Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Security Holes Found In Mobile Bank Apps

Posted by Soulskill on from the and-you-can-take-that-to-the-uh-nevermind dept.

NeverVotedBush writes with this excerpt from CNet: "A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."

2 of 107 comments (clear)

  1. Re:iPhone win? by Anonymous Coward · · Score: 5, Insightful

    This is not a platform battle. The banks clearly take shortcuts or hire developers unfit for the task.
    Maybe the iPhone developers also developed the Android apps and were not properly educated on Android development (just a thought).

  2. OH! OH! I know! Pick Me ! by Zero__Kelvin · · Score: 4, Insightful

    "But how is Chase's App on iPhone "insecure" when it is the user's responsibility to not leave their username laying around ?"

    ... for the same reason that there isn't a little box to write your PIN number in on ATM cards. If you offer people a less secure but simpler alternative then many of them will use it out of shear, if understandable, ignorance of the implications. Since leaving your username information "laying around" is a security concern, the only way to keep the mass of people from making things less secure is to not offer the option in the first place. It is the responsibility of the banks, who have security experts, to make things more secure. It cannot sit on the shoulders of the masses, as you suggest it should, because it is a known fact that most people using the app are not security experts.

    Indeed, by offering the option, they are implying that there is no issue with using it.

    HTH

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun