Banking apps for mobile devices are increasing in popularity. Estimates by the financial-services firm TowerGroup suggest there will be 53 million people using mobile-banking apps by 2013.
My bank recently rolled out its own iPhone app. I downloaded it and was just about to check it out. Then, paranoia. If you read my article about whether online banking is safe or not, you will understand. What do I know about this app?
So, I started looking into mobile-banking apps. It did not take long to find out security advocates also have concerns. Spencer Ante of the Wall Street Journal raises a warning in: "Banks Rush to Fix Security Flaws in Wireless Apps." Here is the lead paragraph:
"A number of top financial companies and banks such as Wells Fargo & Co., Bank of America Corp., and USAA are rushing out updates to fix security flaws in wireless-banking applications that could allow a computer criminal to obtain sensitive data like usernames, passwords, and financial information."
The same article mentions viaForensics, a company specializing in securing mobile applications, as the firm discovering the vulnerabilities. Good for them. My question is, why is this even happening? It is not complicated. Our banking credentials should be considered sacred, period.
On a good note, viaForensic's web site mentions their researchers are working with the affected financial institutions: "Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws."
The blog post goes on to say: "Since that time, several of the institutions have released new versions and we will post updated findings shortly."
In the quote, viaForensics mentioned publishing new test results. That refers to their online service called appWatchdog.
Within days and to their credit, most of the banking firms pushed out updates to remove the vulnerabilities. The following appWatchdog slide displays the results from testing Wells Fargo's app for Android phones on November 3, 2010:
Three days later, the same Android app from Wells Fargo passed every test:
It appears mobile-banking applications are getting fixed. It also was pointed out that viaForensics found vulnerabilities, not actual attacks. So there is nothing to worry about. Not quite, I talked to experts that disagree.
One researcher in particular voiced the following concerns:
- Most mobile devices are so new, security apps are not available.
- Keeping member's banking information secure should be a no-brainer, yet it is not so.
- PCs are still a target-rich environment, so criminals are not yet focused on creating mobile-phone malware.
The researcher's first two concerns rang true. The third concern intrigued me, meaning I need to learn more about that. I came across this article, quoting Sean Sullivan of F-Secure. So far in 2010, F-Secure detected 67 strains of smart-phone malware compared to thousands aimed at PCs.
The difference is insignificant, but Mr. Sullivan also mentioned this year's total was nearly double last year's. So, stay tuned.What's the answer?
For right now, if banking online is a must, using a dedicated PC, LiveCD, or a bootable flash drive are still the best solutions.Final thoughts
Not sure what it all means -- is it FUD or are we making the same mistakes we do banking online with PCs? What do you think?Update: November 29, 2010
Andrew Hoog, Chief Investigative Officer for viaForensics contacted me today. They tested five new mobile applications: Groupon, Kik Messenger, Facebook, Dropbox, and Mint.com. All the applications failed to securely store username and application data. More troubling, four applications: Groupon (Android), Kik Messenger (Android), Kik Messenger (iPhone), and Mint.com (Android) were storing passwords as plain text.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.