USPS issues "TSP Fund" App security warning from US Gov

Question

Level 1

0 points

USPS issues "TSP Fund" App security warning from US Gov

This warning was issued by the government about the following app.

Avoid the app

Posted 3/14/13 at 1:55 p.m.

Thrift Savings Plan (TSP) officials are urging federal employees to steer clear of a new third-party application that may be phishing for personal information about their TSP government retirement accounts.

A free iPhone app called TSP Funds, currently being offered through the Apple App store, asks TSP participants for their account login information. “This app is not being offered through the TSP and the TSP does not recommend using this application to access your TSP account,” said a TSP statement. “Providing this information could result in a security risk to your account.”

For employees who have downloaded TSP Funds, the Postal Service recommends deleting the app and changing the passwords to their TSP accounts.

The Government Executive’s app for iPhone and Android, which features a TSP ticker with up-to-date information on all TSP funds, does not ask for account information.

IPad, iPhone, iOS 4

Posted on Mar 26, 2013 7:37 AM

Reply

Answer 1

etresoft

Level 8

46,384 points

Mar 26, 2013 9:06 AM in response to Kevin11721

The government is just annoyed that sure dude wrote an app they they haven't been able to write in 4 years and in all likelihood have spent millions of dollars on. There are many apps that connect to 3rd party services and that does not mean they are fraudulent in any way. Unless. And until the government manages to release their own app, this is just sour grapes and an unfair abuse of power.

Reply

Answer 2

Mar 26, 2013 10:25 AM in response to Kevin11721

There is always a danger in supplying sensitive information like account numbers and passwords to 3rd part apps such as this.

The page for the app in the App Store does not contain any developer information or any links to a developer website. While it is probably safe I would not enter account/password information into an app like this,

And there is no real need to, you can see the value of the funds without entering your personal data.

Reply

Answer 3

Kevin11721 Author

Level 1

0 points

Mar 26, 2013 10:52 AM in response to etresoft

etresoft, go grind you axe elsewhere please.

I've been using the TPS web site for oh? 15 years now? It's always been state of the art. And it's a great program, puts private plans to shame.

I know it's rare in the private sector that, d

say a bank would bother to warn a customer about a potential security problem EVEN THOUGH THEY WOULDN'T BE LEGALLY LIABLE, just you know, because they care about people. aka "service" vs profits.

But entering your TSP password into an App would POTENTIALLY allow the company, or anyone who could hack the company's computers, or anyone who gained access to their phone to clean out a retiree's (ie. elderly technophobe) life savings.

I know, I know, that's THEIR problem. It's private industry's job, your job, to figure a way to rip them off in every way possible.

Honestly, the government, as bad as they are sometimes, has treated me better than corporations. And every problem I have with the government is rooted in the influence corporations hold over officials.

“Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power”

― Benito Mussolini

Reply

Answer 4

etresoft

Level 8

46,384 points

Mar 26, 2013 11:14 AM in response to Frank Caggiano

Frank Caggiano wrote:

There is always a danger in supplying sensitive information like account numbers and passwords to 3rd part apps such as this.

That is certainly true.

The page for the app in the App Store does not contain any developer information or any links to a developer website.

That is not true. The developer's name "Steve May" is listed right there. The "App Support" button takes you to the developer's web site where he explains how the app uses the same interface as any web browser.

There is always a chance that someone has managed to slip something malicious into the App Store. I think it has even been done once or twice. I see no evidence that in this case.

I see the original poster has replied. I wonder. Does Kevin11721 have any connection to Government Executive or National Journal Group? If so, you need a disclaimer on your post so that people know you are just pushing your own app. If not, I suggest you try to access your TSP funds from the official .gov web site on an iPhone. Make sure to use a retina model phone and a high-powered magnifying glass. If you still can't see anything, maybe search for the App Store for something that makes the site usable on an iPhone. 🙂

Reply

Answer 5

Mar 26, 2013 11:30 AM in response to etresoft

The page for the app in the App Store does not contain any developer information or any links to a developer website.

That is not true. The developer's name "Steve May" is listed right there. The "App Support" button takes you to the developer's web site where he explains how the app uses the same interface as any web browser.

I don;t see an App Support button on the App Store page I'm looking at. I see the developer's name and a link to his other two apps but no web site or support links.

Anyway it really doesn't matter. As I said I would be very leery in entering personal information into an app like this.

And it appears that the OP was not asking a question about this app but posting a comment.

regards

Reply

Answer 6

etresoft

Level 8

46,384 points

Mar 26, 2013 2:04 PM in response to Frank Caggiano

Frank Caggiano wrote:

I don;t see an App Support button on the App Store page I'm looking at. I see the developer's name and a link to his other two apps but no web site or support links.

Anyway it really doesn't matter. As I said I would be very leery in entering personal information into an app like this.

And it appears that the OP was not asking a question about this app but posting a comment.

Understood. Plus, this is old news. I remember when it first came out and the developer didn't have anything on his web site for contact information. Since then, he has posted a comment defending the app and added a comment form. It looks to me like somebody who wrote an app just for himself and went ahead and submitted it for other people to use.

Now that I think about it, I actually have an app that does something similar. I think it is important to be cautious about entering personal information, but you need to draw a line somewhere. This isn't something downloaded from some random website. It has been approved by Apple. If Apple finds it to be malicious, Apple will remove it promptly. There is a chain of trust there. People download and install open source software all the time that has no such chain of trust. How do you know your privacy-enhancing proxy isn't skimming bank passwords?

Reply

Answer 7

Mar 26, 2013 2:21 PM in response to etresoft

Interesting. In the iTunes App store the page looks different

Mostly agree with your comments.

For me if an app appeared in the App Store to allow me to check my Fidelity accounts for example and it wasn;t the app from Fidelity itself, I would not enter my account credentials into it. I look at this the same way.

But as you wrote, it's all a crap shoot in the end no one really knows where any of this stuff goes or who's at the other end.

regards

Reply