Major Security Holes Found In Mobile Bank Apps
NeverVotedBush writes with this excerpt from CNet:
"A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."
Plaintext user data storage? (Score:2, Interesting)
+1 Insightful (Score:3, Interesting)
I have to deal with this BS at work all the time
"...But that password is plain text!"
"Well, the program has to read it. I can encrypt it, but then the app will just have to decrypt it, which means there will be a decryption key in plain text"
"Then encrypt the key!"
"...errr...."
etc etc.
Either you allow the user to save their login and password every time, and store it REVERSIBLY, or you don't allow it. If the decryption is reversible then it is totally irrelevant and might as well be plain text, since the "encryption" is no better than ROT-13 if the key is right there for anyone to get.
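The comment above frames the choice as "store the password reversibly, or don't allow saving it". A third option that many apps use is to persist no password at all: the device keeps only an opaque, revocable token issued after one interactive login, and the server keeps an HMAC of that token rather than the token itself. The following is an added example written for this page, not code from the article or from any of the banks named in it; the in-memory `AuthServer`, the `MobileApp` client, the device ids and the sample credentials are all constructed, and the `device_id` binding stands in for what a real app would anchor to a hardware-backed keystore.

```python
"""
"Remember me" on a device without storing a reversible password.

Constructed example: the app persists only a server-issued device token;
the server stores hmac(token), so neither a copied app sandbox nor a
leaked server table yields the user's password or a replayable token.
"""
import hashlib
import hmac
import json
import secrets

# Server-side pepper for token lookups; never shipped to the device.
SERVER_SECRET = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000


class AuthServer:
    """Constructed stand-in for the bank's backend."""

    def __init__(self):
        self.users = {}    # username -> (salt, pbkdf2 digest)
        self.tokens = {}   # hmac(token) -> (username, device_id)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def _check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def _token_key(self, token):
        # Only the keyed hash of a token is stored server-side.
        return hmac.new(SERVER_SECRET, token, hashlib.sha256).digest()

    def login_and_enroll(self, username, password, device_id):
        """Interactive login; on success issue a token bound to this device."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_bytes(32)
        self.tokens[self._token_key(token)] = (username, device_id)
        return token

    def login_with_token(self, token, device_id):
        """Silent login from a previously enrolled device."""
        rec = self.tokens.get(self._token_key(token))
        if rec is None or rec[1] != device_id:
            return None
        return rec[0]

    def revoke_device(self, username, device_id):
        """User or fraud desk invalidates a lost phone; returns tokens removed."""
        before = len(self.tokens)
        self.tokens = {k: v for k, v in self.tokens.items() if v != (username, device_id)}
        return before - len(self.tokens)


class MobileApp:
    """Constructed client. `storage` models the app's private on-device store."""

    def __init__(self, server, device_id):
        self.server = server
        self.device_id = device_id
        self.storage = {}

    def first_login(self, username, password):
        token = self.server.login_and_enroll(username, password, self.device_id)
        if token is None:
            return False
        # The password itself is never written anywhere on the device.
        self.storage["device_token"] = token.hex()
        return True

    def resume(self):
        tok = self.storage.get("device_token")
        if tok is None:
            return None
        return self.server.login_with_token(bytes.fromhex(tok), self.device_id)

    def persisted_store_contains(self, secret):
        """Defender's check: does anything on disk contain the given secret?"""
        return secret in json.dumps(self.storage)


def demo():
    """Walk through enrolment, silent resume, token replay and revocation."""
    password = "correct horse battery staple"
    server = AuthServer()
    server.register("alice", password)

    phone = MobileApp(server, device_id="phone-A")
    enrolled = phone.first_login("alice", password)          # True
    resumed = phone.resume()                                  # "alice"
    leaks_password = phone.persisted_store_contains(password)  # False

    # Token copied off the phone and replayed from another device is refused.
    other = MobileApp(server, device_id="phone-B")
    other.storage = dict(phone.storage)
    replay = other.resume()                                   # None

    revoked = server.revoke_device("alice", "phone-A")        # 1
    after_revoke = phone.resume()                             # None
    return enrolled, resumed, leaks_password, replay, revoked, after_revoke


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only long-lived secret on the phone is worthless without the server's cooperation: it can be revoked, it cannot be turned back into the password, and its server-side record is a keyed hash rather than the token itself.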
Totally biased article (Score:1, Interesting)
Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.
This article is attempting to make iPhone look less problematic than Android based phones.
Examples:
- why don't they list the unaffected Android apps as they do for iPhone?
- why don't they mention that the Android paypal app is unaffected unlike how it affects the iPhone?
- why would they provide a link to "Google Android" and not "iPhone iOS" other than to highlight "Android" in bright blue along with the title of this article?
Question: where does C-net disclose its conflict of interest in their articles? Provide link please.
Write misleading headlines much? (Score:3, Interesting)
I suppose no one would have read a story titled "Minor (If we really stretch medium)" security holes found in bank apps.