[LINK] 'Smartphone banking apps expose sensitive customer data'
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Nov 12 14:40:00 AEDT 2010
Smartphone banking apps expose sensitive customer data
By Kim Zetter, wired.com
6 November 2010
http://arstechnica.com/gadgets/news/2010/11/smartphone-banking-apps-expose-sensitive-customer-data.ars
A number of wireless banking applications for iPhone and Android
phone users contain privacy and security flaws that cause the phones
to store sensitive information in cleartext that could be gleaned by
hackers, according to a report.
The applications distributed by such top banks and financial
institutions as Wells Fargo and Bank of America placed various types
of information at varying degrees of risk. But at least one Android
application, distributed by Wells Fargo, stored an account holder's
username and password on the phone in cleartext. The application also
stored account balances on the phone, according to a security
researcher who spoke with the Wall Street Journal.
The applications store the information in the phone's memory,
allowing it to be easily gleaned from the phone if an attacker were
to trick the user into visiting a malicious website, for example by
sending the user a phishing e-mail containing a link to the malicious
site.
An application by the United Services Automobile Association was
found to store a mirror image of the bank webpage the phone user
visited, which could reveal the user's account balances and
transactions as well as the bank account and routing numbers, which
can be used to conduct electronic money transfers. The application
didn't store the accountholder's username and password, but an
attacker might obtain this information through a more targeted attack
against the account holder's phone if he determines the bank balance
revealed on the phone makes the extra effort worth it.
Bank of America's application also didn't save usernames and
passwords, but it did save the answer to a secondary security
question in cleartext. An account holder is asked the extra question
only if the bank's website determines that the user is trying to log
in from a device it doesn't recognize, such as from a phone or
computer she doesn't normally use to conduct banking.
Andrew Hoog, chief investigative officer for viaForensics, said that
only one of the seven applications his group examined contained no
such security flaw. That application is distributed by the Vanguard
Group.
Both Wells Fargo and USAA told the Journal that they had fixed the
problem in updated applications released on Wednesday. Bank of
America said it would be tweaking its application in a new update
distributed in a few days.
Separately, Hoog's company had found another security flaw with
PayPal's iPhone application that would allow someone on the same WiFi
network as the user to obtain the user's PayPal username and
password. The security flaw exists because the application doesn't
try to verify the digital certificate of the PayPal website.
Therefore a hacker on the same network could conduct a
man-in-the-middle attack that delivers a bogus PayPal page to the
user's browser, stealing the username and password when the user
enters it.
PayPal has since updated its application to fix this flaw.
[See:
A Risk Assessment Framework for Mobile Payments (Jun 2008)
http://www.rogerclarke.com/EC/MP-RAF.html ]
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
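The class of finding reported above (passwords, security-question answers, balances and routing numbers recoverable from an app's private storage) is something an examiner can check for directly once a copy of the app's data directory is in hand. The Python script below is an added example written for this archive copy; it is not the article's, viaForensics' or any bank's code. It builds a constructed stand-in for an Android app's data directory (a shared_prefs XML file, a SQLite database and a cached HTML page, all fabricated sample data), dumps the database as key=value lines, and scans everything for cleartext credential-style keys and for 9-digit runs that pass the ABA routing-number checksum. The directory layout, file and key names and the regular expressions are assumptions about how such apps store data, not facts taken from the article.

```python
# Added illustration: cleartext-secret scan over a copy of an app's data
# directory. Not viaForensics' tool; the sample files below are constructed.
import os
import re
import shutil
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

# Key/value shapes covering shared_prefs XML, dumped SQLite rows and JSON:
#   <string name="password">x</string>   credentials.password=x   "pin": "x"
KEY_VALUE = re.compile(
    r'(?i)\b(password|passwd|pwd|pin|security_answer|secret_answer)\b'
    r'\s*[=:"]+\s*>?\s*["\']?([^\s"\'<>]+)'
)
# Any isolated 9-digit run is a routing-number candidate; the ABA checksum
# filters out ids and timestamps that merely happen to be 9 digits long.
NINE_DIGITS = re.compile(r"(?<!\d)(\d{9})(?!\d)")

def aba_checksum_ok(digits: str) -> bool:
    # ABA routing transit number check: weights 3,7,1 must sum to 0 mod 10
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7])
            + (d[2] + d[5] + d[8])) % 10 == 0

def scan_text(text: str, source: str) -> list:
    """Return (kind, source, key, value) tuples for every hit in one file."""
    hits = [("cleartext_secret", source, m.group(1).lower(), m.group(2))
            for m in KEY_VALUE.finditer(text)]
    hits += [("routing_number", source, "aba", m.group(1))
             for m in NINE_DIGITS.finditer(text) if aba_checksum_ok(m.group(1))]
    return hits

def dump_sqlite(path: str) -> str:
    """Render every row of every table as table.column=value lines so the
    same key/value pattern applies to database contents as to text files."""
    lines, conn = [], sqlite3.connect(path)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            cur = conn.execute(f'SELECT * FROM "{table}"')
            cols = [c[0] for c in cur.description]
            for row in cur:
                lines.extend(f"{table}.{col}={val}" for col, val in zip(cols, row))
    finally:
        conn.close()
    return "\n".join(lines)

def scan_app_dir(root: str) -> list:
    """Walk an app data directory (e.g. a copy of /data/data/<pkg>), dumping
    SQLite databases and treating every other file as text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            text = (dump_sqlite(path) if data.startswith(SQLITE_MAGIC)
                    else data.decode("utf-8", errors="ignore"))
            findings.extend(scan_text(text, rel))
    return findings

def build_sample_app_dir() -> str:
    """Constructed stand-in for a banking app's private storage (sample data)."""
    root = tempfile.mkdtemp(prefix="bankapp_")
    for sub in ("shared_prefs", "databases", "cache"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="security_answer">Fluffy</string>\n</map>\n')
    conn = sqlite3.connect(os.path.join(root, "databases", "accounts.db"))
    conn.execute("CREATE TABLE credentials (username TEXT, password TEXT)")
    conn.execute("INSERT INTO credentials VALUES ('alice', 'hunter2')")
    conn.commit()
    conn.close()
    with open(os.path.join(root, "cache", "summary.html"), "w") as fh:
        # checksum-valid routing number, 12-digit account number, and a
        # 9-digit order id that fails the checksum and must not be reported
        fh.write("<html><body>Routing: 021000021 Account: 123456789012<br>\n"
                 "Balance: $4,821.17 Order: 123456789</body></html>\n")
    return root

def scan_sample() -> list:
    """Build the constructed directory, scan it, clean up, return findings."""
    root = build_sample_app_dir()
    try:
        return scan_app_dir(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for kind, src, key, val in scan_sample():   # mask values in the report
        print(f"{kind:16} {src:26} {key}={val[:2] + '*' * (len(val) - 2)}")
```

Against a real handset the same scan_app_dir call would be pointed at a copy of the app's private directory taken from a rooted phone or a backup. A hit means the data is available to whoever obtains the file, whatever transport security the app uses on the wire, which is exactly the gap the article describes.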