You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.
The apps currently save sensitive information in the phone’s memory. If the device is stolen, a criminal could hack into the physical phone and extract everything they need to remotely access the bank account. Worse, if the smartphone user is conned into visiting a malicious website, the information could also be extracted.
ViaForensics is already working with the banks to fix the bug. “Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws,” the research firm said. “The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly. We applaud the effort several institutions put forth to quickly patch the vulnerability and protect their customers. viaForensics hopes that our efforts help not only companies but users to protect their identity, financial data and other sensitive information.”
Wells Fargo and USAA have already released patches for their apps, and encourage users to download them. Bank of America should have an update out in the next few days, and TD Ameritrade will fix the issue in the next 30 days.
Unfortunately, this is not the first security breach for a mobile app or OS. In June, a major iPad security hole was found, potentially exposing 114,000 users’ information. A flaw allowing users to bypass lock screens on iOS 4.1 was also exposed recently.
12 million people in the U.S. used mobile banking apps and websites last year. Analysts expect this number to rise to 18 million in 2010.