09:40 AM

Large Banks Work to Fix Mobile Banking Security Flaws

Tests of the Android and iPhone apps of Bank of America, Wells Fargo, USAA and others found them storing certain data, such as user names and passwords, on the phones themselves, where physical and cyber thieves could access it.

The Wall Street Journal ran a story today about security vulnerabilities in several large banks' mobile banking applications. Essentially, all but one of the banks' mobile applications tested store some user data, such as user name and password, in the clear where a phone thief could use it. The tests were conducted by computer and mobile security company viaForensics.

The iPhone and Android mobile banking apps of Wells Fargo, Bank of America and USAA were found to store user data in the phone's memory, so that anyone picking up the phone could potentially use it to access the owner's bank account; hackers could also potentially access this information (of course, with the use of phishing and sophisticated Trojans such as Carberp and Gozi, hackers could potentially access any online or mobile banking account).

This is the same issue that Citi had in July when it discovered its iPhone app was accidentally saving account information in a hidden file on users' phones. The information could also have been saved on customers' computers if they synchronized their iPhone with their computer using iTunes. The bank immediately created a fix for the problem and notified customers about the glitch and the downloadable update in a letter.

Wells Fargo, Bank of America and USAA are also acting swiftly to issue similar fixes, the article notes.

On Wells Fargo's Android application, an account holder's username and password were both stored on the phone in plain text, the article states. The app also saved sensitive information such as a user's checking, savings and other account balances. The bank identified the problem and released an updated version of the app to the Google Android Market Wednesday night.

The article quotes George Tumas, SVP and CIO for the Internet services group at Wells Fargo (and one of Bank Systems & Technology's Elite 8 for 2010) as saying, "We encourage our customers to use the new version. As far as we know, no customers were impacted." The flaw has prompted the company to consider changes in its development process, he told the Journal.

USAA's Android app didn't save usernames and passwords, but did store a mirror image of the pages a person visited on the app, which could include sensitive information such as a person's account balances, bank routing numbers and records of payments, transfers and deposits, the article states. USAA also pushed an updated version of its app to the Android Market Wednesday, according to the article.

TD Ameritrade's applications for both the iPhone and Android were found to be saving account holders' usernames in plain text on the user's mobile device. A TD Ameritrade spokesman confirmed the flaw but said that the "username alone is not sufficient for account access or manipulation of any kind." The company is fixing the problem in the next release of its app, due to be rolled out in the next 30 days, the article said.

Bank of America's Android application was found to be saving the answer to a security question in plain text on a user's mobile device. The app asks the extra security question if the company's computers don't recognize the device that a user is logging on from. A Bank of America spokeswoman verified that the flaw does exist, but said that it poses no risk to its customers. "This information would have to be retrieved by a sophisticated mobile expert, and even then, does not by itself enable entry in mobile banking," she told the Journal. An attacker would still need to know the user ID and password of an account holder to gain entry to their account. Still, the spokeswoman said the bank is fixing the flaw with an update to its mobile-banking services over the next few days.

The iPhone app for J.P. Morgan Chase also saved the username on a phone if the account holder selected that option. A better practice, according to viaForensics, would be to save the username with several of the characters obfuscated. The bank declined to comment.
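The two storage patterns contrasted above, the plaintext credentials found in the Wells Fargo and Bank of America apps and the masked-username practice viaForensics recommends, can be put side by side in a few lines. The following is an added example, not code from the article or from any of the banks' apps; the file layout, key names, sample account values and the audit check are all constructed for illustration.

```python
import json
import secrets

# Fields that must never be written to device storage (constructed list,
# modelled on what the article reports being found on the phones).
FORBIDDEN_KEYS = {"password", "security_answer", "balance", "routing_number"}


def mask_username(username: str, visible: int = 2) -> str:
    """Obfuscate a username for local display: keep the first and last
    `visible` characters and replace the rest with '*'. Names too short
    to keep anything safely are masked entirely."""
    if len(username) <= 2 * visible:
        return "*" * len(username)
    hidden = len(username) - 2 * visible
    return f"{username[:visible]}{'*' * hidden}{username[-visible:]}"


def remember_me_insecure(username: str, password: str, security_answer: str) -> str:
    """The storage pattern the article describes: the whole login context
    is serialised to a preferences file in the clear. Returns the JSON
    that would land on the device."""
    return json.dumps({"username": username,
                       "password": password,
                       "security_answer": security_answer})


def remember_me_hardened(username: str) -> str:
    """Persist only a masked display name and a random, server-revocable
    device identifier. The password and challenge answers are never
    written to the record; they are re-entered on every login."""
    return json.dumps({"display_name": mask_username(username),
                       "device_id": secrets.token_hex(16)})


def audit_stored_record(stored_json: str, known_secrets: dict) -> list:
    """Pre-release check a bank's QA team could run on a test device:
    parse what the app wrote and report any forbidden key, plus any
    stored value that still contains a secret the test account used
    (this catches secrets hidden under innocuous key names)."""
    record = json.loads(stored_json)
    findings = []
    for key, value in record.items():
        if key in FORBIDDEN_KEYS:
            findings.append(f"forbidden key stored: {key}")
        for name, secret in known_secrets.items():
            if isinstance(value, str) and secret and secret in value:
                findings.append(f"{name} recoverable from field {key!r}")
    return findings


if __name__ == "__main__":
    # Constructed test account; no real credentials.
    test_secrets = {"password": "hunter2", "security_answer": "Rover"}
    bad = remember_me_insecure("john.smith", "hunter2", "Rover")
    good = remember_me_hardened("john.smith")
    print("insecure record findings:", audit_stored_record(bad, test_secrets))
    print("hardened record findings:", audit_stored_record(good, test_secrets))
```

The audit deliberately matches on the secret values themselves rather than only on key names, because a record that stores the password under a field called "token" is just as exposed as one that calls it "password"; the same check run against a cached page image, as in the USAA case, would need to scan the captured HTML text instead of a JSON record.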

The article acknowledges that banks are under pressure to pump out mobile apps quickly, which is part of the problem. "Wireless app development is a relatively new field and there is a shortage of skilled programmers," the article states. "Moreover, companies are being pushed to crank out these applications quickly, which raises the chance of flaws being introduced in the apps."
