Personal mobile banking apps leak information
Home banking apps that have been adapted for mobile devices have created a significant security challenge for worldwide financial firms, according to research from IOActive. Forty mobile banking apps from the top 60 most influential banks in the world have major security weaknesses, says the Seattle, Washington-based security firm.
IOActive researcher Ariel Sanchez spent 40 hours testing these banks' client-side applications on iPhone and iPad devices. All of the applications could be installed on a jailbroken iOS device, which can run applications that are not available through the official Apple App Store.
Sanchez reported his findings in an IOActive blog.
Most of the log files generated by the apps, such as crash reports, exposed sensitive information that could be used to target users, Sanchez found. Most of the apps also disclosed sensitive information through the Apple system log.
Seventy percent of the apps did not have any alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks.
A new generation of phishing attacks has become very popular in which the victim is prompted to retype his username and password "because the online banking password has expired," Sanchez warned. The attacker steals the victim's credentials and gains full access to the customer's account.
IOActive contacted some of the affected banks to report the vulnerabilities.
"Financial (institutions) should increase the security standards they use for their mobile home banking solutions," Sanchez's blog concluded.