Banks need to improve cell phone banking applications' security or face losing customers frightened by the risk, security experts say.
About 80 to 90 percent of mobile phone-based apps that Chicago-based security firm via Forensics analyzes for security flaws fail its free "appwatchdog" tests. The firm recovered usernames, passwords, transaction data-sometimes all of the above-from the mobile apps offered by five banks over popular Android-based devices and iPhones in November assessments.
"And that's about 10 percent of what we would do in a full-blown security audit," says Andrew Hoog, chief investigative officer and co-founder of viaForensics. "So we're really only looking at the tip of the iceberg with those findings."
Most of the problems involved the banking applications storing recoverable customer information in the phone's flash memory; viaForensics worked with the banks to resolve the flaws. But while the banks patched the most serious problems with updates, Hoog said financial institutions have yet to optimally mitigate security risks in their mobile banking services. The flaws were first reported in the Wall Street Journal; since then, several mobile banking vendors have begun working with the vendor to ensure their apps pass the tests.
In one recent comprehensive audit, viaForensics was able to inject fake ATM and branch locations and unaffiliated phone numbers into a bank's mobile app.
But not all of the vulnerabilities viaForensics finds are plausible exploits, Hoog concedes. viaForensic's finding that Bank of America's Android app left answers to a security question in plain text on phones "posed no risk to customers," says BofA spokeswoman Tara Burke. The app was nonetheless updated to hide the answers, "the weekend after we were made aware of the finding."
The reason most of these apps show gaps and vulnerabilities, Hoog says, is that they've been rushed to launch, and "when you go very quickly there's not time for sufficient testing."
New exploits are ratcheting up the risk for firms too. Malware has already made the jump from PCs to mobiles. Hackers have not only tweaked the code of the ZeuS Trojan to perform remote takeovers of smartphones, but have launched such "attacks against banks that use mobile devices as a second factor of authentication," says Amit Klein, CTO of Trusteer.
None of the banks that viaForensics reported finding mobile flaws with in November-Bank of America, J.P. Morgan Chase, TD Ameritrade, USAA and Wells Fargo-would directly answer questions about whether they've changed their development process to include stronger security auditing.