is concerned are audited and not simply accepted as trusted.

    Similarly, there should be a formal development process in place that verifies that the project's security requirements are satisfied (including that "dead code" / unused code / test code is not present).

    It always surprises me that processes from the safety domain that are also of relevance to security-related projects are generally not adopted (and that "safety" and "security" are seen as being different).

    1. Mike 137 Silver badge

      Re: Blind trust?

      "I would hope that any software libraries, SDKs, etc. that are used when security is concerned are audited "

      They never are, primarily because they're taken on trust, and in any case the expertise required is not available at the point of use. It's even more problematic where libraries are accessed dynamically from remote repositories, as contamination at source can occur at any time. Both dynamic access to remote libraries and their contamination at source are on the increase, and this is the primary paradox of the web. Even as the demand for security grows with applications being applied to ever more sensitive purposes, actual security diminishes due to ever greater susceptibility to malicious action against the required resources.

      1. fidodogbreath Silver badge

        Re: Blind trust?

        in any case the expertise required is not available at the point of use

        That's a very delicate way to put it.

    2. Charlie Clark Silver badge

      Re: Blind trust?

      How are you supposed to do the auditing?

      1. Ken Moorhouse Silver badge

        Re: How are you supposed to do the auditing?

        Packet analysis would surely reveal whether it is calling "home" or elsewhere. There must be a lot of extraneous traffic being transmitted/received.

        1. Richard 12 Silver badge
          Pirate

          Re: How are you supposed to do the auditing?

          That won't tell you what's being transmitted.

          Or whether the keys used can open other boxes, which is the main problem highlighted here.

  5. Charlie Clark Silver badge

    Negligence

    Difficult not to conclude that this much of this is professional negligence and in breach of data protection regulations in many countries. It's certainly in breach of AWS' terms and conditions to hard code credentials making companies liable for any data exfiltrated.

    You must always authenticate before you authorise.

  6. VoiceOfTruth

    Imagine if this was compromised

    Bland statement from the HackedBank: our bank were the subject of a sophisticated attack whereby state-backed actors discovered our hard baked credentials. A very small number of our customers were affected. We treat our customer. data and security very seriously. Blah blah blah.

  7. the reluctant commentard

    Where did these fingerprints come from?

    Genuine question, as the article does not make this clear. As far as I know, Apple's TouchID and FaceID don't allow apps to grab fingerprints or face scans. That data always stays on the device (which is why when you switch iPhones you always have to set it up again)

    Instead, when an app requests authentication, all it will get is a "yes" or a "no" (Apparently in the case of TouchID iOS won't even tell *which* finger was presented, just that *a* valid finger was presented) but certainly not the data the scanner read.

    If this is the case, then where did that fingerprint data come from?

    I'm assuming Android works much the same.

    1. NeilPost Silver badge

      Re: Where did these fingerprints come from?

      I was thinking the very same.

      The app would gain TouchID authentication in some way, but being able to extract/copy the FingerPrint - and likely just the single digit - seems ridiculous.

      That would point the finger - pun intended - at Apple and Google.

    2. gnasher729 Silver badge

      Re: Where did these fingerprints come from?

      This is close enough. In reality, the application stores some encrypted data in the keychain and uses fingerprint or Face ID to decrypt it - of course you can just encrypt “yes” or “no”.

      And possible responses are: “Error, phone doesn’t support finger print”, “Error, phone is not currently set up for finger print”, “Error, user denied finger print”, or the decoded data.

  8. An_Old_Dog Silver badge
    Alert

    "Best Practices"

    And no company has ever used a lashed-together test system as a production system, or used the production system as a test system. Right?

  9. Tempest
    FAIL

    It's Not As If Banking Is Risky Enough Already

    A deposit sent via BANS from the Royal Courts to HSBC, where I have had an account since 1967 (that's correct, 1967).

    HSBC said nothing to me instead it opened up a new account in my name and refused to acknowledge the existence of this transfer. It was only transferred to me (as a person) after eight months during which time it ignored my communications, denied knowledge of it, etc. If it was for the assistance of persistent civil servants and a Whistle-Blower in the HSBC call centre in India**, I would be still bereft of this transfer!

    E-banking might be profitable for the banks but until they accept errors can & do occur, I suggest you check account activity regularly.

    **India is world fraud country N0.2, after Nigeria.

    1. Displacement Activity

      Re: It's Not As If Banking Is Risky Enough Already

      E-banking might be profitable for the banks but until they accept errors can & do occur, I suggest you check account activity regularly.

      And read your letters. I normally ignore mine, but I did spot one a couple of years ago from TSB. They told me I had a bank account with them, which I don't. After a lot of to-ing and fro-ing, they closed the fraudulent account, and sent me a cheque for £0.67 as compensation. Seriously. And one of the girls on the phone eventually told me that you could open a bank account with anyone's identity if you had their mobile phone A/C data (but I have no idea what that means).

