[ISN] Firm finds security holes in mobile bank apps

From: InfoSec News <alerts_at_private>
Date: Thu, 4 Nov 2010 23:27:25 -0600 (CST)

By Elinor Mills
InSecurity Complex
CNet News
November 4, 2010

A security firm disclosed holes today in mobile apps from Bank of 
America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a 
scramble by most of the companies to update the apps.

"Since Monday (11/01/2010), we have been communicating and coordinating 
with the financial institutions to eliminate the flaws," research firm 
viaForensics wrote in a post on its site. "The findings we published 
reflect testing completed on 11/03/2010. Since that time, several of the 
institutions have released new versions and we will post updated 
findings shortly."

The company had reported its findings to The Wall Street Journal earlier 
in the day. Yesterday, viaForensics went public with problems in 
PayPal's iPhone app, spurring the online payment provider to action.

Specifically, viaForensics concluded that: the USAA's Android app stored 
copies of Web pages a user visited on the phone; TD Ameritrade's iPhone 
and Android apps were storing the user name in plain text on the phone; 
Wells Fargo's Android app stored user name, password, and account data 
in plain text on the phone; Bank of America's Android app saves a 
security question (used if a user was accessing the site from an 
unrecognized device) in plain text on the phone; and Chase's iPhone app 
stores the username on a phone if the user chose that option, according 
to the report.


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery 
Network, Cisco Switches, SAS 70 Type II Datacenter. 
Find peace of mind, Defend your Critical Infrastructure.
Received on Thu Nov 04 2010 - 22:27:25 PDT

This archive was generated by hypermail 2.2.0 : Thu Nov 04 2010 - 22:39:08 PDT