In June 2012, two British banks deployed a system which enables customers to retrieve money from an ATM using their mobile phones. However, on 6 October 2012, this service was suspended because of a “planned update”. Hopefully the banks realised that the system is a security hazard.

How often do you want to retrieve money, only to realise you left your wallet at home, but remembered to take your mobile phone with you? I am with Dan Cvrcek (9 October 2012) in his remark that the application that solves this issue provides more convenience to criminals than it does to customers. In the end, I have my wallet with me more often than my smartphone.

Although an application that enables withdrawal of funds with merely displaying a code that has to be entered on an ATM takes the cake when it comes to insecurity, other banks are also making a shift to less secure and more convenient smartphone banking applications. For example, a couple of the major Dutch banks provide applications you can use to see your funds and transfer money merely secured by a numerical code and a daily limit. Clearly, a shift from more secure banking methods on personal computers to more convenient mobile applications can be seen.

Insecure Registration and Activation
On the website of the bank (NatWest), we can see a brief description of the registration process. Basically, you have to download the application, accept the terms and enter some details, such as your customer number, banking card number and personal information. If we recall that privacy infringement and identity fraud are rather common these days, it becomes clear that this is not a secure registration method.

Actually, one customer that was defrauded out of £ 950,00 did not use the application himself. This most probably means that someone else was able to register his smartphone in the name of the victim. In other words, those not wanting to use the application still have to stay on guard.

Passwords Are Inherently Insecure
Apparently, the fact that passwords are not so secure needs to be stressed over and over again (29 June 2012). The wonderful thing about banking cards is that they provide a (presumably) trusted device that can perform strong cryptographic operations. By cutting out this device in favour of a passphrase that needs to be stolen only once to become fully compromised, security is severely harmed.

Especially when it comes to the usage of ATM’s, I cannot grasp why the convenience of not having to take a debit card with you is worth the security risk. I understand the mobile banking applications that allow you to look at your funds, but this really is ridiculous.

But We Have Limited the Usage!
To be fair, the withdrawal application has a limit of £ 100,00 per transaction. It’s just a shame they forgot to implement an overall limit. In itself, this is an extreme error, although it is partially fixable by also introducing a daily limit. For example, the Dutch banking applications allow customers to set up a daily limit. When this limit has been passed, the normal security measures are required, i.e. the banking card reader needs to be used.

Nevertheless, traditional banking cards also have daily limits. For this reason, skimmers have the habit of collecting the maximum amount of cash right before and right after midnight, allowing them to still get away with a decent amount of cash. Of course, banks have reacted by making this one of the heuristics for criminal behaviour – another example would be withdrawing cash in two places in different countries within one hour. However, there have been other methods used by thieves to fool these detection mechanisms.

The GetCash Application: a Bad Idea
The ability to perform transactions on an insecure device like a smartphone secured by merely a passcode is a bad idea. Most important of all is simply the fact that passwords have always been and will always be an inferior method for uses that require high security. In the end, we did not develop banking cards because they look neat. Additionally, those applications tend to use registration and activation processes that make impersonation fairly easy. Especially when it comes to retrieving funds from ATM’s, smartphone applications provide less security for a marginal increase in convenience.

Tagged with:

Leave a Reply

Your email address will not be published. Required fields are marked *