25% Of Tested Mobile-Banking Apps Flunked Security Test

Mobile-banking applications fared better than retail, productivity and social-networking apps, but banks still have work to do to protect customer data on mobile devices, a security audit released Aug. 8 suggests.

In the study conducted by Chicago Electronic Discovery LLC’s viaForensics, 25% of the 32 mobile-banking applications analyzed between last November and June received a “fail” rating. In most cases, the failures occurred because testers were able to recover a password or other sensitive data from a user’s mobile device.

In some cases, the apps cached a security PIN or a user name and password. In other instances testers were able to recover payment histories, partial credit card numbers and other transaction-related data.

About one-third (31%) of mobile-banking apps received a “Warn” grade because a user name or app data was present, but it was not considered a significant risk to the user. The remaining 44% of mobile-banking apps passed the test.

To put the findings into context, no social-networking or retail mobile apps passed viaForensics’ test, and a mere 9% of productivity apps passed.

But unencrypted passwords seem to be tripping up banks. “The password thing is black and white,” says Andrew Hoog, viaForensics chief investigative officer. “You either store in clear text on the mobile device itself or you don’t. That’s where the real risk is.”
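The audit described above follows a simple pattern: log in to the app with known test credentials, then look at what the app left on the device. The script below is an added illustration of that check and its Pass/Warn/Fail grading (password or PIN recoverable in clear text fails; only a user name recoverable warns; nothing recoverable passes); it is not viaForensics' tooling or any bank's code. The three app data directories, their file contents and the credential values are constructed here for the demonstration.

```python
"""Post-login storage sweep for a mobile app under test.

After exercising the app with known test credentials, walk the app's data
directory and report which of those values are recoverable in clear text.
The grading mirrors the scheme the audit in the article used:
  FAIL - a password or PIN is recoverable
  WARN - only a user name (or other app data) is recoverable
  PASS - none of the test credentials are found

Added example with constructed sample data; not taken from any real app.
"""
import base64
import os
import tempfile
from pathlib import Path


def _candidate_encodings(value: str):
    """Byte patterns a clear-text value commonly appears as on disk.

    Raw UTF-8, UTF-16LE (wide strings) and base64. Encoding is not
    encryption, so a base64-wrapped password still counts as clear text.
    Note: base64 matching assumes the value was encoded on its own, not as
    part of a longer string (alignment would change the output otherwise).
    """
    yield value.encode()
    yield value.encode("utf-16-le")
    yield base64.b64encode(value.encode())


def sweep_app_data(root, credentials):
    """Return {category: [relative file paths]} for every credential found.

    `credentials` maps a category name ("username", "password", "pin")
    to the value that was typed into the app during the test session.
    """
    root = Path(root)
    hits = {name: [] for name in credentials}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for name, value in credentials.items():
            if any(pat in data for pat in _candidate_encodings(value)):
                hits[name].append(str(path.relative_to(root)))
    return hits


def grade(hits):
    """Apply the audit's grading: password/PIN -> FAIL, anything else -> WARN."""
    if hits.get("password") or hits.get("pin"):
        return "FAIL"
    if any(hits.values()):
        return "WARN"
    return "PASS"


def build_sample_device(root):
    """Construct three fake app sandboxes (constructed data, hypothetical package names)."""
    creds = {"username": "jdoe", "password": "hunter2", "pin": "4821"}
    root = Path(root)
    # App A caches the PIN raw and the password base64-wrapped in its preferences.
    a = root / "com.example.bank_a" / "shared_prefs"
    a.mkdir(parents=True)
    (a / "login.xml").write_text(
        '<map><string name="pin">4821</string>'
        f'<string name="pw">{base64.b64encode(b"hunter2").decode()}</string></map>'
    )
    # App B stores only the user name, to prefill the login form.
    b = root / "com.example.bank_b" / "shared_prefs"
    b.mkdir(parents=True)
    (b / "login.xml").write_text('<map><string name="user">jdoe</string></map>')
    # App C keeps only an opaque session token; credentials never touch disk.
    c = root / "com.example.bank_c" / "files"
    c.mkdir(parents=True)
    (c / "session.bin").write_bytes(bytes(range(32)))  # constructed opaque token
    return creds


def run_demo():
    """Sweep each sample app and return {package: grade}."""
    with tempfile.TemporaryDirectory() as tmp:
        creds = build_sample_device(tmp)
        results = {}
        for app in sorted(os.listdir(tmp)):
            results[app] = grade(sweep_app_data(Path(tmp) / app, creds))
        return results


if __name__ == "__main__":
    for app, result in run_demo().items():
        print(f"{app}: {result}")
```

Against the constructed data the sweep grades bank_a FAIL (PIN raw, password merely base64-wrapped), bank_b WARN (user name only) and bank_c PASS. On a real device the same sweep would be run over the app's sandbox, including databases, caches and logs, after a full login-and-transact session, since transaction history and partial card numbers were among the recovered data the audit reported.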

Mobile devices move all around the world, they are always online, and they are completely outside a financial institution’s control, Hoog points out.

Storing a user name insecurely does not cause a fail. “It’s only a piece of the puzzle, and it’s not the most difficult piece of the puzzle,” Hoog says. “It helps to know what somebody’s user name is because then you don’t have to try to guess what it is. But if somebody has your password, most people are in big trouble, not only because the criminal would be able to compromise their account, log in online and transfer information, but people reuse passwords and user names. That’s the avalanche effect.”

For the average consumer, getting their password would get a cyber-thief into 30% to 90% of the online services that person uses, Hoog says.

“If you do get the password, it’s earth-shattering bad stuff because you can get into almost anything they do online,” he says.

Hoog believes banks and the vendors they purchase from and work with have been overly focused on market share, new features, monetization, expansion and answering consumer demand. “They’re not putting enough or sometimes any effort into security,” Hoog says.

And securing a mobile app is different from securing a banking website or the software on the bank’s servers.

In general, the security industry hasn’t caught up, Hoog says. “The good news is, it’s possible to develop secure mobile apps; you just have to bear in mind the gotchas and trade-offs,” he says. “The problem is, development is a very creative and human endeavor, which means mistakes can get introduced.”
