Jump to content
ritchie58

Security Holes In Mobile Bank Apps Discovered

Recommended Posts

A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.

 

"Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws," research firm viaForensics wrote in a post on its site. "The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly."

 

The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal's iPhone app, spurring the online payment provider to action.

 

Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report.

 

Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.

 

As a result of the report, Wells Fargo released an update to its Android app yesterday, USAA updated its Android app today, TD Ameritrade's apps will be fixed in the next version, and Bank of America is addressing the issue in its apps in the next few days, according to the newspaper report. A Chase spokesman declined to provide CNET with comment.

 

Spokespeople from several of the financial institutions told the newspaper that the supposed holes, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.

 

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...