Of all the mobile apps out there, your personal banking app is likely to be the most secure, right? Wrong! A researcher recently discovered several security vulnerabilities in 40 personal banking apps from 60 of the world’s biggest banks.
The research also found that almost half of the apps tested do not validate the authenticity of the SSL Certificates being presented.
According to a recent article posted on the International Business Times, Ariel Sanchez from IOActive found that 90% of the apps contain non-SSL links.
“Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms.”
-Ariel Sanchez, IOActive
The need for SSL Certificate Authentication
Not all SSL is the same. SSL is critical when making a secured connection, but a secure connection to a bad actor does you no good. When connecting securely to exchange login credentials, payment information, or private information, it’s critical that you make a secured connection to someone you trust. Cheap SSL Certificates enable privacy, but offer no authentication that the organization on the other end is who they claim to be.
Hackers can obtain SSL Certificates, but high assurance Certificate Authorities like DigiCert only issue SSL Certificates to parties that undergo identity verification. That means that when you see a DigiCert certificate, you can be sure that the bank you’re working with is really the bank you expect it to be, not a hacker with a phishing website.
Validated SSL Certificates, especially Extended Validation or EV SSL Certificates with the green bar, provide trust when creating a connection online. Secure SSL is more than just encryption; SSL done right means online trust.
Tips to Protect Yourself Online
Sanchez recommends that affected financial institutions take the following precautions:
- Ensure that all connections are performed using secure transfer protocols
- Enforce SSL Certificate checks by the client application
- Protect sensitive data stored on the client side by encrypting it using the iOS data protection API
- Improve additional checks to detect jailbroken devices
- Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
- Remove all debugging statements and symbols
- Remove all development information from the production application
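The first two of these precautions (no plain-HTTP endpoints, and certificate checks enforced by the client) can be expressed as an audit. The following is an added example written for this article, not code from IOActive’s research or from any bank app; it uses Python’s standard `ssl` module in place of iOS networking code, and the endpoint list is constructed for illustration.

```python
"""Audit a client's transport settings for the two findings in the article:
non-SSL (plain http://) endpoints and disabled certificate validation."""
import ssl
from urllib.parse import urlparse

# Constructed sample of endpoints an app might embed; not from any real bank app.
SAMPLE_ENDPOINTS = [
    "https://mobile.example-bank.test/api/login",
    "http://mobile.example-bank.test/api/statements",   # plain HTTP
    "https://cdn.example-bank.test/terms.html",
    "http://tracking.example-analytics.test/pixel",     # plain HTTP
]

def find_non_ssl_links(urls):
    """Return every endpoint that is not served over TLS (the 'non-SSL links' finding)."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]

def weak_context():
    """The insecure pattern: TLS gives privacy, but the peer is never authenticated,
    so any certificate (including an attacker's) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(ca_bundle=None):
    """SSL done right: a trusted CA store (system default, or a pinned bundle via
    ca_bundle), the certificate is required, the hostname is checked against it,
    and protocol versions below TLS 1.2 are refused."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return a list of findings; an empty list means the client authenticates its peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not required (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings

if __name__ == "__main__":
    print("non-SSL endpoints:", find_non_ssl_links(SAMPLE_ENDPOINTS))
    print("weak client findings:", audit_context(weak_context()))
    print("hardened client findings:", audit_context(hardened_context()))
```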
The next time you’re presented with a $20 Cheap SSL Certificate, remember the adage “you get what you pay for”. Authentication and trust matter: are you willing to put your organization’s reputation and your customers’ data at risk?
Choosing the right SSL is the first step in the process, followed by ensuring that connections are secured and that stored sensitive data is protected. Learn more about how SSL helps improve online reputation and keep your information safe.