BarbaraHudson's Journal: Banks still not sanitizing user input.
(Note - also submitted as a story since this probably affects more than a few people)
Recently I tried once again to use my bank's mobile app. I had deleted it a couple of times in the past because I could never get it to work. The bank had all sorts of excuses - "Maybe your card hasn't been activated for online banking", "You need to download the latest version", "We'll need to reset your password", "We'll issue you a new card", etc. New card, password reset both did nothing.
Turns out that entering the card number as shown on the card will never work. The card format is 9999 9999 9999 9999 (spaces between each group of 4 digits). They failed Rule 00: sanitize input.
Entering the number in that format will always fail. In this case they failed to remove spaces before testing whether the card number was valid. The Android code to remove the embedded spaces is a pretty generic one-liner:
String cardNo = edittext.getText().toString().replace(" ", "");
Looking at the online forums, others have had the same problem for the app's entire existence.
Having figured that out, I was immediately locked out for "too many failures to answer the security question". Of course, it never presented a security question, because the bozo who wrote the program incremented some "bad answer" counter on every login attempt, even if they never got to the point of seeing a security question. It also locks you out of using web banking on the same account.
Locking someone out of their account is now easy as pie, because it also works if the user enters their name instead of their card number. (If you have 5 John Smiths, you'll lock them all out, since access is granted based on both the user name and password matching if the account number isn't entered.) Just load up an Android app for the bank (I won't disclose which bank until 45 days have passed since notifying them today), enter their name and a bogus password a few times, and every John Smith is locked out. And of course, if the so-called developers are failing to do such basic input sanitization, it makes me pretty sure other intern-level programmer bugs are awaiting exploitation elsewhere.
Adding frustration is that they cannot do a password reset over the phone unless you have already signed up for telephone banking. Now why would anyone sign up for telephone banking when an app or the web is supposed to be more convenient? The excuse I was given is that they need it to establish my identity. So why not just text me an sms or email code that I can enter when requesting a password reset?
Let's hope other banks didn't use the same app geniuses.
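The two defects described in the post (rejecting the card number because of embedded spaces, and counting a "bad security answer" on every failed login even when no question was shown) side by side with the corrected logic, as an added example that is not the bank's or the app's own code; the class name, the failure threshold of 3 and the test card number are assumptions, and the card number is a constructed Luhn-valid test value, not a real account.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not the bank's code: normalize what the user typed, then
// validate, instead of failing on "9999 9999 9999 9999".
public final class CardLogin {

    // Strip the spaces and dashes users copy from the card face, then require
    // exactly 16 digits with a valid Luhn check digit. Returns null on failure.
    public static String normalizeCardNumber(String raw) {
        if (raw == null) return null;
        String digits = raw.replaceAll("[\\s-]", "");
        if (!digits.matches("\\d{16}") || !luhnValid(digits)) return null;
        return digits;
    }

    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean dbl = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            dbl = !dbl;
        }
        return sum % 10 == 0;
    }

    // Lockout counter keyed by account, incremented only when a security
    // question was actually presented and answered wrongly. The bug in the
    // post counted every failed login, question or not.
    private static final int MAX_BAD_ANSWERS = 3;   // assumed threshold
    private final Map<String, Integer> badAnswers = new HashMap<>();

    public boolean isLocked(String account) {
        return badAnswers.getOrDefault(account, 0) >= MAX_BAD_ANSWERS;
    }

    public void recordSecurityQuestionResult(String account, boolean questionShown, boolean correct) {
        if (!questionShown || correct) return;     // nothing to count
        badAnswers.merge(account, 1, Integer::sum);
    }

    public static void main(String[] args) {
        // Constructed test number (Luhn-valid), entered exactly as printed on a card.
        System.out.println(normalizeCardNumber("4539 1488 0343 6467"));  // 4539148803436467
        CardLogin login = new CardLogin();
        for (int i = 0; i < 5; i++) login.recordSecurityQuestionResult("acct-1", false, false);
        System.out.println(login.isLocked("acct-1"));  // false: no question was ever shown
    }
}
```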
not your bank's (Score:1)
Recently I tried once again to use my bank's mobile app.
"Danger" must be your middle name. I hate using my desktop for anything financially serious, and it's reasonably securable. My phone is for phun only.
And banks hardly need mobile devs on staff. Or prolly even web devs. Heck, every company I've worked at that does web apps as their actual business, has outsourced its own site!
Re: (Score:1)
I assumed all apps are just lame duplicates of the companies' web sites. This sounds better. Although some credentials must be sent, from the phone. And I assume phones are compromised. (Especially Androids, which aren't as updated.) As long as the web service behind the app enforces only those operations that the app should be able to do, then it's okay. But all this shit is prolly outsourced, to some place cheap. Good luck.
Re: (Score:2)
I assumed all apps are just lame duplicates of the companies' web sites.
I presume different banks have different ideas of what should - and should not - be allowable through online banking. The banks I have used in the past couple decades (or at least since online banking became a commonly accepted idea) have generally seemed to favor on the side of caution and kept the options limited for their online banking. This has resulted in the banking sites mostly existing to check your balance and move money between your own accounts.
I've only had one bank since I obtained an a
Re: (Score:1)
"... conservative ..., and I do agree with that philosophy." -- DR
I should make that my sig. ;)
Re: (Score:2)
It's self-perpetuating because the managers at the banks are not going to admit th
Re: (Score:2)
If you find the person's card, you can do your research online, then get into their web account after you fail the password check and use your research to answer the security question. You can then change all the contact information (phone, address, email) except the account holder name.
Also, another problem is that when you go to order new checks, your bank website is just acting as a go-between to the check printer, who stores ALL your information long after the order is delivered (in my case at least 10
Re: (Score:2)
If you find the person's card, you can do your research online, then get into their web account after you fail the password check and use your research to answer the security question. You can then change all the contact information (phone, address, email) except the account holder name.
In the case of the bank I use, only a very small amount of what you describe is possible.
If you know that "John Smith" is a customer of the bank I use (whether you find their card or not is actually irrelevant though the card would tell you they are a customer here), you could figure out their web banking user name based on knowing that the standard user name for this bank is (first initial)(lastname)(four digit birthday [sans year]). However trying to guess the password won't generally work as it will
Sanitize input (Score:1)
I wish Slashdot would do that when people try to send unicode down the pipe.
Locking a bunch of people out of their bank account sounds like fun, but don't most of them at least ask you to create a unique username?
Re: (Score:1)
Your user name is *gasp* your name on the account.
That's some lazy shit. Oh well, if it can be done, have fun with it as you described until enough people get sufficiently pissed off to demand something be done to fix it. Start with the most common names... You might not want to use your own phone though.
XKCD reference unfulfilled (Score:2)
Not all banks (Score:2)
I don't know about the bank with my checking accounts, but it appears that the three for my credit cards are pretty well-designed, and inputs appear to be sanitized.
I have seen e-commerce sites with the problems you pointed out.