US banks stand
accused of being “sloppy” as they scramble to rush out updates to
fix security flaws found in Apple and Android m-banking
applications.

The accusation comes from Andrew
Hoog, chief investigative officer at viaForensic, a Chicago-based
computer and mobile security firm that discovered the problems. The
findings show that Bank of America (BofA), JPMorgan Chase, TD
Ameritrade and PayPal customers to be affected. The issues have
arisen due to a “basic lapse in security” where the apps are
storing a user’s information in the memory of a mobile handset.

“Through the course of many
investigations, we encountered a surprising and increasing amount
of highly sensitive financial and identity information on smart
phones,” said viaForensics in a summary of its appWatchdog findings
posted on its website.

“This information, uncovered on
both Apple iPhones and Google Android devices, would only benefit
cyber criminals and identity thieves. While Google and Apple each
approach the app review process differently, neither approach has
prevented insecure applications from being installed.”

viaForensics notes its findings as
follows:

• Some applications did not
  validate security certification and were vulnerable to Man in the
  middle (MITM) attacks providing full user name, password and
  account data
• Some applications saved
  passwords in clear text (ie, no encryption)
• Some applications insecurely
  saved data to the smart phone, allowing recovery of all financial
  information viewed in the application

“Specifically to security, we
believe that there are security issues in mobile apps that puts
users at risk for identity and financial theft,” said Hoog.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“While every application provider
we have encountered strives to provide a highly secure application,
the fast pace of development often results in applications which
are not subject to sufficient security testing. This places the
general public at significant risk. By exposing vulnerable apps in
our free public service appWatchdog, we directly empower users to
protect their identity and financial data.”

While investment management company
Vanguard Group’s m-banking apps received a clean bill of health
from viaForenics, other financial institutions and payment methods
were not so lucky.

Alternative payment method PayPal
showed failings in two out of the four categories. Zero
Day reports that viaForensics found its iPhone app failed to
securely store application data and usernames – leaving the user
exposed to hacker attacks.

BofA’s Android app failed
additional security tests in which viaForensics examined how
usernames, passwords and PINs were transferred over a wireless
network. It was found to be saving the answer to a security
question in plain text on the mobile device.

A BofA spokeswoman verified that a
flaw exists but told the Wall Street Journal (WSJ) it
poses no risk to customers.

“This information would have to be
retrieved by a sophisticated mobile expert and even then does not
itself enable entry in mobile banking,” she said.

She also told the WSJ the
bank is fixing the flaw with an update.

TD Ameritrade’s app for iPhone and
Android platforms, and JPMorgan Chase’s iPhone app, were all found
to be saving the username of an account holder in the device’s
memory.

Tom Kelly, a spokesperson for
Chase, which currently sits second on Apple’s top ten finance app
chart, told EPI: “The username is only stored on the
user’s handset at the customer’s request, and to gain access to the
account you would have to obtain the phone, password and a variety
of security measures which we do not discuss.”

A TD Ameritrade spokesperson
confirmed the security issue but told the WSJ that the
“username alone is not sufficient for account access or
manipulation of any kind”.

The same spokesperson said the next
release of its app will fix the problem and is due to be rolled out
in the next 30 days.

Last year, 12m US consumers used
m-banking services, according to financial-services research firm
Celent. This year, Celent expects the user base to soar to 18m.

“The real growth is being driven by
smartphones,” said Celent analyst Red Gillen.