= Subscriber content; or subscribe now to access all American Banker content.

Security Warning: 25% of Mobile Banking Apps Flunk Test

Although mobile banking apps fared better than retail, productivity and social networking apps in a security audit released today, banks still have work to do to protect customer data on mobile devices.

In the study conducted by viaForensics, 25% of the mobile banking programs analyzed received a "fail" rating. In most cases, these failures occurred because testers were able to recover a user password or other sensitive user data from a user's mobile device. In some cases, the apps cached a security PIN or a user name and password. In other instances testers were able to recover payment history, partial credit card numbers and other transaction-related data. About a third (31%) of mobile banking apps received a "Warn" grade because a user name or app data was present, but not considered a significant risk to the user. The remaining 44% of mobile banking apps passed the test.

To put this in context, no social networking or retail mobile apps passed viaForensics' test, and a mere 9% of productivity apps passed. (Ironically, one of the productivity apps that failed the test is described and sold as a secure email service. The testers were able to recover the security question and answer required to access emails.)

But unencrypted passwords seem to be tripping up banks. "The password thing is black and white," says Andrew Hoog, chief investigative officer at viaForensics. "You either store in clear text on the mobile device itself or you don't. That's where the real risk is." Mobile devices move all around the world, they're always online and they're completely outside a financial institution's control, Hoog points out.

Storing a user name insecurely does not cause a fail. "It's only a piece of the puzzle and it's not the most difficult piece of the puzzle," Hoog says. "It helps to know what somebody's user name is because then you don't have to try to guess what it is. But if somebody has your password, most people are in big trouble, not only because the criminal would be able to compromise their account, log in online and transfer information, but people reuse passwords and user names. That's the avalanche effect." For the average consumer, getting their password would get a cyber-thief into 30-90% of the online services that person uses, Hoog says.

"If you do get the password, it's earth-shattering bad stuff because you can get into almost anything they do online," he says.

Hoog believes banks and the vendors they purchase from and work with have been overly focused on market share, new features, monetization, expanding and answering consumer demand. "They're not putting enough or sometimes any effort into security," he says. And securing a mobile app is different from securing a banking website or the software on the bank's servers. "In general, the security industry hasn't caught up," he says.

"The good news is, it's possible to develop secure mobile apps, you just have to bear in mind the gotchas and trade-offs," Hoog says. "The problem is, development is a very creative and human endeavor, which means mistakes can get introduced."


(3) Comments



Comments (3)
Mobile commerce application is getting immune to threats and hacking as of today. Well, may be not completely but somewhere right there. With the major technologies like Near Field Communication, the hackers too are trying their heads at sliding off the corner but the security solution providers are also getting capable enough with the hackers virtue. By the coming years, banks will embrace m-commerce applications in the mainstream transactions.

Posted by Lakshmi Balu | Monday, June 25 2012 at 11:31PM ET
Rahul- just one question: what?
Posted by visainc | Monday, August 15 2011 at 12:34PM ET
The test is conducted and even if the fail condition has occurred with the productive apps, there is no need to be disappointed. The customer data integrity is the main concern and to achieve this, the mobile apps have to undergo thorough scrutiny to be released officially.
iphone application development
Posted by Lakshmi Balu | Tuesday, August 09 2011 at 12:21AM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.