How Popular Financial Apps Are Failing Your Security

As digital financial platforms become increasingly popular, users rely on apps like Coinbase, Venmo, Cash App, and Credit Karma to manage their finances, transfer money, and access sensitive personal information. With the rise in cyber threats, one would assume these apps prioritize robust security measures to safeguard their users. However, after examining the default security configurations of these widely used apps as of January 2025, I discovered a concerning trend: their design choices actively weaken user security.
The Problem: Weak Default Security Choices
These financial apps often promote the use of biometric authentication, such as Face ID or Touch ID, as a convenient and secure way to access their services. However, the way these apps implement biometric authentication is flawed. Specifically:
Mandatory In-App Passcodes:
- To enable Face ID or Touch ID within these apps, users are required to set up an additional, app-specific passcode, usually a simple 4-digit PIN.
- This passcode is mandatory: users cannot enable biometric authentication without first creating it.
- Even after biometric authentication is set up, the 4-digit PIN remains active and cannot be disabled.
Biometric Authentication Bypass:
- Once Face ID or Touch ID is enabled, users might assume their account is securely locked behind the biometric layer.
- However, if the biometric prompt is dismissed or malfunctions, the app falls back to the in-app passcode instead of the user's primary account credentials (username and password). The PIN, not the biometric, is therefore the control that actually gates access.
Weakness of 4-Digit PINs:
- A 4-digit PIN offers minimal security. With only 10,000 possible combinations, it is far weaker than even the default protection iOS itself offers: a 6-digit passcode has 1,000,000 combinations, and iOS also supports longer custom numeric or alphanumeric passcodes.
- This is a significant weakness, because an attacker only has to guess or observe four digits to get into the app, especially if the device is lost or stolen, or if the PIN was seen over the user's shoulder. Whatever lockout the app applies after wrong guesses is the only remaining defence.
Why Is This a Problem?
The reliance on an app-specific passcode undermines the security benefits of biometric authentication. Here's why this design choice is problematic:
Redundant and Arbitrary Security Layers:
- The mandatory in-app passcode is one more secret users must remember, manage, and protect. It adds nothing when the primary account already has a robust username and password combination.
Increased Attack Surface:
- By falling back to a simple 4-digit PIN instead of the account's username and password, the app lowers its effective security to the strength of that PIN.
- For example, an attacker who gains physical access to an unlocked device only needs to get past a weak 4-digit PIN to reach sensitive financial data.
User Experience vs. Security Trade-Offs:
- While the intention behind these design choices might be to enhance user convenience, they come at the cost of reduced security.
- Users may not realize the implications of enabling biometric authentication if they do not understand how the fallback mechanism works.
A Better Approach
There's no valid reason for these apps to require an additional in-app passcode to use biometric authentication. A more secure and user-friendly implementation would include the following changes:
Fallback to Primary Credentials:
- If biometric authentication fails or is dismissed, the app should fall back to the user's primary account credentials (username and password) rather than a weaker in-app passcode.
Eliminate Mandatory In-App Passcodes:
- Allow users to enable Face ID or Touch ID without requiring a separate app-specific passcode.
- If an app-specific passcode is deemed necessary for certain features, it should support stronger options, such as 6-digit or alphanumeric passcodes, and remain optional for users who prefer to rely solely on biometric authentication.
Educate Users About Security:
- Apps should provide clear explanations of their security mechanisms, including how biometric authentication works and what happens if it fails.
- Users should be empowered to make informed decisions about their security settings without being forced into suboptimal configurations.
Learn From Better Implementations:
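The following is an added example, not code from this article or from any of the apps it names, of what the three changes above look like on iOS. It keeps the session token in the Keychain behind a Face ID / Touch ID access control, has no in-app PIN anywhere, hides the biometric prompt's fallback button, and signs the user out on cancel, mismatch, lockout, or unavailable biometrics so that the next gate is the primary username and password (the behaviour the Venmo update below describes). The Keychain service and account strings are placeholders.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example (not from the article or any named app): a biometric session
// gate with no in-app PIN. Every failure path ends in signOut(), so the only
// fallback is a fresh sign-in with the primary credentials.
enum BiometricSessionGate {
    static let service = "com.example.financeapp"   // assumed identifier
    static let account = "session-token"            // assumed identifier

    enum UnlockResult {
        case unlocked(token: Data)
        case signedOut(reason: String)   // caller shows the username/password screen
    }

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Save the token after a normal username/password sign-in. The access
    /// control requires a match against the biometric set enrolled right now;
    /// enrolling another face or finger later invalidates the item, and
    /// removing the device passcode deletes it.
    static func storeSessionToken(_ token: Data) -> Bool {
        var acError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &acError
        ) else { return false }

        SecItemDelete(baseQuery as CFDictionary)      // replace any older token
        var attrs = baseQuery
        attrs[kSecAttrAccessControl as String] = access
        attrs[kSecValueData as String] = token
        return SecItemAdd(attrs as CFDictionary, nil) == errSecSuccess
    }

    /// Sign out: drop the token so nothing weaker than a fresh login remains.
    static func signOut() {
        SecItemDelete(baseQuery as CFDictionary)
    }

    /// Unlock with biometrics only. An empty fallback title hides the
    /// "Enter Password" button, so the prompt offers no second secret.
    static func unlock(completion: @escaping (UnlockResult) -> Void) {
        let context = LAContext()
        context.localizedFallbackTitle = ""

        var availability: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &availability) else {
            Self.signOut()
            completion(.signedOut(reason: availability?.localizedDescription
                                          ?? "biometrics unavailable"))
            return
        }

        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock your account") { success, evalError in
            guard success else {
                // userCancel, authenticationFailed, biometryLockout: all the same outcome.
                Self.signOut()
                completion(.signedOut(reason: evalError?.localizedDescription
                                              ?? "biometric check failed"))
                return
            }
            // Reuse the already-evaluated context so the Keychain read does
            // not raise a second prompt.
            var query = Self.baseQuery
            query[kSecReturnData as String] = true
            query[kSecUseAuthenticationContext as String] = context
            var item: CFTypeRef?
            let status = SecItemCopyMatching(query as CFDictionary, &item)
            if status == errSecSuccess, let token = item as? Data {
                completion(.unlocked(token: token))
            } else {
                // errSecItemNotFound after biometric re-enrolment, or any
                // other error: treat it exactly like a failed check.
                Self.signOut()
                completion(.signedOut(reason: "stored session unusable (OSStatus \(status))"))
            }
        }
    }
}
```

If an app does want a non-biometric fallback, `LAPolicy.deviceOwnerAuthentication` is the built-in option: it falls back to the device passcode, which is the secret the user already maintains and which iOS lets them make 6 digits or alphanumeric, rather than to a separate 4-digit app PIN. The stored token is still a bearer credential, so server-side expiry and revocation matter as much as the local gate.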
Protecting Yourself Until Change Happens
Until these apps change their defaults, users can protect themselves by taking proactive measures. For instance, iOS 18's Lock App feature (long-press an app icon and choose Require Face ID or Require Touch ID) adds a system-level biometric check in front of these apps, independent of whatever the app does internally. Because a locked app falls back to the device passcode when the biometric check fails, users should pair this feature with a custom-length numeric or alphanumeric iOS passcode; otherwise a short device PIN becomes the weakest link in the same way the in-app PIN is.
The Broader Implications
The security flaws highlighted here are not just theoretical; they have real-world implications for the safety of users’ financial and personal data. As financial apps continue to grow in popularity, they become increasingly attractive targets for attackers. By prioritizing convenience over security, these apps put their users at unnecessary risk.
Developers of financial platforms must recognize that user trust is paramount. Strong security measures are not optional; they are a fundamental requirement for any app handling sensitive financial data. It is time for these apps to revisit their security architectures and adopt practices that truly protect their users.
Final Thoughts
As users, we must remain vigilant and critical of the tools we use to manage our finances. While biometric authentication is a powerful and convenient tool, its implementation must be done correctly to deliver on its promise of enhanced security. By demanding better security practices from app developers, we can push for a safer digital ecosystem for everyone.
Update (February 13, 2025)
Venmo has now fixed this flaw within their iOS app. As of February 13, users can enable Face ID independently of the in-app passcode. If Face ID fails, the app will now prompt users to sign out instead of falling back to the weaker in-app PIN. This is a welcome improvement, and hopefully, other financial apps will follow suit to enhance security.
Written by
Prashant Nadarajan
Works in Tech. Opinions are my own.