CommBank app leaks 2FA tokens says Sydney dev

Fraudster friends might finger your phone and rummage in your bank account

Sydney programmer Stuart Ryan has chipped Australia's dominant retail bank, the Commonwealth Bank, for allowing two factor authentication codes to be viewable on locked iPhones.

The bank sends authentication tokens over push notifications on iOS devices, rather than SMS for users who had activated the second factor account log in feature.

CommBank made the change in October.

Ryan said that the glitch allows the tokens to be displayed on lock screens.

"The security flaw arises as a result of the Netcode being displayed within the push notification itself," Ryan (@stuartcryan) said in a post.

"Therefore, anyone who can physically access your phone can gain access to a Netcode as it will display on the lock screen.

"This is a significant flaw as any such security codes should require the phone to be unlocked to reveal the code as is common practice."

The Commonwealth Bank has been contacted for comment.

Ryan said the bank's customer service squad said he and other concerned punters should change the push notification settings so that it would not display on lock screens.

The bank's operatives also pointed out a token would be useless to fraudsters without other bank information.

The tokens would be useful to attackers who knew and disliked their targets enough to obtain their banking credentials, passed identification checks and stole a victim's iPhone.

Attackers operating on that level could typically hose their targets without much fuss, however.

This reporter considers the issue on the security periphery, while a fix should be highly desirable for the app's next update. But it is also a plausible attack that well-organised crims stalking big game would consider. ®


Biting the hand that feeds IT © 1998–2017