Online and Mobile Banking Fusion

Banks keep simplifying access to our bank accounts. They keep relaxing security while hoping to replicate the boiling frog story. The trouble is that nobody visibly gets hurt, so the relaxing continues, and someone will figure it out sooner rather than later.


I touch on a few things: using online banking to find valid card numbers and dates of birth, the increasing chances of unauthorised access, the lowering security of login credentials, and the changing role of debit cards.

This post is based on my experience with a UK bank I have been banking with for a while. I believe this (r)evolution is a general trend though!

I start with online banking. When I opened my account, I had to remember an 8-digit user number. I also had to know my last name (ok, not so difficult) and a password. Eventually, I was able to store the first two items in my browser, and the bank actually kept suggesting that this is the way to do it. The important thing: the user number was completely independent of my debit card.

Things started changing when the bank introduced a CAP (Chip Authentication Program) device. I could now log in with my card number and an 8-digit code generated by the CAP reader, instead of my password.

Identification of my account was “simplified” as I could use the user number, the debit card number, or the bank account number (added later).

Online banking “user-friendliness” actually leaks quite a bit of information. When I played with the logon form for a bit, I quickly realised that it was a great oracle for finding out valid debit card numbers and account numbers: an easy-to-automate mechanism for quickly building a database of all valid debit cards issued by the bank.

My bank also created a mobile banking app. It looked good; I could see the balance and even make payments to payees I had defined elsewhere. The bank didn’t seem to like its CAP devices, so it added a function to the app that I could use to log in to online banking (e.g., to set up new payees).

Interestingly, I could also test twice as many authentication codes against my online banking – the first set “coming” from my debit card and the second set from my mobile app.
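The two weaknesses just described, a logon form whose distinct error messages confirm which identifiers exist and a code budget that doubles because CAP and app codes are counted separately, side by side with a form that avoids both. This is an added illustration, not the bank's code; the account record, identifiers, one-time codes and lockout threshold are constructed.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED = 3          # constructed lockout threshold

@dataclass
class Account:
    # constructed sample record; the codes stand in for the current one-time codes
    user_number: str
    card_number: str
    account_number: str
    cap_code: str       # code the CAP reader would show for this card
    app_code: str       # code the mobile app would show
    failed: int = 0

def leaky_logon(accounts, identifier, code):
    """Behaviour the post describes: distinct errors reveal which identifiers exist."""
    for a in accounts:
        if identifier in (a.user_number, a.card_number, a.account_number):
            if code in (a.cap_code, a.app_code):
                return "OK"
            return "Wrong code"          # confirms the identifier is valid
    return "Unknown identifier"          # confirms it is not

class HardenedLogon:
    """One failure message and one lockout counter per account, whichever
    identifier or code source the caller uses."""
    FAIL = "Login failed"

    def __init__(self, accounts):
        self._by_id = {}
        for a in accounts:
            for ident in (a.user_number, a.card_number, a.account_number):
                self._by_id[ident] = a   # all three identifiers map to one record

    def logon(self, identifier, code):
        a = self._by_id.get(identifier)
        if a is None or a.failed >= MAX_FAILED:
            return self.FAIL             # same answer for unknown and locked
        # constant-time compare against both code sources; a guess spent on
        # either source counts against the single shared budget
        if any(hmac.compare_digest(code, c) for c in (a.cap_code, a.app_code)):
            a.failed = 0
            return "OK"
        a.failed += 1
        return self.FAIL
```

With the hardened form, trying the card number, then the account number, then the user number against one account spends the same three guesses, and an attacker learns nothing from the reply about whether the identifier was real.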

What took me off guard was when the bank relaxed the restrictions of its mobile app. I could suddenly set up new payees with it, i.e., I now don’t need online banking at all.

My thoughts?

  1. There are a large number of ways to get into my account. There may be a reason for each of those options, but I have difficulty justifying them all.
  2. Online banking “successfully” fused the online, mobile and debit card worlds into one. This significantly increased the internet attack surface!
  3. Your debit card has been overloaded with functions, and its (brief) loss may completely compromise your bank account.
  4. The security of my bank account is only as good as the odds of guessing a 5-digit code, or the chances of a waitress not messing with my debit card at the end of a Friday dinner.

Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.