Blogs » Digital Babble » Is your banking app secure?

Subscribe


There is an app for just about anything and everything on smartphones. Banking apps are a handy tool when you are mobile and need to check on your account quickly. But how safe are they?

According to findings released today by the research firm viaForensics and the Wall Street Journal, top financial companies and banks such as Wells Fargo & Co., Bank of America Corp. and USAA are in a rush to fix security flaws in wireless banking applications that could allow others to obtain sensitive data like usernames, passwords and financial information.

The security issue is found in apps running on iPhones and Android-based devices. The apps store the user's information in the memory of a cellphone. So if someone steals or gains physical access to your phone, they can access that data. The data could also be obtained remotely if an attacker were able to lure a user into visiting a malicious website.

According to Andrew Hoog, chief investigative officer of viaForensics, a person could "trick the user with a fishing fake email or text message, sending the user to a website that would infect the device and allow the hacker to steal this data." [Source: WSJ.com]

More details from the Wall Street Journal article:

On Wells Fargo's Android application, an account holder's username and password were both stored on the phone in plain text. The app also saved sensitive information such as a user's checking, savings and other account balances.

George Tumas, chief information officer at Wells Fargo, said the bank independently identified the problem and released an updated version of its app to Google's Android Market Wednesday night.

...

Bank of America's Android application was saving the answer to a security question in plain text on a user's mobile device. The app asks the extra security question if the company's computers don't recognize the device that a user is logging on from. ViaForensics said Bank of America's iPhone app didn't have any security vulnerabilities.

A Bank of America spokeswoman verified that the flaw does exist, but said that it poses no risk to its customers. "This information would have to be retrieved by a sophisticated mobile expert, and even then, does not by itself enable entry in Mobile Banking," she said. An attacker would still need to know the user ID and password of an account holder to gain entry to their account.

Still, the spokeswoman said the bank is fixing the flaw with an update to its mobile-banking services over the next few days.

...

The iPhone app for J.P. Morgan Chase & Co., which is the second most popular free app in the iPhone's finance category, also saved the username on a phone if the account holder selected that option.

A better practice, said viaForensics' Mr. Hoog, would be to save the username with several of the characters obfuscated. A J.P. Morgan Chase spokesman declined to comment.

"It's not the end of the world," said Mr. Hoog. "But it's just sloppy. These guys should not be storing this data on a phone."