Mobile apps that take on the work of online banks need also take on the responsibility of security. This could be seen in the recent Slate article detailing the hack of a web developer’s account with Venmo, a mobile app that lets you send free and instantaneous payments to anyone using bank account or debit card number.
The web developer was notified by his bank of a pending transaction on his debit card for nearly $3,000 via his Venmo account. He tried to log into his Venmo account to investigate, but his password had been changed. When he used the reset option to log in, he found that someone had changed his email address to a different one, and had sent money to a user he didn’t recognize.
Venmo was lacking in some basic security requirements, such as notifications whenever your account’s email address or password is changed. They also did not offer two-factor authentication for securing their users’ account logins.
After about a month of rising concerns about their security, Venmo released a blog stating that they would put more safeguards in place in order to secure their users’ transactions and accounts, including:
– Notifications and email verifications whenever the primary account email or phone number is changed
– Notification whenever your password is changed
– Multifactor authentication and other product features to enhance user security and experience (future)
Similar criticisms from the security industry plagued Apple after the celebrity iCloud hacks last year. As a result, Apple implemented several basic security features, including:
– Push notification alerts whenever someone tries to change iCloud passwords
– Upload backed-up account data to a new device
– Logs into their account for the first time from an unknown device
In addition to what they call “two-step” verification to protect iCloud account logins (opt-in).
Users can set up two-factor authentication on their iCloud accounts, sending a four-digit code to your phone via the Find My iPhone app or SMS. Any mobile or cloud login that allows access to private data or conducts monetary transactions should be protected by these basic security standards, at the very least.
Hopefully, when Venmo rolls out their multifactor authentication solution, they’ll offer a real two-factor solution, unlike Intuit’s solution for TurboTax. Intuit’s multi-factor solution requires a user to log in with their primary username and password, then complete secondary authentication by submitting a passcode sent to an email address associated with the account.
However, this seemingly rushed solution (in time to save them for this year’s tax season, I’m sure) has some obvious flaws – if users reused their TurboTax credentials as their email login, online criminals could log into both accounts and easily bypass both primary and secondary authentication. This particular type of multi-factor authentication solution is also prey to a man-in-the-browser (MiTB) attack, in which attackers can bypass one-time passcode (OTP) two-factor solutions in a variety of ways.
This type of solution carries out your second factor of authentication over the same channel as your first (via the Internet). A more secure method of authentication would involve more than one channel – for example, for a web application like TurboTax, using the Internet for primary auth and push notifications via a mobile app for secondary auth requires the use of a physical device to verify the auth request.
An article from TheVerge.com argues that Venmo’s lack of two-factor authentication is barely “a unique vulnerability,” citing a number of banks that don’t offer the security service. The article also points out that typing in four digits for security ruins the app’s convenience.
But if security was as easy as tapping one button on a push notification, that may change the user’s experience from a security and usability perspective. Learn more about different two-factor solutions in our Two-Factor Authentication Evaluation Guide.
To learn more about the Two-Factor Authentication Evaluation Guide, please read the rest of this article on Duo Security’s blog here.
Free eBook: Two-Factor Authentication Evaluation Guide – Get your copy now.
By Thu Pham, Information Security Journalist, Duo Security | @Thu_Duo
Bio: Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.
About Duo Security
Duo Security is on a mission to provide advanced security solutions for organizations of all sizes. Duo’s innovative technology protects users, data and applications from credential theft and breaches with a focus on streamlined usability. The company was co-founded by CEO Dug Song, a major contributor to the security community, and CTO Jon Oberheide, expert cloud, mobile, and malware security researcher.