Are your mobile banking apps safe?

IMHO, I don't think FNB's Internet Banking is as secure as it should be. As most FNB Internet
banking users know, certain functionality is now accessible without the use of an OTP.

The only problem I have with this is that you're able to buy Lotto Tickets without an OTP.
So if someone steals your password, and realizes they can't get away with anything, they
can still be malicious and clear out your account by purchasing Lotto Tickets.

Now if you win the Lotto, no harm done. :D, but I still think it's a bit of a security loophole. :(
 
Obscure company publishes a bit questioning the security of mobile banking apps without naming names... I'll have my 2 pinches of salt now.
 
...The only problem I have with this is that you're able to buy Lotto Tickets without an OTP.
So if someone steals your password, and realizes they can't get away with anything, they
can still be malicious and clear out your account by purchasing Lotto Tickets.

Now if you win the Lotto, no harm done. :D, but I still think it's a bit of a security loophole. :(


LOL.

Nice one!
 
Mobile apps are able to perform client-side encryption before sending data over the network. Even though SSL connections are a secure connection between client and server, this is still an added level of security... If they aren't performing client-side encryption, I don't see how it's any more secure than HTTPS.

The fact that FNB's app needs to be authorised before the phone can be used for banking makes it quite secure. You can just de-authorise the phone if it gets stolen; let's not forget they need your password to use the app as well if your phone is stolen... If they steal your phone without an app they can get your OTPs, but then they also need to know your username and password for internet banking.

Most security breaches are because of carelessness on the user's behalf, if you ask me - though this is trusting that the banks have developers who have a clue... and more than just one doing it all by themselves (including testing).
 
From what I recall USSD is clear text sent over the network - so it is not encrypted at all.
 
From what I recall USSD is clear text sent over the network - so it is not encrypted at all.

USSD uses the SDCCH channel on GSM which uses GSM-A5 encryption over the air - the same encryption that is used for SMS and voice. While it's not a particularly strong encryption, the way the banks have implemented its use is very clever and circumvents most of its weaknesses.

Like somebody else said, the issue will not be the level of encryption, but rather how the users use it. Like all security, it's more of a social issue than a technological one.

--deckert
 