Forgot your password?
typodupeerror
Security The Almighty Buck Cellphones Iphone

Major Security Holes Found In Mobile Bank Apps 107

Posted by Soulskill
from the and-you-can-take-that-to-the-uh-nevermind dept.
NeverVotedBush writes with this excerpt from CNet: "A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."
This discussion has been archived. No new comments can be posted.

Major Security Holes Found In Mobile Bank Apps

Comments Filter:
  • by TravTrav (1236742) on Friday November 05, 2010 @06:23PM (#34142596) Homepage
    Let's not get so excited about the future that we forget the mistakes of the past folks....
  • +1 Insightful (Score:3, Interesting)

    by brunes69 (86786) <slashdot AT keirstead DOT org> on Friday November 05, 2010 @07:10PM (#34143002) Homepage

    I have to deal with this BS at work all the time

    "...But that password is plain text!"
    "Well, the program has to read it. I can encrypt it, but then the app will just have to decrypt it, which means there will be a decryption key in plain text"
    "Then encrypt the key!"
    "...errr...."

    etc etc.

    Either you allow the user to save their login and password every time, and store it REVERSIBLY, or you don't allow it. If the decryption is reversible then it is totally irrelevant and might as well be plain text, since the "encryption" is no better than ROT-13 if the key is right there for anyone to get.

  • by Anonymous Coward on Friday November 05, 2010 @08:40PM (#34143912)

    Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.

    This article is attempting to make iPhone look less problematic then Android based phones.

    Examples:
      - why don't they list the uneffected Android apps as they do for iPhone?
      - why don't they mention that the Android paypal app is uneffected unlike how it effects the iPhone?
      - why would they provide a link to "Google Android" and not "iPhone iOS" other then to highlight "Android" in bright blue along with the title of this article?

    Question: where does C-net disclose its conflict of interest in their articles? Provide link please.

  • by Wovel (964431) on Friday November 05, 2010 @10:16PM (#34144666) Homepage

    I suppose no one would have read a story titled "Minor (If we really stretch medium)" security holes found in bank apps.

The meta-Turing test counts a thing as intelligent if it seeks to devise and apply Turing tests to objects of its own creation. -- Lew Mammel, Jr.

Working...