Firm finds security holes in mobile bank apps

Financial firms say they are addressing problems that research firm found with security of mobile apps.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Nov. 4, 2010 5:23 p.m. PT

2 min read

A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.

"Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws," research firm viaForensics wrote in a post on its site. "The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly."

The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal's iPhone app, spurring the online payment provider to action.

Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report.

Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.

As a result of the report, Wells Fargo released an update to its Android app yesterday, USAA updated its Android app today, TD Ameritrade's apps will be fixed in the next version, and Bank of America is addressing the issue in its apps in the next few days, according to the newspaper report. A Chase spokesman declined to provide CNET with comment.

Spokespeople from several of the financial institutions told the newspaper that the supposed holes, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.

Update 8:50 a.m. PDT Nov. 5 Andrew Hoog, chief investigative officer at viaForensics, offered this statement in response: "Our appWatchdog service clearly highlights the secure aspects of the financial apps we tested. Unfortunately, in the security world (especially when you access your bank account or provide credit card numbers), providing security most of the time is simply not good enough. For mobile app providers, there are no shortcuts to protecting customers' data. It must be engineered from the start and thoroughly tested after any change in the app or underlying OS (i.e. iPhone iOS or Google Android)."