Monday, January 19, 2009

That's a bug, not a feature

What's wrong with this picture?

Both my regular readers are probably thinking what's wrong is that we're going to get another rant about online banking. Well, yes you are, but that's not the point. Buckle up, because I'm about to roll out Borepatch's Second Law of Security.

Let's think about a brick-and-mortar bank. It will be in a building with decent security. More importantly, the security will be well understood. There are people whose business it is to know how long it will take someone to knock a hole in drywall, or cinder block, or vault steel. Or bullet-proof glass, for that matter. When you design a bank branch office, you take these things into account.

You also take area characteristics into account. Is it a good neighborhood? High traffic? Well lighted? All of these affect the security of your customers when they're not in your building. The system of the branch office is more than just the building.

So what's the system of the online mobile bank? We need to understand this to understand the risks of the different system components to get a good understanding of the overall risk.

There's the web site itself (logo blurred out here to protect the guilty). My experience is that you'll find the best security in the Defense Department. Very close behind that is security at the major banks. I have made some snide comments in the past about online banking, but the problem isn't that they don't have cutting-edge technology, or skilled operations personnel, or processes and procedures that are backed by executive management. Someone's in charge of the system - you can ask the question who's the online security guy and get an answer. While there will always be the occasional security vulnerability in the web portal, the risk here is low.

There's the Internet, that sits between you and the web site. Security is lousy here, but the encryption used to scramble your data while it flies over Al Gore's Intarwebz is so good that the risk here is basically non-existent.

There's your phone, and your phone's browser. Technology is moving very, very fast here, which means that security is an afterthought. You have many different vendors - one makes the phone, a different one makes the software, and a third one sets everything up. For me, it's some company in China who makes the phone, and Apple who makes the software (OS X and Safari), and AT&T who sets things up.

So when it comes to your phone, you are the "online security guy". You need to configure the phone securely and make sure that things are working correctly. Not your bank - after all, it's your phone, not theirs.

So what's the risk of the overall banking system? Negligible risk in the banking web site and Internet transport, but indeterminate risk in your phone.

In an engineering sense, "indeterminate" is a Bad Thing, because you can't estimate costs and risks. It's more than just "Ted has a bad feeling" going on here; there are serious issues that you need to know about before you can tell whether the overall online mobile banking system has unacceptable risk:

Do you have a password on your phone? Passwords aren't the be all and end all, but not having a password means that any Tom, Dick, or Harry can use your phone.

Is all the data stored on your phone encrypted? If your company gives you a phone, and there's a guy in IT who sets things up, the answer very well may be "yes". Otherwise, it's almost certainly "no". "No" means that any Tom, Dick, or Harry can get your data if they get your phone.

Does your phone's browser clear all sensitive data when you're done browsing? Does it remember passwords? Does it save cookies? Does it have some sort of optimization to make it run faster, that involves saving a bunch of data so that the next time you go to you get peppy load times?

You have some sort of chance of knowing the answers to the first two questions; you have almost no chance at all of getting an answer to the third. Even more importantly, your bank can't find out, either - the web site can ask the browser a number of interesting questions, but not about these things.

So we're back to indeterminate. This is Bad Security juju, and this is where I will point to Borepatch's Second Law of Security:

Assume that all data on your phone is public data if you ever lose your phone.

Remember Tina Sherman? She has a loving husband - so loving, in fact, that he used his camera phone to take some photos of her in the all-together. Then he lost the phone. Then Mrs. Sherman found that she was the (ahem) star of a raft of web sites.

Imagine now that instead of naughty pix of the little lady, Mr. Sherman had his banking account and password on his phone.


So if you know how the system works and think that the benefits outweigh the costs, then go ahead. That, in fact, is the way that the system is supposed to work. As for me, I don't think I'm smart enough to figure out what my phone is doing.

So my recommendation to you is use an ATM, or if you absolutely must bank online, use your home computer. Just follow the 2 Simple Rules for Safer Browsing.

Your mileage may vary, void where prohibited, do not remove under penalty of law.

UPDATE 19 January 2009 21:14: Chris Byrne left an information-rich comment that is well worth your while.


Chris Byrne said...

Quite simply, you are a fool if you perform ANY banking online without end to end strong encryption.

Blackberries, and some NSA certified WinMo handsets, provide this end to end encryption. The iPhone is a bit iffy in this regard.

Theoretically, the version of Safari used on the iPhone is as secure as desktop Safari (or more, since it has a lot of potential holes stripped out). The weakness in the iPhone lies in its shared memory and filespace. Apple makes a bad decision in trusting to an obscured filesystem and login security on the phone, which has an underlying core of a BSD based UNIX.

Even worse, it has privileged accounts with default passwords.

Anyone experienced in UNIX security will tell you how bad an idea this is of course.

A jailbroken iPhone is a very easy thing to compromise using basic UNIX tools; and an unjailbroken iPhone is not much better (it just means you need another UNIX machine to compromise the phone, rather than running the compromise on the phone itself).

So you have to presume that in the event of a loss of handset, any recoverable data stored on it will be recovered by a hostile party.

The question then becomes, what data is recoverable.

Apple includes privacy settings which allow you to specify no clear text recoverable data will be saved from encrypted session in the browser. However, there is the possibility of cleartext being written to memory, and to shared files.

Here's where things get really hinky.

It is a DMCA offense to discuss the obscured security of the iPhone in specific ways; because you violate the non-circumvention clause.

So no-one is allowed to actually talk about the security, or lack thereof, in the phone; except that which is publicly acknowledged, or which can be determined without circumventing security measures (no matter how ineffectual).

Further, code licenses are issued under STRICT NDA; so developers can't disclose or share holes, or fixes for them.

So it is impossible to know what exactly is happening in the phone from a security standpoint; at least without violating the law.

I should say however, this is also true of most other handsets; including Blackberries and Windows Mobile.

So, to summarize, you would be a fool if you performed any kind of banking transaction other than perhaps checking your balance (which can generally be done in secure ways that offer no further threat of compromise, depending on your bank) using your mobile phone.

Ted said...

Chris, thanks for the info. I'll take that as "use an ATM or your home computer" ... ;-)

The problem with the DMCA has been well hashed out in the security community (as you know). Unfortunately, it only stops the Good Guys, not the Bad Guys who simply don't care about violating license agreements (because they're crooks).

There are a lot of similarities between this and gun control laws, when you think about it.

chrisb said...

Ted you took the words out of my mouth in that last sentence. When will people learn that most laws don't actually deter criminals? They just handicap the law-abiding.