Critical security flaws discovered in mobile bank apps
November 5, 2010
Internet security company viaForensics has discovered many security flaws in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the banks to fix and patch their mobile banking applications.
"Since November 1st, we have been communicating and coordinating with the financial institutions to fix these critical security holes," research firm viaForensics wrote in a post on its site. "The findings we published reflect testing completed on Nov. 3. Since that time, several of the institutions have released new versions and we will post updated findings shortly."
Yesterday, the security firm went public with problems in PayPal's iPhone app, spurring the online payment provider to action.
Specifically, viaForensics reported that USAA's Android app stored copies of web pages the user had visited on the phone; TD Ameritrade's iPhone and Android apps stored the user name in plain text on the phone; Wells Fargo's Android app stored the user name, password and account data in plain text on the phone; Bank of America's Android app saved a security question (used when a user accesses the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stored the user name on the phone if the user chose that option.
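The kind of check that produces findings like these, as an added example that is not viaForensics' tooling or any bank's code: log in to the app on a test device with known test credentials, pull the app's data directory off the device, and search every file for those credentials and for account data stored in the clear. The directory layout, file names and contents below (a SharedPreferences-style XML file, an SQLite database and a cached web page) are constructed for the example and do not reproduce any real app; the scanner is written in Python so it can be run over a copied directory on the analyst's machine.

```python
"""Scan an extracted mobile-app data directory for plaintext credentials.

Added example of the kind of check behind the findings above; this is not
viaForensics' tooling, and every path, file name and value below is
constructed for illustration rather than taken from any real bank app.
"""
import os
import sqlite3
import tempfile

# Credentials used to log in on the test device; the scan looks for these.
TEST_USER = "jdoe"
TEST_PASS = "Hunter2!"


def build_sample_app_dir():
    """Create a throwaway directory shaped like a pulled Android app sandbox."""
    root = tempfile.mkdtemp(prefix="appdata_")

    # SharedPreferences-style XML holding the login (constructed example).
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "login.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                f'    <string name="username">{TEST_USER}</string>\n'
                f'    <string name="password">{TEST_PASS}</string>\n'
                '</map>\n')

    # SQLite database with account data (constructed example).
    dbdir = os.path.join(root, "databases")
    os.makedirs(dbdir)
    con = sqlite3.connect(os.path.join(dbdir, "accounts.db"))
    con.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, ?, '1234.56')", (TEST_USER,))
    con.commit()
    con.close()

    # Cached page from the logged-in web session (constructed example).
    cache = os.path.join(root, "cache", "webviewCache")
    os.makedirs(cache)
    with open(os.path.join(cache, "a1b2c3"), "wb") as f:
        f.write(b"<html><body>Welcome back, jdoe. Balance: $1,234.56</body></html>")
    return root


def _scan_sqlite(path, secrets):
    """Yield (table, column, label) for every cell containing a secret."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            cur = con.execute(f'SELECT * FROM "{table}"')
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    for label, secret in secrets.items():
                        if isinstance(val, str) and secret in val:
                            yield table, col, label
    finally:
        con.close()


def scan_for_plaintext(root, secrets):
    """Return sorted (relative path, finding) pairs for secrets stored in the clear.

    Files are read as bytes and searched for each secret; SQLite databases are
    opened and inspected cell by cell so the report names the table and column.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            if data.startswith(b"SQLite format 3\x00"):
                for table, col, label in _scan_sqlite(path, secrets):
                    hits.append((rel, f"{label} in {table}.{col}"))
            else:
                for label, secret in secrets.items():
                    if secret.encode("utf-8") in data:
                        hits.append((rel, label))
    return sorted(hits)


if __name__ == "__main__":
    app_dir = build_sample_app_dir()
    for rel, finding in scan_for_plaintext(
            app_dir, {"username": TEST_USER, "password": TEST_PASS}):
        print(f"{rel}: {finding} stored in plain text")
```

Run against the constructed directory, the scan reports the user name and password in the preferences file, the user name in the `accounts.owner` column of the database, and the user name in the cached page; an app that handles data securely yields no hits, because nothing recoverable from the sandbox matches the test credentials. On a real engagement the same scan is run over the app's data directory pulled from a rooted or backup-extracted device after a login, with the secrets set to the credentials used in that session.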
viaForensics says these are security issues that could have been easily prevented from the start and that repairing them won't be complicated and shouldn't take the banks more than an hour or two.
Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.
Wells Fargo did release an update to its Android app yesterday, USAA updated its Android app today, TD Ameritrade's apps will be fixed in the next version, and Bank of America is addressing the issue in its apps in the next few days, as a direct result of viaForensics' findings.
A Chase spokesman declined to provide us with any comment, however.
Spokespeople from several of the financial institutions said that the supposed security flaws, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.
ViaForensics did not immediately return a call and e-mails seeking comment late yesterday.
Critical security holes in banking apps, ATMs and the online banking services used from a computer or laptop are nothing new. As long as there are thieves there will be security issues, and it is up to the banks themselves to ensure that every banking transaction is performed securely, at all times.
The way these banking apps were released into the wild is unacceptable and only adds to the doubts in consumers' minds.