My bank recently rolled out its own iPhone app. I downloaded it and was just about to check it out. Then, paranoia. If you read my article about whether online banking is safe or not, you will understand. What do I know about this app?
So, I started looking into mobile banking apps. It did not take long to find out security advocates also have their concerns. Spencer Ante of the Wall Street Journal raises a warning in his article: "Banks Rush to Fix Security Flaws in Wireless Apps". Here is the lead paragraph:
"A number of top financial companies and banks such as Wells Fargo & Co., Bank of America Corp., and USAA are rushing out updates to fix security flaws in wireless banking applications that could allow a computer criminal to obtain sensitive data like usernames, passwords, and financial information."
The same article mentioned viaForensics, a company specializing in securing mobile applications, as the firm responsible for discovering the vulnerabilities. Good for them. My question is, why is this even happening? It is not complicated. Our banking credentials should be considered sacred, period.
On a good note, viaForensics' Web site mentions their researchers are working with the affected financial institutions: "Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws."
The blog post goes on to say: "Since that time, several of the institutions have released new versions and we will post updated findings shortly."
In the quote, viaForensics mentioned publishing new test results. That refers to their online service called appWatchdog.
Within days, and to their credit, most of the banking firms pushed out updates to remove the vulnerabilities. The following appWatchdog slide displays the results from testing Wells Fargo's app for Android phones on November 3, 2010:
Three days later, the same Android app from Wells Fargo passed every test:
Why worry then?
It appears mobile banking applications are getting fixed. It also was pointed out that viaForensics found vulnerabilities, not actual attacks. So there is nothing to worry about? Not quite; I talked to experts who disagree.
One researcher in particular voiced the following concerns:
- Most mobile devices are so new that security apps are not available.
- Keeping members' banking information secure should be a no-brainer, yet it is not so.
- PCs are still a target-rich environment, so criminals are not yet focused on creating mobile phone malware.
The difference is insignificant, but Sullivan also mentioned this year's total was nearly double last year's. So, stay tuned.
What's the answer?
For right now, if banking online is a must, using a dedicated PC, LiveCD, or a bootable flash drive are still the best solutions.
Final thoughts
Not sure what it all means--is it FUD or are we making the same mistakes we do banking online with PCs? What do you think?
Update (Nov. 29, 2010):
Andrew Hoog, chief investigative officer for viaForensics, contacted me. They tested five new mobile applications: Groupon, Kik Messenger, Facebook, Dropbox, and Mint.com. All the applications failed to securely store username and application data. More troubling, four applications: Groupon (Android), Kik Messenger (Android), Kik Messenger (iPhone), and Mint.com (Android) were storing passwords as plain text.
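To make the update concrete, here is an added example (my own illustration, not code from viaForensics or appWatchdog) of the kind of check behind a "stores passwords as plain text" finding: log into an app with a known test credential, then search every file in the app's data sandbox for that exact secret. The sandbox contents below are constructed for the demo: an Android-style shared preferences XML that keeps the password verbatim (the insecure pattern) and a SQLite database that keeps only an opaque session token (the acceptable pattern). The file names, the username, and the password are all assumptions.

```python
"""Audit an app's local data directory for plaintext credentials.

Assumed methodology: after logging into an app with a known test credential,
any verbatim copy of that credential in the app's sandbox (preferences,
SQLite databases, logs) is an insecure-storage finding.  The sandbox built
here is constructed for illustration; a real audit points scan_for_secret()
at a copy of the app's data directory.
"""
import re
import sqlite3
import tempfile
from pathlib import Path


def build_sample_sandbox(root: Path, username: str, password: str) -> None:
    """Create a constructed app-data tree with one insecure and one acceptable
    storage pattern (demo data only, not taken from any real app)."""
    # Android-style SharedPreferences XML storing the password in plain text.
    prefs = root / "shared_prefs" / "login.xml"
    prefs.parent.mkdir(parents=True)
    prefs.write_text(
        "<?xml version='1.0' encoding='utf-8'?>\n<map>\n"
        f'  <string name="user">{username}</string>\n'
        f'  <string name="pass">{password}</string>\n</map>\n'
    )
    # SQLite database storing only an opaque session token, never the password.
    db = root / "databases" / "session.db"
    db.parent.mkdir(parents=True)
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE session (user TEXT, token TEXT)")
    conn.execute("INSERT INTO session VALUES (?, ?)",
                 (username, "opaque-session-token-0001"))
    conn.commit()
    conn.close()


def scan_for_secret(root: Path, secret: str) -> list[tuple[str, str]]:
    """Walk every file under root and return (relative path, surrounding bytes)
    for each verbatim occurrence of secret.  Files are read as bytes so hits
    inside binary containers such as SQLite pages are found too."""
    needle = re.escape(secret.encode())
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        for m in re.finditer(needle, data):
            start = max(0, m.start() - 20)
            context = data[start:m.end() + 20].decode("utf-8", "replace")
            hits.append((path.relative_to(root).as_posix(), context))
    return hits


def run_demo() -> dict:
    """Build the constructed sandbox, then audit it for the test credential.
    The password should surface only in the preferences file; the username
    legitimately appears in both files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_sandbox(root, "alice", "CorrectHorseBatteryStaple")
        return {
            "password_hits": scan_for_secret(root, "CorrectHorseBatteryStaple"),
            "username_hits": scan_for_secret(root, "alice"),
        }


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(kind)
        for rel_path, context in hits:
            print(f"  {rel_path}: ...{context!r}...")
```

A username in local storage is not by itself a finding; the session token in the database is the pattern to aim for, because it can be revoked server-side and does not reveal the password if the device is lost or the backup is read.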
(ZDNETASIA)
Michael Kassner has been involved with IT for over 30 years and is currently a systems administrator for an international corporation and security consultant with MKassner Net.