[Cryptography] Banking app security still sucks

Stephen Wood smwood4 at gmail.com
Mon Dec 21 17:11:35 EST 2015


re:
http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/

> The Payment Card Industry Security Standards Council (PCI SSC) has
> decided to delay the deadline for migration from Secure Sockets Layer (SSL)
> to Transport Layer Security (TLS) [...] Now the Council says it's just too
> hard for retailers to make the jump.

Speaking purely of point-of-sale systems, can someone help me understand
why the payment card industry is still dealing with the problem of trusted
and untrusted networks? Hasn't this problem been largely solved by
transaction tokenization?

DNS servers are able to make zone updates across the public internet via
TSIG[0]. And if my understanding of Apple Pay is correct, the tokenization
system is agnostic to the POS transport protocol and should allow trusted
transactions even on untrusted networks[1].

I can't help but feel we are squandering the opportunity to upgrade both
the POS terminals _and_ payment card industry during the rollout of EMV POS
terminals happening right now in the US.

[0] https://www.ietf.org/rfc/rfc2845.txt
[1] https://www.apple.com/business/docs/iOS_Security_Guide.pdf pg. 35


On Mon, Dec 21, 2015 at 6:13 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> FYI -- I can't wait for the hand-wringing to begin after the next big bank
> breach...
>
> "Five of the 40 audited apps failed to validate the authenticity of the
> SSL certificates presented, which makes them susceptible to
> Man-in-The-Middle (MiTM) attacks"
>
> "30 per cent of [the apps] failed to validate incoming data"
>
> "15 per cent of the apps store unencrypted and sensitive information"
>
> "The world will therefore have to bumble along with known-to-be imperfect
> encryption for *two years* longer than planned"
>
>
> http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/
>
> Security industry too busy improving security to do security right
>
> PCI Council delays SSL abandonment date to 2018, so cruddy credit crypto
> continues
>
> http://www.theregister.co.uk/2015/12/18/ios_banking_app_audit/
>
> iOS banking apps security still not good enough, says researcher
>
> Repeat test throws up improved results from 2013 but problems remain
>
> 18 Dec 2015 at 15:14, John Leyden
>
> The security of mobile banking apps has improved over the last two years
> but there's still scope for improvement.
>
> Ariel Sanchez, security consultant for IOActive, has revisited research
> into the topic first conducted two years ago to see if there's been any
> improvement.
>
> Although security has increased over the two years, many apps still remain
> vulnerable.
>
> As before, the research covered 40 mobile banking apps for iOS in use
> around the world.  Sanchez confined himself to looking for client side
> security weaknesses or vulnerabilities and didn't include any server-side
> testing.
>
> His testing methodology is explained in much more detail in a blog post
> here.  iOS does not name the apps or the banks who released the apps it
> tested.
>
>
> http://blog.ioactive.com/2015/12/by-ariel-sanchez-two-years-ago-idecided.html
>
> Five of the 40 audited apps failed to validate the authenticity of the SSL
> certificates presented, which makes them susceptible to Man-in-The-Middle
> (MiTM) attacks.  And more than a third (35 per cent) of the apps contained
> non-SSL links throughout the application.  This shortcoming would allow an
> attacker to intercept traffic and inject arbitrary JavaScript/HTML code in
> an attempt to create a fake login prompt or attempt similar scams.
>
> In addition 30 per cent of them failed to validate incoming data, leaving
> them potentially vulnerable to JavaScript injections.  The results may not
> appear impressive but at least they are an improvement on results from 2013.
>
> The testing also covered binary and file system analysis.  This phase of
> the audit revealed that 15 per cent of the apps store unencrypted and
> sensitive information, such as details about customers' banking accounts
> and transaction history, in the file system via sqlite databases or other
> plaintext files.
>
> "Most of the apps have increased transport security of the data by
> properly validating SSL certificates or removing plaintext traffic,"
> Sanchez concluded.  "This helps mitigate the risk of users being exposed to
> MiTM attacks."
>
> "Although the numbers are down overall, there are still a high number of
> apps storing insecure data in their file system.  Many of them are still
> susceptible to client-side attacks," he added.
>
> Sanchez added that few of the apps provide alternative authentication
> solutions, with most relying simply on username and password for
> authentication.  Only 17 of the 40 (42.5 per cent) of the apps provided
> alternative authentication solutions to mitigate the risk of leaking user
> credentials and impersonal attacks.
>
> ---
>
> http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/
>
> Security industry too busy improving security to do security right
>
> PCI Council delays SSL abandonment date to 2018, so cruddy credit crypto
> continues
>
> 21 Dec 2015 at 01:01, Simon Sharwood
>
> The Payment Card Industry Security Standards Council (PCI SSC) has decided
> to delay the deadline for migration from Secure Sockets Layer (SSL) to
> Transport Layer Security (TLS).
>
> Earlier this year, the Council decided the time to make the change was
> June 2016, a reasonable idea given that SSL gave the world the Poodle
> vulnerability.
>
>
> http://www.theregister.co.uk/2015/04/07/pci_revamp_ecommerce_network_security/
>
> Now the Council says it's just too hard for retailers to make the jump.
>
> The canned statement (PDF) about the moratorium, issued deep into Friday
> US time, features the Council's general manager Stephen Orfei saying
> migration was expected to be simple, "but in the field a lot of business
> issues surfaced as we continued dialog with merchants, payment processors
> and banks."
>
>
> https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf
>
> Orfei laid some of the blame at the feet of mobile devices, saying that
> retailers' efforts to secure transactions made on smartphones and
> fondleslabs, on top of "encryption, the SHA-1 browser upgrade and EMV in
> the US" together make for so much work that the SSL death deadline can't be
> met.
>
> "We're working very hard with representatives from every part of the
> ecosystem to make sure it happens as before the bad guys break in," Orfei
> says.
>
> The world will therefore have to bumble along with known-to-be imperfect
> encryption for two years longer than planned, a period during which The
> Register imagines "the bad guys" will do their very best to take advantage
> of weak encryption.
>
> The new migration deadline will be formalised in the next version of the
> PCI DSS standard, due in April 2016.
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
-- 
Stephen Wood
www.heystephenwood.com