Security holes in mobile bank apps

This is not good.

A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.

“Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws,” research firm viaForensics wrote in a post on its site. “The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly.”

The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal’s iPhone app, spurring the online payment provider to action.

Specifically, viaForensics concluded that: USAA’s Android app stored copies of Web pages a user visited on the phone; TD Ameritrade’s iPhone and Android apps stored the user name in plain text on the phone; Wells Fargo’s Android app stored user name, password, and account data in plain text on the phone; Bank of America’s Android app saved a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase’s iPhone app stored the username on the phone if the user chose that option, according to the report.

While most of the companies scrambled to update their apps, this tidbit is concerning:

Spokespeople from several of the financial institutions told the newspaper that the supposed holes, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.

As pointed out by Andrew Hoog of viaForensics:

“Our appWatchdog service clearly highlights the secure aspects of the financial apps we tested. Unfortunately, in the security world (especially when you access your bank account or provide credit card numbers), providing security most of the time is simply not good enough. For mobile app providers, there are no shortcuts to protecting customers’ data. It must be engineered from the start and thoroughly tested after any change in the app or underlying OS (i.e. iPhone iOS or Google Android).” (Source: CNET News)

While technological advancement has made life easier in many respects, security cannot be sacrificed.





About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A+ and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on November 10, 2010, in Cybersecurity, Security, Security breach, vulnerability.
