Implement Zero Trust (bank logins should originate from my device)
Giovanni Francesco
My bank WellsFargo has flagged MaxRewards connecting hundreds of different accounts from the same IP address/datacenter and forced me to change my username and password 3 times so far.
I don’t want my login credentials to be stored on your servers, rather I wish my credentials to be stored and used from my iPhone directly. Zero Knowlege here means my local iPhone device should encrypt data locally and use the device itself and my own network to push/pull bank data. Similar to how bitwarden works to store my passwords
To add some more datapoints, I ran into this issue (accounts getting flagged, syncing failing, then resetting account password) with Bank of America, Citibank and Barclays.
Specifically the backend of Max Rewards that is fetching the transaction data and statement balance using the bank credentials we supply seem to have the user agent of iPhone 14 coming from an Amazon datacenter (likely using Amazon VPN). For Max Rewards users that don't use an iOS device, this will likely trigger fraud alerts at various banks.
Unless Max Rewards can figure out how to make requests from from on-device (which is very likely the same device users use to login to their bank account mobile apps and banks trust as legitimate), I'd imagine Max Rewards team will continue to play whack-a-mole with fixing syncing issues since banks will continue to flag accounts.
M
Max Bredow
I just found out about the app on Instagram, installed it - but got spooked when I saw how all cards have the same login. My alarm bells rang and I was thinking: “Is this a scam app that wants to collect my ebanking logins?”
I’ll be using the login-free feature for now. Not going to share my credentials with this app without a secure login!
Rida F'kih
Kenneth Smith, Giovanni Francesco
I hear you. First of all, let me assure you that all data on the server is encrypted, both at rest and in transit.
In addition, I will let you in on the fact that internally, the team has been discussing implementing on-device authentication, and on-device cryptographically safe keys to further encrypt credentials & user data. The idea being that without authenticated access to the device & that key, no authentication requests could possibly be made.
So far, we have developed two individual PoCs for cryptographically secure implementations that would allow for a functionality like this using AES & PBKDF2, as well another using NaCl. In addition to this, we've developed one PoC that implements on-device authentication that would effectively result in bank requests coming from your device.
I cannot yet promise these features, nor provide a timeline at the moment, but note that this is something we're exploring. If you have any more questions or suggestions, let me know.
Kenneth Smith
Rida F'kih: That would definitely make me more comfortable with the process. Thanks for letting us know it is being actively explored.
Rida F'kih I'd love to see support for bank credentials to stored on device in secure enclave or the equivalent, but I understand likely there might be limitations for supporting users on older devices that do not have secure enclave equivalents.
Did the team determine what's the best course of action regarding this?
M
Morgan Bowling
I'm sorry to hear that you had trouble with Wells Fargo. We've since made improvements to our connection with Wells Fargo, and you should now be able to sync with them without any issues.
Data security is a big priority for us, and we use bank-level encryption, which follow industry practices around bank connections. We also will never sell or misuse your data, as that goes against our core values.
We’re actively working towards becoming compliant with major information security & risk management frameworks and eventually becoming certified.
If you have any questions, feel free to email me at support@maxrewards.com.
Kenneth Smith
Morgan Bowling:I would like to see some part of the encryption of user credentials reside on the phone or be requested in the app every time a sync occurs. Something like a 'salt' that is required in addition to the encrypted part of the credentials that reside on your servers.
Bill Barnum
I have this trouble with American Express.
Giovanni Francesco
Bill Barnum: yeah I have been unable to use WF with maxrewards ever since… Maxrewards team says to delete bank, log out, log back in on the app then re-add. It says it’s able to login to WF yet no cards are seen.
WF must have blocked them for good. I am not sure why privacy isn’t important to the MaxRewards team. I also contacted them about their app always requesting my location when I open the app regardless of being on a page that doesn’t need location. Not sure if they are selling my data…
Rida F'kih
Giovanni Francesco Has WF been working for you? It should have been back up for some time now, there were some changes that resulted in an outage around the time this was posted.
As for the location prompt, no we do not sell user data, I can see about adding an effort to refine the location services prompt to be less intrusive.
Giovanni Francesco
Rida F'kih: WellsFargo seems to be working but Citibank flagged my account for compromised credentials and forced me to change username and passwords.
I sent support a note about it but it wasn't super helpful, basically it said engineers are working on it and that was that for Citibank which I still have issues (haven't gotten around to try again this week).