[LINK] 'Smartphone banking apps expose sensitive customer data'

Roger Clarke Roger.Clarke at xamax.com.au
Fri Nov 12 14:40:00 AEDT 2010

Smartphone banking apps expose sensitive customer data
By Kim Zetter, wired.com
6? November 2010

A number of wireless banking applications for iPhone and Android 
phone users contain privacy and security flaws that cause the phones 
to store sensitive information in cleartext that could be gleaned by 
hackers, according to a report.

The applications distributed by such top banks and financial 
institutions as Wells Fargo and Bank of America placed various types 
of information at varying degrees of risk. But at least one Android 
application, distributed by Wells Fargo, stored an account holder's 
username and password on the phone in cleartext. The application also 
stored account balances on the phone, according to a security 
researcher who spoke with the Wall Street Journal.

The applications store the information in the phone's memory, 
allowing it to be easily gleaned from the phone if an attacker were 
to trick the user into visiting a malicious website-for example, by 
sending the user a phishing e-mail containing a link to the malicious 

An application by the United Services Automobile Association was 
found to store a mirror image of the bank webpage the phone user 
visited, which could reveal the user's account balances and 
transactions as well as the bank account and routing numbers, which 
can be used to conduct electronic money transfers. The application 
didn't store the accountholder's username and password, but an 
attacker might obtain this information through a more targeted attack 
against the account holder's phone if he determines the bank balance 
revealed on the phone makes the extra effort worth it.

Bank of America's application also didn't save usernames and 
passwords, but it did save the answer to a secondary security 
question in cleartext. An account holder is asked the extra question 
only if the bank's website determines that the user is trying to log 
in from a device it doesn't recognize-such as from a phone or 
computer she doesn't normally use to conduct banking.

Andrew Hoog, chief investigative officer for viaForensics, said that 
only one of the seven applications his group examined contained no 
such security flaw. That application is distributed the Vanguard 

Both Wells Fargo and USAA told the Journal that they had fixed the 
problem in updated applications released on Wednesday. Bank of 
America said it would be tweaking its application in a new update 
distributed in a few days.

Separately, Hoog's company had found another security flaw with 
PayPal's iPhone application that would allow someone on the same WiFi 
network as the user to obtain the user's PayPal username and 
password. The security flaw exists because the application doesn't 
try to verify the digital certificate of the PayPal website. 
Therefore a hacker on the same network could conduct a 
man-in-the-middle attack that delivers a bogus PayPal page to the 
user's browser, stealing the username and password when the user 
enters it.

PayPal has since updated its application to fix this flaw.


A Risk Assessment Framework for Mobile Payments (Jun 2008)

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list