Is my mobile banking app secure?

Hi All

My apologies as this is possibly off-topic, but I wanted to ask the community their opinion.

I’ve been concerned about my banking app on my mobile for some time. The issues I have are as follows:

  1. The allowable password is 6-9 characters with no special characters allowed.
  2. Somehow, the user name is pre-filled by the app and so is not required to log in.
  3. Without logging in, the user name, bar the last few characters is displayed on-screen at the top.

It seems incredible to me. I had a play with the BW password generator here:

I asked it to generate a password with the above restrictions and then repeatedly clicked on regenerate.

Typically, BW reported a crack time of a day, and occasionally 12 hours, for a 9-character password. Now, call me paranoid, and you might be right, but I quite like my crack time to be centuries.

I also tried, for interest, a 6-character password, which, of course, I would never use, but the crack time was pretty consistent at 2 minutes.

So in summary, you don’t need a user name and the password is forced to be weak. I’ve spoken to the bank and they are not interested. They tell me they ‘take security very seriously dah de dah…’

Have I missed something?

Cheers

Steve

Hey Steve,

The crack time given by the BW password generator is for an offline attack, where there is no rate limiting. But your bank’s security probably has rate limiting and other anti-brute-forcing measures in place for online attacks, so the time to crack your password would be much longer.

You can try this “quick” test to get a better idea of how long it would take to crack your password online. This is the test that the BW password strength tester is based on, but it gives more information:

https://lowe.github.io/tryzxcvbn/

As you can see, even a 9-character password with no special characters would take centuries to crack on-line, with rate limiting, and years to crack without rate limiting.

If you have 2FA enabled on your bank account, or if it already has a default phone SMS 2FA policy, then your biggest security risk is probably getting malware or being phished. Unless, of course, someone can hack your bank directly, in which case, they might be able to figure out your password.

Some would say, if you are uncomfortable with your bank’s security policy, maybe it’s time to look for another, although it’s also noted that financial institutions tend to be very conservative employing newer security measures, so your next bank may not be much better.

Cheers,

Password strength testers are hit or miss, but a 9-character alphanumeric password (including upper- and lowercase letters, as well as numbers) would have an entropy of around 54 bits if randomly generated.

As noted by @Neuron5569, this is sufficient for protecting against online brute-force attacks, assuming that your bank has implemented rate-limiting and IP blocking to protect against such attacks.

If we’re considering offline attacks, that implies an attacker has already breached the bank’s servers. In that case, wouldn’t they be able to steal funds already, or is there some encryption that must be broken using a key derived from the user’s password before any damage can be done? I don’t know enough about banking technology to answer that question. If the user’s password is needed for decryption of keys, then the security depends on what method the bank has used to generate the server-side password hashes. If they follow OWASP’s recommendations, they would have used a slow hash function capable of throttling the guessing rate to 10,000 password guesses per second per GPU. If this is the case, then a 54-bit password should be sufficiently strong to withstand an offline brute-force attack.

The same cannot be said for a 6-character password (even if randomly generated), so there are undoubtedly customers of this bank who are vulnerable.

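The two replies above both turn on the difference between an online guess rate (throttled by the bank) and an offline one (limited only by the hash function). The following script is an added example, not code from the thread or from any bank; it puts the figures mentioned above (a 62-symbol alphanumeric alphabet, the 10,000 guesses/s per GPU slow-hash rate grb quotes from OWASP) into crack-time estimates for the 6 to 9 character lengths the app allows. The online throttle of 10 guesses per minute and the ~1e10/s fast-hash rate are assumed round numbers for illustration, not measurements.

```python
import math

# Added example (not from the original thread): turn the entropy and guess-rate
# figures discussed above into crack-time estimates. All guess rates are assumed
# round numbers for illustration, not measurements of any real bank.

ALPHANUMERIC = 62  # a-z, A-Z, 0-9: the character set the app permits

SECONDS_PER_YEAR = 365.25 * 24 * 3600

GUESS_RATES = {
    # online attack on a login endpoint throttled to 10 guesses/minute (assumed)
    "online, rate-limited": 10 / 60,
    # offline attack on a slow hash tuned per the OWASP figure quoted in the thread
    "offline, slow hash (10k/s per GPU)": 1e4,
    # offline attack on a fast unsalted hash such as MD5 (~1e10/s on one GPU, assumed)
    "offline, fast hash": 1e10,
}


def entropy_bits(length: int, alphabet: int = ALPHANUMERIC) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet)


def expected_crack_seconds(length: int, guesses_per_second: float,
                           alphabet: int = ALPHANUMERIC) -> float:
    """Expected time to guess a random password: half the keyspace on average."""
    return (alphabet ** length) / 2 / guesses_per_second


def min_length_for(target_years: float, guesses_per_second: float,
                   alphabet: int = ALPHANUMERIC) -> int:
    """Smallest length whose expected crack time reaches `target_years`."""
    length = 1
    while expected_crack_seconds(length, guesses_per_second, alphabet) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=(6, 7, 8, 9)) -> dict:
    """{length: {scenario: expected seconds}} for the app's allowed lengths."""
    return {n: {name: expected_crack_seconds(n, rate) for name, rate in GUESS_RATES.items()}
            for n in lengths}


if __name__ == "__main__":
    for n, row in crack_time_table().items():
        print(f"{n} chars, {entropy_bits(n):.1f} bits")
        for name, secs in row.items():
            print(f"   {name:38s} {human(secs)}")
    slow = GUESS_RATES["offline, slow hash (10k/s per GPU)"]
    fast = GUESS_RATES["offline, fast hash"]
    print("length needed for 100 years vs slow hash:", min_length_for(100, slow))
    print("length needed for 100 years vs fast hash:", min_length_for(100, fast))
```

The numbers it produces line up with the posts: a random 9-character password is about 53.6 bits, which is centuries even without a throttle if the bank used a slow hash, while the same 9 characters against an unsalted fast hash fall in days and a 6-character password in seconds. The model assumes a uniformly random password; a human-chosen one is far weaker, which is what zxcvbn-style testers try to account for.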

Hi @Neuron5569
Thanks for your reply. To be honest, I have no idea if the bank employs rate limiting, but would hope they do. I can see what you’re saying about the time scales and rate limiting.

I can’t find any evidence of 2FA. You start the app, enter your password and you’re in. No SMS, no security key and no secret question. You then have full access to view/pay etc.

I did a bit of Facebook messaging with them and they told me they do use 2FA, but couldn’t explain what it was. The only thing I can think is they take a fingerprint of my phone and compare that.
They told me they check that it’s ‘really me’, which sounds reassuring, but I have no idea how they could do that without knowing me personally and having a video call. For example, if my wife had my password and logged in with my phone, would they know it wasn’t me? I don’t think so.

You can access the banking system online, through a web browser, and that does use 2FA with the app. You start the login process online and it asks you to generate a code using the app. You log in to the app with your password and choose the option to generate a code, which looks quite like a TOTP code. I’m happy with that process.

But I can’t see any way that 2FA is employed for the app. There’s no user name, and no 2FA.

Yes I agree with the risks you have laid out. A small risk I have considered, is that the bank is hacked, passwords decrypted and appears for sale on the dark web. Then my mobile is stolen and the thief gets hold of the cracked database and they are in. Probably unlikely, but there it is, all fixed by a nice long uncrackable password.

Yes I was thinking of changing banks, but do quite like them. Their online system works well and generally the customer support is good, but I may change anyway.

Hi @grb
Yes I agree with what you are saying about the crypto keys the bank uses. Presumably they wouldn’t be dumb enough to use MD5! Anyway, I don’t know and will never know as I’m sure they wouldn’t disclose.

I’m tempted to delete the app and just use the system with a web browser, as this seems much better, with a user name of up to 80 characters and a password of, I think, 30 characters, but as they use the app for 2FA, you have to use it. Another option is a physical security key. I asked about this, but it takes 10 days to post it, and you can’t use your account in any digital way in that period; you have to use telephone banking, which I don’t fancy much.

Sorry to bang on, hope I haven’t sent anyone to sleep, lol!

Cheers

Steve

I can’t find any evidence of 2FA. You start the app, enter your password and you’re in. No SMS, no security key and no secret question. You then have full access to view/pay etc.

By any chance, do you remember whether, when you installed the app, you had to enter an OTP sent to your phone to activate it? Some apps use this method to “authenticate” you. For example, I think Authy does this. If they do this, then you sort of have this security/2FA:

  1. Your 9-char password + 2FA SMS for your mobile (I personally might try to totally uninstall the app and start over to see if this happens, but I’d also be afraid of losing access if the re-installation is unsuccessful)
  2. Your 9-char password + 2FA mobile app for your web access

What they told you over FB does sound like a bunch of horseshit. These guys always claim they take security seriously, but I still remember a recent data breach at a financial org where they had stored the passwords as unsalted hashes.

If you still want to continue with this bank, maybe one way to mitigate the problem is to change your password often (with BW, it’s probably manageable). How often depends on how much you have in your account. If there is really a lot, I would change the bank rather than the passwords. It’s expensive being rich :wink:

Cheers,
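To make the “activate once with an OTP, then the phone itself is the second factor” idea above concrete, here is an added simulation; it is not the bank’s code and the flow is an assumption about how device-bound app enrolment is commonly done, with the `BankServer` class, user name and password purely hypothetical. Enrolment checks the password, confirms an SMS OTP, and then issues a per-device key that the app stores; every later login must present the password and an HMAC over a fresh server nonce under that key. The demo shows what that buys and what it does not: a password alone fails, the key without the password fails, a captured proof cannot be replayed, but anyone holding the enrolled phone plus the password gets in, which is exactly the point Steve raised about his wife.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration (not the bank's code): a "device-bound" second factor.
# The app is enrolled once with an SMS OTP, receives a per-device key, and every
# later login must prove possession of that key in addition to the password.
# Names, the enrolment flow and the sample credentials are assumptions.

PBKDF2_ROUNDS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (argon2/scrypt would be preferable; PBKDF2 is in the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def prove_possession(device_key: bytes, nonce: bytes) -> bytes:
    """Client side: HMAC of the server's nonce under the key stored in the app."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


class BankServer:
    def __init__(self):
        self.users = {}       # username -> (salt, password hash)
        self.devices = {}     # username -> device key issued at activation
        self.pending = {}     # username -> OTP awaiting confirmation
        self.nonces = set()   # outstanding login challenges (single use)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _password_ok(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def start_activation(self, username: str, password: str):
        """Enrolment step 1: password check, then an OTP is 'sent by SMS'."""
        if not self._password_ok(username, password):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = otp
        return otp  # returned here only so the example can simulate the SMS

    def finish_activation(self, username: str, otp: str):
        """Enrolment step 2: correct OTP -> a fresh device key is issued to this install."""
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        key = secrets.token_bytes(32)
        self.devices[username] = key
        return key

    def challenge(self) -> bytes:
        """Fresh nonce for one login attempt."""
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def login(self, username: str, password: str, nonce: bytes, proof: bytes) -> bool:
        """Both factors must pass: the password and the device-key proof over the nonce."""
        if nonce not in self.nonces:
            return False
        self.nonces.discard(nonce)  # a replayed proof for a used nonce fails here
        pw_ok = self._password_ok(username, password)
        key = self.devices.get(username)
        dev_ok = key is not None and hmac.compare_digest(prove_possession(key, nonce), proof)
        return pw_ok and dev_ok


def demo() -> dict:
    """Run the enrolment and a set of login attempts; returns {scenario: accepted?}."""
    bank = BankServer()
    bank.register("steve", "Ab3kQ9xZp")  # 9-char alphanumeric, like the app allows (constructed)
    otp = bank.start_activation("steve", "Ab3kQ9xZp")
    phone_key = bank.finish_activation("steve", otp)  # lives inside the app on the phone

    results = {}
    n = bank.challenge()
    results["phone + password"] = bank.login("steve", "Ab3kQ9xZp", n, prove_possession(phone_key, n))
    n = bank.challenge()
    results["password only, no device key"] = bank.login("steve", "Ab3kQ9xZp", n, prove_possession(b"guess", n))
    n = bank.challenge()
    results["device key, wrong password"] = bank.login("steve", "wrongpass", n, prove_possession(phone_key, n))
    n = bank.challenge()
    proof = prove_possession(phone_key, n)
    bank.login("steve", "Ab3kQ9xZp", n, proof)
    results["replayed proof"] = bank.login("steve", "Ab3kQ9xZp", n, proof)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:32s} {'accepted' if ok else 'rejected'}")
```

Read against the thread: the device key turns a leaked password hash into a non-event for the app (the attacker also needs the enrolled phone), but it identifies the phone, not the person, and it does nothing for the web login that the app’s own password protects.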

Hi @Neuron5569

Thanks for your reply.

Sorry I don’t remember the installation process too well. I guess there was some one-time 2FA method in installation, but one-time is no good as once it’s verified, it just leaves a weak password to get round.

What they told you over FB does sound like a bunch of horseshit.

My thoughts exactly. From time to time I google ‘recent data breaches’ and am gobsmacked at how completely dumb some large organisations are, for example, storing password hints in plain text.
I have a joint account with my wife with a company called Nationwide. Their site is nationwide.co.uk. They send out emails from nationwide-communications.co.uk. There are buttons in the email with supposed links to their banking web site, their Facebook page, Twitter etc. Each link begins with click.nationwide-services.co.uk. Sound like a scam email? It really does. Dumb? Sure is. I did a bit of poking around and both domain names resolve to a company called salesforce.com in the USA. I guess they use them for bulk emailing. At the top of the email is my postal code to prove ‘it’s really us’. Yup, that proves it then!

While I’d quite like to be super-rich, I’m definitely not. I just find it all so sloppy and it makes me baulk :slight_smile:

Have a good day all…

Cheers

Steve