US banks stand
accused of being “sloppy” as they scramble to rush out updates to
fix security flaws found in Apple and Android m-banking
applications.
The accusation comes from Andrew
Hoog, chief investigative officer at viaForensics, a Chicago-based
computer and mobile security firm that discovered the problems. The
findings show Bank of America (BofA), JPMorgan Chase, TD
Ameritrade and PayPal customers to be affected. The issues have
arisen from a “basic lapse in security”: the apps store
a user’s information in the memory of a mobile handset.
“Through the course of many
investigations, we encountered a surprising and increasing amount
of highly sensitive financial and identity information on smart
phones,” said viaForensics in a summary of its appWatchdog findings
posted on its website.
“This information, uncovered on
both Apple iPhones and Google Android devices, would only benefit
cyber criminals and identity thieves. While Google and Apple each
approach the app review process differently, neither approach has
prevented insecure applications from being installed.”
viaForensics notes its findings as
follows:
- Some applications did not validate security certificates and were vulnerable to man-in-the-middle (MITM) attacks, exposing the full user name, password and account data
- Some applications saved passwords in clear text (ie, no encryption)
- Some applications insecurely saved data to the smart phone, allowing recovery of all financial information viewed in the application
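The second and third findings are storage-level problems, and they are the kind a forensic examiner detects by reading the app's own files off the handset. As an added example (not viaForensics's appWatchdog tooling and not code from the article), the Python below scans constructed copies of two common Android storage artifacts, a SharedPreferences XML file and a SQLite cache, for credentials, security-question answers and account numbers stored in readable form. The file contents, key names, account numbers and URL are made up for the example, and the key-name and digit-run patterns are heuristics, not a standard.

```python
"""Added example: a storage-level check for the findings described above.
Not from the article or viaForensics; all sample data is constructed."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for an Android SharedPreferences file, the kind an app
# writes under /data/data/<package>/shared_prefs/. All values are made up.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">jane.doe</string>
    <string name="password">hunter2</string>
    <string name="security_answer">Rover</string>
    <string name="session_token">opaque-server-issued-token</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Same file after remediation: only the username is kept (at the user's
# request); no password or security answer is written to the device.
SAMPLE_PREFS_FIXED = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">jane.doe</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Heuristic: preference keys that usually hold credentials or recovery data.
SENSITIVE_KEY = re.compile(
    r"(user(name)?|pass(word|wd)?|\bpin\b|secur(ity)?_?(answer|question)|account)", re.I)
# Heuristic: runs of 12-19 digits look like card or account numbers.
ACCOUNT_NUMBER = re.compile(r"\b\d{12,19}\b")


def scan_shared_prefs(xml_text):
    """Return (key, value) pairs whose key looks credential-like and whose
    value is stored as readable text (no encryption, no keystore reference)."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        # <string> elements carry the value as text; <boolean>/<int> use an attribute.
        value = elem.text if elem.text is not None else elem.get("value", "")
        if SENSITIVE_KEY.search(name) and value:
            findings.append((name, value))
    return findings


def build_sample_db():
    """Constructed in-memory SQLite database standing in for an app's local
    cache of account data and API responses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, account_number TEXT, balance REAL)")
    conn.execute("CREATE TABLE cache (url TEXT, body TEXT)")
    conn.executemany("INSERT INTO accounts (account_number, balance) VALUES (?, ?)",
                     [("1234567890123456", 2043.17), ("9876543210987654", 15.00)])
    conn.execute("INSERT INTO cache VALUES (?, ?)",
                 ("https://bank.example/api/transactions",
                  '{"account":"1234567890123456","transactions":[]}'))
    return conn


def scan_sqlite(conn):
    """Walk every table and return (table, column, value) triples where a text
    cell contains something that looks like an account number."""
    findings = []
    tables = [row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for column, value in zip(columns, row):
                if isinstance(value, str) and ACCOUNT_NUMBER.search(value):
                    findings.append((table, column, value))
    return findings


def run_check(prefs_xml=SAMPLE_PREFS_XML, conn=None):
    """Combine both scans into the two storage-related finding classes
    from the list above."""
    conn = conn or build_sample_db()
    return {
        "plaintext_credentials": scan_shared_prefs(prefs_xml),
        "recoverable_financial_data": scan_sqlite(conn),
    }


if __name__ == "__main__":
    for category, items in run_check().items():
        print(category)
        for item in items:
            print("   ", item)
    print("after remediation:", scan_shared_prefs(SAMPLE_PREFS_FIXED))
```

Run against a real device image, the same two scans would be pointed at the pulled `shared_prefs` and `databases` directories of the app package; the remediated sample shows what a clean result looks like when only a username is retained.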
“Specifically to security, we
believe that there are security issues in mobile apps that put
users at risk for identity and financial theft,” said Hoog.
“While every application provider
we have encountered strives to provide a highly secure application,
the fast pace of development often results in applications which
are not subject to sufficient security testing. This places the
general public at significant risk. By exposing vulnerable apps in
our free public service appWatchdog, we directly empower users to
protect their identity and financial data.”
While investment management company
Vanguard Group’s m-banking apps received a clean bill of health
from viaForensics, other financial institutions and payment methods
were not so lucky.
Alternative payment method PayPal
showed failings in two out of the four categories. Zero
Day reports that viaForensics found its iPhone app failed to
securely store application data and usernames – leaving the user
exposed to hacker attacks.
BofA’s Android app failed
additional security tests in which viaForensics examined how
usernames, passwords and PINs were transferred over a wireless
network. It was found to be saving the answer to a security
question in plain text on the mobile device.
A BofA spokeswoman verified that a
flaw exists but told the Wall Street Journal (WSJ) it
poses no risk to customers.
“This information would have to be
retrieved by a sophisticated mobile expert and even then does not
itself enable entry in mobile banking,” she said.
She also told the WSJ the
bank is fixing the flaw with an update.
TD Ameritrade’s app for iPhone and
Android platforms, and JPMorgan Chase’s iPhone app, were all found
to be saving the username of an account holder in the device’s
memory.
Tom Kelly, a spokesperson for
Chase, which currently sits second on Apple’s top ten finance app
chart, told EPI: “The username is only stored on the
user’s handset at the customer’s request, and to gain access to the
account you would have to obtain the phone, password and a variety
of security measures which we do not discuss.”
A TD Ameritrade spokesperson
confirmed the security issue but told the WSJ that the
“username alone is not sufficient for account access or
manipulation of any kind”.
The same spokesperson said the next
release of its app will fix the problem and is due to be rolled out
in the next 30 days.
Last year, 12m US consumers used
m-banking services, according to financial-services research firm
Celent. This year, Celent expects the user base to soar to 18m.
“The real growth is being driven by
smartphones,” said Celent analyst Red Gillen.