A number of wireless banking applications for iPhone and Android phone users contain privacy and security flaws that cause the phones to store sensitive information in cleartext that could be gleaned by hackers, according to a report.
The
The applications store the information in the phone’s memory, allowing it to be easily gleaned from the phone if an attacker were to trick the user into visiting a malicious web site — for example, by sending the user a phishing e-mail containing a link to the malicious site.
A financial services application by the United Services Automobile Association was found to store a mirror image of the banking web page the phone user visited, which could reveal the user’s account balances and transactions as well as the routing numbers, which can be used to conduct electronic money transfers if a hacker also obtains the account number. The application didn’t store the accountholder’s username and password, but an attacker might obtain this information through a more targeted attack against the account holder’s phone if he determines the bank balance revealed on the phone makes the extra effort worth it.
Bank of America’s application also didn’t save usernames and passwords, but it did save the answer to a secondary security question in cleartext. An accountholder is asked the extra question only if the bank’s web site determines that the user is trying to log in from a device it doesn’t recognize — such as from a phone or computer he doesn’t normally use to conduct banking.
Andrew Hoog, chief investigative officer for viaForensics, said that only one of the seven applications his group examined contained no such security flaw. That application is distributed by the Vanguard Group.
Both Wells Fargo and USAA told the Journal that they had fixed the problem in updated applications released on Wednesday. Bank of America said it would be tweaking its application in a new update distributed in a few days.
Separately, Hoog’s company had found another security flaw with PayPal’s iPhone application that would allow someone on the same WiFi network as the user to obtain the user’s PayPal username and password. The security flaw exists because the application doesn’t try to verify the digital certificate of the PayPal web site. Therefore a hacker on the same network could conduct a man-in-the-middle attack that delivers a bogus PayPal page to the user’s browser, stealing the username and password when the user enters it.
PayPal has since updated its application to fix this flaw.
Photo: boostmobile/Flickr
Authors: Kim Zetter