Banks defend integrity of passcode-less TouchID login

Royal Bank of Scotland and NatWest have played down claims by a security researcher that their new Touch ID banking login feature might be circumvented, arguing the hack would only be possible with jail-broken iPhones — the use of which is not recommended.

Last month, RBS and NatWest became the first UK-based banks to offer their customers the option to log in to mobile banking apps using Apple’s Touch ID fingerprint recognition technology.

Customers with the banks with iPhone 5S, iPhone 6 or iPhone 6 Plus smartphones will be able to access their mobile banking app within seconds using their fingers.

The approach does away with the need to remember passcodes when a customer needs access to banking facilities whilst on the move.

However, security researcher Andrew Whaley analysed the security of the feature before publishing a detailed blog post last week.

"It was very easy for me to analyse the implementation and bypass all authentication to gain access to accounts, payments and even send cash, as they're making the basic blunder of storing the passcode on the device," Whaley told El Reg

In response to queries from El Reg RBS and NatWest supplied a statement strongly disputing any suggestion that the recently introduced fingerprint login facility was insecure.

We do everything we can to make banking secure for our customers and we've tested this to make sure it was safe before launch. Other banking institutions across the world are also using this technology with their customers.

API spoofing and access to data held in the secure keychain is only possible on a jail-broken iPhone. We strongly advise customers against tampering with the security of their phone.

If our customers' phone is lost or stolen, they should contact us immediately and we can suspend service to their app.

They can also contact their mobile phone network provider who could disable service to their phone. Additionally, if they have the ‘Find my iPhone’ facility, then they can remotely wipe their iPhone via iCloud.

We review all fraud claims and refund customers in line with our obligations and our security promise.

Whaley was dissatisfied by this explanation. "They claim they do everything possible to ensure security; I would dispute this since there is no evidence of any pen testing having taken place," he explained.

"They claim that these issues are only exploitable on jail-broken devices, but a lost phone could be subsequently jail-broken; they take no measures to prevent a user installing on a jail broken device; and malware using an exploit could escape the sandbox and use these techniques to attack customers remotely," he added.

"These techniques are not limited to jail-broken phones. Any exploit leaves the app completely vulnerable to manipulation, for example Wirelurker amongst others."

"The customers themselves do not need to jail-break the phone to be exposed, a lost or stolen phone can be brute forced and then a tethered jail-break applied to permit retrieval of the passcode via my technique," he concluded.

The technology is supplied by developer Monitise. A spokesman for the firm defended the security of the technology in general while referring us towards RBS for a comment on the specifics.

"Security is of paramount importance to us," Monitise said. "TouchID can be deployed in a number of different ways. While Touch ID is functionality that we can and do implement for our clients, we can't comment on how Touch ID was installed for the RBS/NatWest app." ®