The Fraud Blog with Tracy Kitten

How Vulnerable Are Mobile Apps?

Storage of Personal Data Calls for Stronger Protection

Everyone is jumping on the mobile banking security bandwagon. Security firms throughout the world are testing mobile platforms, and they're finding holes.

Late last week, security firm viaForensics announced it had discovered security vulnerabilities in mobile banking smart-phone apps for Google's Android and Apple's iPhone. Apps from Bank of America, Chase, TD Ameritrade, USAA, Wells Fargo and Vanguard were all targeted by the firm.

ViaForensics found that neither Google nor Apple has adequately prevented mobile apps from storing sensitive financial information. The firm noted that some apps do not validate security certificates, making them susceptible to so-called man-in-the-middle attacks. Some apps also inadvertently saved passwords unencrypted, and some saved to the phone data that had previously been viewed in the app itself.

Researchers at S21sec, a global digital security firm that last month confirmed Zeus had successfully penetrated the mobile market, say that while the findings of viaForensics should not be ignored, the noted vulnerabilities should not be confused with an actual attack.

"The SMS Mitmo (man-in-the-mobile) attack that we discovered and you reported on was a real attack taking place in the wild," says Daniel Brett, head of business development for S21sec. "It played upon vulnerabilities inherent in the Symbian OS that don't seem to have been patched." And the fact that any user can download an unsigned mobile app without passing through what Brett calls an "app market" opens the door for Mitmo.

The security gaps found by viaForensics are different. "It is the discovery of some security 'flaws' within certain banking applications," Brett says. "This falls into the domain of 'vulnerabilities' or, even in some cases, 'bad practices.'"

Storing usernames in plaintext within a smart phone's memory is a bad practice in the same way that stored credit card information is a bad practice at the retail level.
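The viaForensics findings and Brett's "bad practice" point come down to one check a bank's own testers can run: after logging into the app with known test credentials, does any of that data sit on the device in the clear? The following Python script is an added example, not code from the article, viaForensics or S21sec. It builds a constructed app data directory (a preferences file, a SQLite cache and a log file) and then scans every file in it, including the raw database bytes, for the test values. All file names, paths and values are constructed for the example.

```python
"""Check an app's on-device data directory for values stored in the clear.

Added example (not from the article or viaForensics): a tester logs into
the app with known test credentials, then scans the app's storage for
those exact values. Any hit means the app wrote the value unencrypted.
"""
import os
import sqlite3
import tempfile

# Constructed test credentials used for the login before the scan.
TEST_SECRETS = {
    "username": "testuser01",
    "password": "Correct-Horse-42",
    "account_number": "000123456789",
}


def build_sample_app_dir(root):
    """Create a constructed app data directory mimicking common leaks:
    a preferences XML holding the plaintext password, a SQLite database
    caching a viewed account number, and a log file that is clean."""
    os.makedirs(os.path.join(root, "shared_prefs"), exist_ok=True)
    os.makedirs(os.path.join(root, "databases"), exist_ok=True)
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as fh:
        fh.write('<map><string name="user">testuser01</string>'
                 '<string name="pw">Correct-Horse-42</string></map>')
    db = sqlite3.connect(os.path.join(root, "databases", "cache.db"))
    db.execute("CREATE TABLE accounts (id INTEGER, number TEXT, balance TEXT)")
    db.execute("INSERT INTO accounts VALUES (1, '000123456789', '1,204.55')")
    db.commit()
    db.close()
    with open(os.path.join(root, "app.log"), "w") as fh:
        fh.write("login ok for user [redacted]\n")
    return root


def scan_file(path, secrets):
    """Return the names of the secrets whose value appears verbatim in the
    file's raw bytes. Reading bytes rather than parsing means SQLite pages,
    XML and logs are all covered by the same search."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, value in secrets.items()
                  if value.encode() in data)


def scan_app_dir(root, secrets=TEST_SECRETS):
    """Walk the directory and map each relative file path to the secrets
    it stores in the clear. Files with no hits are omitted."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full, secrets)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def demo():
    """Build the constructed directory in a temp location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_app_dir(tmp)
        return scan_app_dir(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: stored in the clear -> {', '.join(hits)}")
```

On a real device the same scan would be pointed at the app's data directory pulled from a test handset rather than the constructed one; the raw-bytes search is deliberate, because a cached database or preferences file leaks the value whether or not the app ever displays it again.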

The mobile channel is like any other emerging channel - we're going to discover gaps and vulnerabilities as we move along. It's no secret that the mobile channel is screaming for more authentication and data encryption, but mobile nuances have posed some challenges. As Jason Rouse, a mobile security expert and principal consultant of the mobile and wireless practice for Cigital, rightly pointed out during last month's Mobile Financial Services Forum (#MobileForum on Twitter), fluid mobile browsing habits are part of the problem.

"It's an unfortunate side-effect of the way that a lot of wireless networks are structured," Rouse says. "As a consequence of the way that the networks are structured, technically, we normally have IP changes in the range of hours to days for every mobile client."

That's a challenge the industry is going to have to explore, and it's one that financial institutions active in the mobile banking arena should take into consideration. But users also bear some responsibility here. Granted, the industry has an obligation to educate consumers about risks. But if mobile users are downloading unapproved apps from sites that are not recommended by their financial institutions, how much responsibility should banks or credit unions really take on? Well, that question remains to be answered.



About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
