CommBank app leaks 2FA tokens says Sydney dev
Fraudster friends might finger your phone and rummage in your bank account
Sydney programmer Stuart Ryan has chipped Australia's dominant retail bank, the Commonwealth Bank, for allowing two-factor authentication codes to be viewable on locked iPhones.
The bank sends authentication tokens over push notifications on iOS devices, rather than by SMS, to users who have activated the second-factor account login feature.
CommBank made the change in October.
Ryan said that the glitch allows the tokens to be displayed on lock screens.
"Therefore, anyone who can physically access your phone can gain access to a Netcode as it will display on the lock screen.
"This is a significant flaw as any such security codes should require the phone to be unlocked to reveal the code as is common practice."
The Commonwealth Bank has been contacted for comment.
Ryan said the bank's customer service squad told him and other concerned punters to change their push notification settings so that the codes would not display on lock screens.
The bank's operatives also pointed out that a token would be useless to fraudsters without other bank information.
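Two app-side layers an iOS developer can put between a one-time code and the lock screen, shown here as an added Swift example that is not CommBank's code: a notification category with a hidden-preview placeholder, and a payload that never carries the code at all. The category identifier, placeholder text and alert wording are assumed values, not taken from the article.

```swift
import UserNotifications

// Layer 1: register a category whose body is swapped for a placeholder
// whenever iOS hides previews. Caveat: this only applies if the user's
// Settings > Notifications > Show Previews is "When Unlocked" or "Never".
// With "Always" the full body still shows on the lock screen, which is
// why the bank's advice was to change that setting; an app cannot force it.
// Identifier and placeholder text are assumed values.
func registerNetcodeCategory() {
    let category = UNNotificationCategory(
        identifier: "NETCODE",
        actions: [],
        intentIdentifiers: [],
        hiddenPreviewsBodyPlaceholder: "Unlock to view your NetCode",
        options: [])
    UNUserNotificationCenter.current().setNotificationCategories([category])
}

// Layer 2 (the robust fix): the alert names the event but does not carry
// the secret. Passing a code reproduces the weak form described in the
// article; passing nil builds the hardened form, where the app shows the
// code only once the user has unlocked the phone and opened the app.
func netcodeAlertContent(leakingCode code: String? = nil) -> UNMutableNotificationContent {
    let content = UNMutableNotificationContent()
    content.title = "CommBank NetCode"
    content.categoryIdentifier = "NETCODE"
    if let code = code {
        // Weak form: the body is the code, so it is readable on a locked phone
        // whenever previews are shown.
        content.body = "Your NetCode is \(code)"
    } else {
        // Hardened form: nothing on the lock screen is worth reading.
        content.body = "Open the app to view your NetCode"
    }
    return content
}
```

The same split applies to a server-built APNs payload: the `alert` body should be the event description and the `category` should be `NETCODE`; the code itself is fetched by the signed-in app.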
The tokens would be useful to attackers who knew and disliked their targets enough to obtain their banking credentials, pass identification checks and steal the victim's iPhone.
Attackers operating at that level could typically hose their targets without much fuss, however.
This reporter considers the issue to be on the security periphery, though a fix is highly desirable for the app's next update. But it is also a plausible attack that well-organised crims stalking big game would consider. ®