banking apps with network vulnerabilities

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

banking apps with network vulnerabilities

#1 Post by prehistoric »

Here's another installment in the discouraging history of efforts to produce apps for on-line banking that are really secure. Considering the monetary value of the transactions already taking place this should not be acceptable.

Please note that this did not address the possibility that the OS running on the device may have already been hacked, compromising the environment in which the app runs.

My own opinion is that you probably can't rid software requiring hundreds of megabytes for code storage of vulnerabilities. Applying updates also risks introducing new problems.

Apple just went through such a crisis when a new release of "High Sierra" accidentally allowed root login without a password. After a fix for that, a later patch disabled the previous fix.

It is ancient history now, but back in the 1980s I was part of a group that examined some large software projects to learn something about bugs. One discovery was that most big software systems reach statistical equilibrium within a year or two. This is where bugs appear just as fast as they are fixed.

(Anyone who has been tied to software maintenance probably recognizes the "Death March" atmosphere that sets in on the project team when equilibrium is established.)

Another surprise was that the typical bug we were finding one year after release was estimated to turn up once in 2,000 years of individual use. These problems are pretty much impossible to catch through testing anyone can afford.

Now, will someone explain to me why on-line banking from an app on your phone is a good idea?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: banking apps with network vulnerabilities

#2 Post by belham2 »

prehistoric wrote:

Now, will someone explain to me why on-line banking from an app on your phone is a good idea?

+1

I'd like to see a response from someone who actually "rationalizes" and "defends", at present, doing full online banking from their phone providing access to ALL their accounts. (This same thing applies to sensitive health, insurance, personal, etc, etc data). I know quite a few people, in the security & tech industry overall, within Apple too, and not one of them do "online banking" with their phones----at any level. Not one of them trust "any" sensitive data to their phones----and these people are responsible for overall development of either the iOS and/or Android.

There's a dirty-secret corollary here: at present, the more educated you are, the more wealthy you are, the less likely you are to use "online banking" with any phone (Apple, Android, or otherwise). It is a not well-kept secret hardly anyone in Silicon Valley handles ALL their online banking through their phones. They do it through setting up separate, non-linked nominal accounts for when they want to use their phone.

Thus, it is not a stretch of the imagination to say that 99.9999% (yes, 5 decimal places) of all "full" (handling their complete accounts) online banking is done by the hoi-polloi, a sort of a massive testwide guinea pig status.

Yet the hoi polloi? They've neither the knowledge nor the wealth to set up multiple accounts (non-linked, separate accounts, reducing their exposure if something happens) and thus seemingly blithely do all their online banking without a worry as to whether it is "safe" or not.

It must be safe! I hear this time and time again when I ask people who "bank" on their phones. They reply, that because the "big" companies wouldn't be telling us to do this IF it wasn't 'safe'....their own employees must do it....and.......so there's no problem.

Sigh...if they only knew :roll:


Eventually, phones will become just as "secure" as any other means---to not acknowledge that is to be blind. Same as with wifi vs lan. Same as with end-point network nodes versus origin-to-mid-point network nodes. Until that point, when all this approaches equilibrium, you've gotta have half-a-screw loose to trust your phone to anything sensitive you do in your life.

Do what the people who make this stuff do----be wary, use it minimally, and let the guinea pigs (say the words again: hoi polloi) keep discovering the shortfalls and problems until things are ironed out a bit more.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#3 Post by prehistoric »

Meanwhile, what about a complete departure from physical banks? Here's today's news.

At current Bitcoin values this would come to about $64 million. This is dwarfed by the size of the hack that brought down Mt Gox. Multiply the 850,000 bitcoins missing from there by $15,000 and you get $12,750,000,000.

Who thought basing a currency on computer security was a good idea?
