
FBI warns hackers are targeting mobile banking apps - elorant
https://thehill.com/policy/cybersecurity/502148-fbi-warns-hackers-are-targeting-mobile-banking-apps
======
deepspace
> In order to combat these threats, the FBI recommended that Americans only
> download banking apps from official app stores or from banking websites.

I would like to know who these people are who would download their _banking_
apps from hax0rs.rus rather than, you know, the app store where they get all
their other apps from.

~~~
thephyber
As someone who works on developing cybersecurity products, it's incredibly
unhelpful to disdain users by assuming the worst case as in

> who would download their banking apps from hax0rs.rus

Having empathy with users that don't act perfectly skeptical 100% of the time
and who don't read all of the text (like none of us read 100% of the EULAs
every time we click the "accept terms" button/checkbox) will allow us to build
systems which are more robust to the occasional distracted user, overlooked
typo, user who doesn't know how to mentally parse a URL to identify the domain,
etc.

Also, there are plenty of people on HN that advocate for breaking down all of
the walled garden app stores, which necessarily means that users would have a
higher cognitive load of researching which domains are more trusted app
stores. It's ridiculously easy not to accidentally download an iOS app from a
3rd party app store, because they simply aren't possible without jailbreak /
install developer cert.

~~~
userbinator
_Also, there are plenty of people on HN that advocate for breaking down all of
the walled garden app stores, which necessarily means that users would have a
higher cognitive load of researching which domains are more trusted app
stores_

How about _the bank's own website_? I trust that more than any "app store"
(which is, after all, run by a third-party) for downloading its app.

~~~
wmf
The problem there is phishing. If you trust the bank's site but you don't
realize that you aren't on the bank's site then you're screwed. Sure, this
doesn't apply to you; it only applies to 90% of humanity.

------
Alupis
I used to be quite annoyed with 2FA (although I understood the value)... and
was particularly annoyed when one of my banks made 2FA mandatory.

Begrudgingly shlupping myself to the other room to locate my phone and get a
texted code...

But, after receiving 3 different password reset emails in a short period for
different services, I decided to enable 2FA for everything that supports it.
Where possible, choosing the Time Based 2FA instead of texting codes (just in
case I lose my phone or something).

With the right mindset (and paranoia), I'm coming around to viewing this
inconvenience as necessary, and wish more services supported it.

~~~
PascLeRasc
If you have 1Password it makes software-based 2FA so easy that you'll barely
notice it's on. Though I haven't been able to find a single US bank that
supports software 2FA.

~~~
ganstyles
Does 1Pass support 2FA or otherwise handle it? I have been using 1Pass for
years, but use a different app for my MFA.

~~~
developer2
You could also look at Bitwarden. I'm not affiliated, but it's an amazing
password manager (desktop app, mobile apps, browser extensions). Even better,
it's fully open source; you can even run your own server to keep out a third-
party being your (encrypted) sync server. I've been using it for a couple of
years now, and have never had a single problem. Free for personal use of
almost everything… an upgrade to include the two-factor auth you're looking
for is a very cheap $10/year.

------
sys_64738
Banking shouldn't be done from your phone IMO. It should be done from a secure
location (your home) on a computer you can trust (not Windows). I don't get
the rationale for requiring to do bank ops so often that you need to do them
on a phone. Protect yourself.

~~~
dangus
I agree, but I would take this a step further. A lot of security breaches
happen with social engineering. So, if someone can call or text you, they
might convince you to give away your banking information or sensitive personal
details. For me that means I destroyed my smartphone and no longer speak to my
family, certainly not with an insecure operating system that I didn’t write
myself.

------
user764743
My bank recently switched to 2FA but only allows authentication via SMS when
logging in. I wish they didn't do that considering how relatively easy it is
to sim-hijack those things.

------
tedunangst
What is this virus trojan that waits until you download a legit banking app
and swaps the icon?

~~~
wmf
I see "the banking trojan then overlays the app" which isn't swapping the
icon. Overlay malware is well known on Android, e.g.
[https://securityintelligence.com/posts/new-android-banking-t...](https://securityintelligence.com/posts/new-android-banking-trojan-targets-spanish-portuguese-speaking-users/)
[https://github.com/geeksonsecurity/android-overlay-malware-e...](https://github.com/geeksonsecurity/android-overlay-malware-example)

------
kevin_thibedeau
This is why I'll never access banking data through an app or mobile browser.
All it takes is the right zero day and millions of people are compromised.
Coupled with the general crappiness of Zelle and you can kiss your money
goodbye.

~~~
ceejayoz
Desktop browsers are hardly invulnerable to zero days.

~~~
rmrfstar
Yeah, but you can keep a separate computer exclusively for finance, medical,
etc.

A Raspberry Pi 3 is like $40.

You shouldn't be doing banking on the same device you use for generic browsing
and email.

It's really strange to me that the security community isn't proselytizing
"security through compartmentalization".

~~~
kadoban
If someone can access my email, they can probably reset my password and get
the 2fa codes, no? Not sure what a separate computer would gain me if a break
in either is the end of the line.

~~~
ceejayoz
> If someone can access my email, they can probably reset my password and get
> the 2fa codes, no?

No? 2FA exists precisely to prevent that sort of attack model.

~~~
kadoban
Most banks think 2fa means they email you a code. At least the ones I've used,
I've yet to find one that implemented an actual hardware key or even totp.

