
90% of mobile banking apps have security problems

Posted: , by Ivaylo Ivanov

Do you use the mobile app offered by your bank to make deposits or to handle other transactions? You might not be so eager to use it next time after hearing about the results of a recent study. Ariel Sanchez of IOActive Labs used his Apple iPhone and Apple iPad to test out mobile banking apps, and found that 9 out of 10 have a security problem. When dealing with your money, those are not the odds that you want to see.

Sanchez tested 40 of the world's 60 "most influential banks" and found that some mobile banking apps allowed crooks to devise forms for phishing. In other words, you could receive an email that looks like an official message from the bank, asking you for personal information. But instead of going to the bank, the info goes to criminals, who use it for evil purposes. Amazingly, 70% of the mobile banking apps did not have an alternate method of authentication which could help guard against impersonation of customers.

Most of the apps can easily disclose your authentication information through the Apple system log. With the iPhone Configuration Utility tool, this information can come tumbling out of an application dump. Nice, huh? And 20% of the apps sent out security codes through plaintext communication, heightening the possibility that confidential information could be intercepted and used to drain your account. Some banks are using an unencrypted database to store your confidential information.

Hopefully the financial institutions look at the report and make the necessary changes. Look at what happened to Snapchat when it didn't listen to a security expert. Right now, using a mobile banking app would appear to be akin to playing Russian Roulette with your money.

source: IOActive via BGR


posted on 14 Jan 2014, 12:07 4

1. Jommick (Posts: 221; Member since: 10 Sep 2013)

What about Android banking apps?

posted on 14 Jan 2014, 17:52

10. joey_sfb (Posts: 6533; Member since: 29 Mar 2012)

All my local banks use 2-factor authentication. Data are transmitted and stored in encrypted form. It's a requirement spelled out by our local financial authority, so every bank has to follow.

Both iOS and Android must comply before they can launch their apps.

posted on 14 Jan 2014, 12:23

2. InspectorGadget80 (unregistered)

I never use mobile apps to buy items or pay bills. It's not reliable no matter what company it is under. Apps never have tight security.

posted on 14 Jan 2014, 14:25

6. Augustine (Posts: 1043; Member since: 28 Sep 2013)

I always avoid them too. As a software engineer, I wouldn't trust accessing my bank account from a mobile device to a programmer.

posted on 14 Jan 2014, 15:21

9. Jayshmay (Posts: 82; Member since: 27 Mar 2011)

People who fall for phishing are stupid. First of all, an email from your bank will have either your name or the last 4 of your acct number; a phishing email will just refer to you as "Dear Customer", nothing personal, like the bank would.

posted on 15 Jan 2014, 00:21

12. Droid_X_Doug (Posts: 5993; Member since: 22 Dec 2010)

I am more paranoid than you are. I use my bank's mobile app only to check the balance in the accounts and what has been deposited or payments/debit card activity. I do not enable the app to pay bills or make deposits or transfer funds.

There is no such thing as a completely secure mobile app.

posted on 14 Jan 2014, 12:26

3. Aplusk (Posts: 120; Member since: 10 Nov 2013)

That's not good news.

posted on 14 Jan 2014, 12:34

4. axllebeer (Posts: 271; Member since: 05 Apr 2011)

Anyone still banking on a BlackBerry? I know a huge percentage of the world is using Android too. Why was this study limited only to iOS devices?

posted on 14 Jan 2014, 13:18

5. bubbadoes (Posts: 1225; Member since: 03 May 2012)

Not surprised at all! Target and Neiman Marcus have all fallen victim to data breaches. What makes you think your cell phone is any different? With all the free wifi hotspots out there, some being havens for identity theft is no surprise at all. At least my bank will not hold me liable for any fraudulent charges/activity.

posted on 14 Jan 2014, 14:27

7. Augustine (Posts: 1043; Member since: 28 Sep 2013)

Which makes the most common vulnerability, failure to use SSL, all the more egregious. This is by far the easiest thing to have and, since it's neglected by 90% of the apps, it hints at even worse carelessness in the other, more difficult to counter vulnerabilities.

posted on 14 Jan 2014, 14:31 2

8. DukeX (Posts: 327; Member since: 28 Aug 2013)

You all act like this couldn't happen on a PC. Jeez

posted on 14 Jan 2014, 20:12

11. Edmund (Posts: 656; Member since: 13 Jul 2012)

Nope. The only solution I would ever use is Internet Explorer
