Thursday, March 13, 2014

Using your phone as your wallet is an unbelievably bad idea

Peter emails to ask whether this is a good idea:
How your mobile is about to replace your wallet

The days of reaching for your credit or debit card could soon be over

...

New payment systems are also appearing on mobile phones. This week, the Payments Council banking body revealed the Paym service, which will allow users to send money to their contacts using just a mobile phone number. The service will be integrated into mobile banking apps or payment apps, with nine banks and building societies signed up to the system, when it launches next month or in May.
Sweet Baby Jesus, NO!

This is such an enormously bad idea that I'm not even sure where to start. Maybe with the problem that if you lose your phone, everything on the phone ends up in someone else's hands:
It seems that Philip and Tina Sherman have an affectionate marriage. In their case, this would include Mr. Sherman taking naughty pictures of Mrs. Sherman. Nothing wrong with that if that's your bag, baby. Just don't lose the phone:
An Arkansas man on Friday filed a lawsuit against McDonald's, alleging a restaurant location uploaded nude photos of his wife onto a web site. In the suit, Phillip Sherman said he left his phone at a McDonald's location in Fayetteville, Arkansas, and that a manager promised the phone was secured for him to retrieve it. After picking up his iPhone, photos of Sherman's wife Tina Sherman made their way onto a web site -- along with her name, address and contact information, the suit claims.
Oops.
If you lose your credit card, you call the credit card company and you're covered for liability.  Is that what happens here?  Beats me.  Do you read the EULA for the apps you install or do you just click Next?

Maybe it's a lack of confidence in the security in the apps themselves:
Here chez Borepatch we simply won't do online banking, because I'm not convinced that banks have sufficient security in their online systems to stop massive fraud, or have processes in place to identify and react to it. In short, I'm quite unwilling to be a guinea pig for their new Web 2.0 e-Portal.

You shouldn't, either. The reasons include:

The Internet applications that banks are putting online are rushed into production, and therefore are probably not well tested. The Executive VP of online banking is in a hurry to "take the company 'e'", so time's a-wasting. It's hard enough to do basic functionality testing (do all the widgets work?), let alone figure out if security is well implemented. At the extreme, security isn't an afterthought; it isn't thought of at all.

The web 2.0 technologies that techies love so much (and which provide such a cool user experience) are brand new. People really don't know what the security implications of these technologies are. But everyone uses them anyway. How secure is the app? How would someone find out? How would you find out? Unfortunately, the answers are [sound of crickets chirping].

Credit card companies have been dealing with card fraud for decades. They understand how to find patterns much, much better than banks do. If you include telephone credit card ordering, the card issuers have been dealing with fraudulent orders for 30 or 40 years. Some of the most sophisticated data mining applications are in use at Visa and MasterCard. Banks are new to this - if someone figures out how to transfer cash from online accounts, do they know how to identify this? Not clear at all.

It's getting worse, not better.
Replace "Web 2.0" with "iOS and Android Apps" and every word remains pertinent here.  I don't know how secure these apps are, and quite frankly I don't think that anyone does.

Maybe it's because a bunch of Android phones come with malware pre-installed at the factory:
A wide range of smartphones and tablets manufactured by Samsung, Motorola, Asus and LG Electronics have apparently been compromised with malicious apps before being sold to unsuspecting clients.

The claim has been made by David Jevans, founder and CTO of Marble Security, who discovered the problem after a potential customer complained that the company's mobile security management platform detected Netflix apps on several of its employees' devices as malicious.

As it turned out, they were malicious, and were harvesting passwords and financial information and sending it to a server in Russia. "The company claimed the apps were already installed on the devices when they bought them," Jevans told Jeremy Kirk.
I don't know who is liable if you install this app on a new phone that's pre-pwn3d from the factory.  Is it the bank?  The carrier?  The factory?  Beats me, but I don't want to have to find out because it was my bank account that got cleaned out.

As you can tell from the links included here, I've been blogging about this for a very long time.  It's an enormously bad idea.  I go into a lot of detail here:
What's wrong with this picture?

Both my regular readers are probably thinking what's wrong is that we're going to get another rant about online banking. Well, yes you are, but that's not the point. Buckle up, because I'm about to roll out Borepatch's Second Law of Security.

Let's think about a brick-and-mortar bank ...
My advice is to let someone else be the guinea pig.  There's a reason that they call it the "Bleeding Edge" of technology.

8 comments:

Old NFO said...

Three words... Oh HELL no!

WOZ said...

For the past 13 years I've worked at a small company that writes Internet Banking and Cash Management software for banks. We are not one of the "Big IBCM" vendors. Triple factor authentication, software tokens and keyfob tokens are available to help protect the customer's accounts.

The banks monitor "irregular online behavior". Even with all the tools, the end user is their own worst enemy. No malware protection on their pc. Saved login ids and passwords. Weak user id and password credentials. Taking the bait from phishing emails. Alerts sent to the user if specific activity happens on the account.

Companies using the product put convenience before security and have one person have the entire keys to the kingdom and avoid dual control.

Their thinking is that "The Bank will stop the bad guys from taking my money". Once the funds are absconded, the bank will only make it good if the bank is negligent.

BTW...I don't use mobile banking because I didn't build the phone and can't be sure what all's on it.

WOZ said...

For the past 13 years I've worked at a small company that writes Internet Banking and Cash Management software for banks. We are not one of the "Big IBCM" vendors. Triple factor authentication, software tokens and keyfob tokens are available to help protect the customer's accounts.

The banks monitor "irregular online behavior". Even with all the tools, the end user is their own worst enemy. No malware protection on their pc. Saved login ids and passwords. Weak user id and password credentials. Taking the bait from phishing emails. Alerts sent to the user if specific activity happens on the account.

Companies using the product put convenience before security and have one person have the entire keys to the kingdom and avoid dual control.

Their thinking is that "The Bank will stop the bad guys from taking my money". Once the funds are absconded, the bank will only make it good if the bank is negligent.

BTW...I don't use mobile banking because I didn't build the phone and can't be sure what all's on it.

Douglas2 said...

Our apartment landlord just takes a picture of our check with his smartphone, and by that means it is deposited in his account. My wife is thrilled with this idea as an advantage in our nomadic lifestyle -- we've got homes in three states and are constantly sending checks by post to our "local" bank in some other state because the cost of a stamp is far cheaper than wire-transfer fees.
One of our banks announced a smartphone app, and my wife was very eager. She did not like my vociferous "no".
I'm toying with the idea of getting some non-Android smartphone activated via MVNO and just keeping it in the safe for when we want to make a deposit. I'm thinking that Apple is probably the only practical option, but won't do it before investigating whether a Windows phone might work.

Erin Palette said...

I have a similar reaction every time I see the commercial where every function of a house, including locks, is accessible via Smartphone app.

It's such a bad idea that, when I turned to my parents (both of whom are in their mid-70s) and asked, "Do you realize why this is a horrible idea?", my nearly luddite mother was able to come up with the notion that "If someone steals or hacks your phone, you lose your house."

Ken said...

The Ubuntu phones look more tempting by the day, not that I'd particularly trust those either.

Geodkyt said...

Seriously, before I started reading your mobile banking app rants, I was seriously annoyed that my cheap Android tablet wasn't from a "recognized manufacturer" and therefore couldn't download the apps from my banks from the only source -- the Google App Store.

I was looking forward to upgrading to a smartphone and finally being able to bank by app.

Now I'm glad I couldn't download those apps!

FrankC said...

This Luddite thanks Borepatch for yet another reason to stay well behind current trends.