      1. Alan_Peery

        Re: It's Not As If Banking Is Risky Enough Already

        "mobile phone A/C data" -> mobile phone account data probably. Telephone number, name, and address I would guess.

  10. Anonymous Coward
    Megaphone

    Name and Shame

    " Symantec's Threat Hunter Team said it discovered 1,859 publicly available apps"

    While I appreciate security researchers' efforts and I recognize that apps need to be given time to correct flaws, at some point I want to know, by name, what apps are still unsafe.

    1. Anonymous Coward
      Anonymous Coward

      Re: Name and Shame

      Probably easier to list the safe apps at this rate....

      1. Richard 12 Silver badge

        Here's the list of safe apps:

        (null)

        1. damiandixon

          Re: Here's the list of safe apps:

          LOL in spades.

        2. zuckzuckgo Bronze badge

          Re: Here's the list of safe apps:

          > (null)

          That's the name of my new app! Glad I made it on the list.

  11. greenwood-IT

    Same old same ild

    This comes down to the old issue of logging into a system as "Administrator" rather than a restricted user. We all know it's wrong, but it makes coding, testing and support soooo much easier.

    Everyone is rushing their development, and we know security & testing only ever finds problems and causes delays :-(

    Keyless cars, what a great idea - security will be in version 2.

    1. Anonymous Coward
      Anonymous Coward

      Re: Same old same ild

      "Did the car lock itself properly? I'll just go back and check..."

      beep beep clunk!

    2. Anonymous Coward
      Anonymous Coward

      Re: Same old same ild

      There are some development activities that require root/admin but the practice should not be common and you should not be doing the changes on the live system.

      So the only ones I've done recently are testing installers (in a VM), systemd services (setup via root but run as non root users), tweaking a touch screen driver for a new OS and hardware configuration. All done on test systems before migrating to production.

      I've worked in companies that locked developers machines down as though they were front office machines, it became a nightmare to get anything done.

      I'm currently leading the out-sourced development of a large package of work for a FTSE 100 company. At the company I work at we are using CI, automated analysis tools. A year in and my counterparts are still arguing with thier IT to get a CI setup with the similar tools for the target OS. To keep the project moving forward I've been supplying the OS pre-configured on the target systems for them with a complete build system .... They have taken to buying additional targets for them to do thier development off corporate network...

  12. Robert Grant Silver badge

    The root cause of this sort of thing is often having central/corporate IT run application security. In the vast majority of cases they came from IT, not dev, so they don't have the background.

    1. Nick Ryan Silver badge

      I suspect this is rather the opposite as it feels like the usual developers who only consider security as an afterthought and something that can be tacked on at a later date.

      Such developers code applications assuming administrator level access to systems and resources and as any decent developer knows, tacking security on as an after thought only ever leads to poor security.

      It's a lazy approach: security should start with "you have no access" followed by "you will be granted only the exact access you need", however a typical lazy developer will just plump for administrator level access from the outset because that means they don't have to consider access levels or security.

    2. Cliffwilliams44 Bronze badge

      In this instance that doesn't cut it. IT, Infrastructure IT in particular, is responsible for the security. DevOps IS NOT getting credentials for sensitive data even if that need it. They will authenticate their users, retrieve rotating credentials from Secrets Manager (in the case of AWS) and use those credentials to access the data. AND ONLY the data they absolutely need.

      The examples in the article are just laziness/incompetence. If you are a corporation using AWS and you don't fully understand AWS security best practices for GODS sake, ask AWS Support! They are more than happy to help you!

  13. The Dogs Meevonks Silver badge

    Banking Apps Insecure...

    Great... so now we know that some banking apps are insecure... WHICH ONES?

    Do I need to be concerned about it or not?

    The nearest bank branch to me is a 10m round trip... I'm moving in a couple of weeks, and the nearest branch of my bank is going to be more like a 25m round trip. I do kinda need to use an app and I'm using it almost daily for something or another.

    1. TimMaher Silver badge
      Pint

      Re: 10m to 25m

      So, your bank is in your back garden and now you are moving next door?

      It’s Friday. Have a pint.

      1. The Dogs Meevonks Silver badge

        Re: 10m to 25m

        I had several over the weekend... more than my 43yrs needs these days... oof, rollercoaster head when I went to bed Sat night

  14. Twanky Silver badge
    Trollface

    "In particular, developers should never reuse cloud shares meant for user data with internal corporate data, and should ensure all shares are appropriately locked down with permissions designed for the data being stored,"

    Oh Maaan! Have you any idea how long that sort of stuff takes? You have to ask the guys in the other department to set things up and it can take hours... and they get all picky about exactly what you mean... and then when you need to change it it takes hours again.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like