One-Quarter Of Bank Mobile Apps Fail Security Audit
OAK PARK, Ill. – A new study of mobile banking applications from major banks gave 25% a “fail” rating following a security audit.
The study, conducted by viaForensics here, said in most cases failures occurred because testers were able to recover a user password or other sensitive user data from a user’s mobile device.
In some cases, the apps cached a security PIN or a user name and password. In other instances, testers were able to recover payment history, partial credit card numbers and other transaction-related data. About a third (31%) of mobile banking apps received a “Warn” grade because a user name or app data was present but was not considered a significant risk to the user. The remaining 44% of mobile banking apps passed the test.
To put this in context, no social networking or retail mobile apps passed viaForensics’ test, and a mere 9% of productivity apps passed. (Ironically, one of the productivity apps that failed the test is described and sold as a secure e-mail service. The testers were able to recover the security question and answer required to access e-mails.)
But unencrypted passwords seem to be tripping up banks. “The password thing is black and white,” Andrew Hoog, chief investigative officer at viaForensics, told American Banker, an affiliate of Credit Union Journal. “You either store in clear text on the mobile device itself or you don’t. That’s where the real risk is.”
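The grading scheme described above (Fail when a password, PIN or transaction data is recoverable; Warn when only a user name or non-sensitive app data is present; Pass otherwise) can be turned into a repeatable check that a development team runs against its own app's storage before release. The following Python is an added example written for this page; it is not viaForensics' tool, and the file names, key names, regular expressions and sample file contents are all constructed assumptions. It treats recovered app files as plain text and looks for the same kinds of artefacts the study reports.

```python
"""Added example (not viaForensics' methodology or code): grade a set of
recovered mobile-app storage files the way the article describes.

  Fail: a password, PIN, card number or transaction record is recoverable.
  Warn: only a user name (or other low-risk app data) is present.
  Pass: nothing user-identifying is recoverable.

File names, keys and contents below are constructed for the example."""
import re
from typing import Dict, List, Tuple

# Credentials that must never be on the device at all (hashed or not:
# an on-device password hash still gives an attacker an offline target).
SECRET_KEYS = re.compile(
    r'"?\b(password|passwd|pwd|pin|security_answer)\b"?\s*[=:]\s*"?([^"\s,}]+)', re.I)
# Card data, including partial numbers ("last four") that the study graded as failures.
CARD_KEYS = re.compile(r'"?\b(card_number|card_last4|pan)\b"?\s*[=:]\s*"?([0-9]{4,19})', re.I)
# Transaction history fields.
TXN_KEYS = re.compile(r'"?\b(amount|payee|balance)\b"?\s*[=:]', re.I)
# Identifying but lower-risk data: Warn, not Fail.
USER_KEYS = re.compile(r'"?\b(username|user_name|login|email)\b"?\s*[=:]\s*"?([^"\s,}]+)', re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real card number from any other long digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Full card numbers hiding in free text (logs, caches), Luhn-validated."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_ok(m)]


def audit_app_data(files: Dict[str, str]) -> Dict[str, object]:
    """Return {'grade': 'Fail'|'Warn'|'Pass', 'findings': [(severity, file, note)]}."""
    findings: List[Tuple[str, str, str]] = []
    for name, text in files.items():
        for key, _value in SECRET_KEYS.findall(text):
            findings.append(("FAIL", name, f"{key} stored in clear text"))
        for key, _value in CARD_KEYS.findall(text):
            findings.append(("FAIL", name, f"{key} (card data) stored on device"))
        for pan in find_card_numbers(text):
            findings.append(("FAIL", name, f"Luhn-valid card number ending {pan[-4:]}"))
        for key in TXN_KEYS.findall(text):
            findings.append(("FAIL", name, f"transaction field {key} cached"))
        for key, _value in USER_KEYS.findall(text):
            findings.append(("WARN", name, f"{key} present"))

    severities = {sev for sev, _, _ in findings}
    grade = "Fail" if "FAIL" in severities else "Warn" if "WARN" in severities else "Pass"
    return {"grade": grade, "findings": findings}


# Constructed sample storage dumps, one per grade in the article.
SAMPLE_FAIL = {
    "shared_prefs/session.json": '{"username": "jdoe", "password": "hunter2", "remember": true}',
    "cache/history.log": "txn amount=42.10 payee=ACME card_last4=1234 ref=4111111111111111",
}
SAMPLE_WARN = {
    "shared_prefs/session.json": '{"username": "jdoe", "theme": "dark"}',
}
SAMPLE_PASS = {
    "shared_prefs/session.json": '{"theme": "dark", "last_sync": "2011-04-01"}',
}

if __name__ == "__main__":
    for label, sample in (("fail", SAMPLE_FAIL), ("warn", SAMPLE_WARN), ("pass", SAMPLE_PASS)):
        result = audit_app_data(sample)
        print(label, "->", result["grade"])
        for sev, fname, note in result["findings"]:
            print(f"  [{sev}] {fname}: {note}")
```

The hardened counterpart of the failing sample is simply an app whose on-device files contain none of these fields: the login password is sent to the server once and discarded, the session is represented by a short-lived token held in memory, and anything that must persist (a display name, a theme) is data whose disclosure the study treated as a Warn at most. Running the audit against a real app's data directory means loading its files into the `files` dict; binary formats such as SQLite databases would need to be exported to text first, which this example does not do.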