Tech

Banks Rush to Fix Security Flaws in Wireless Apps

A number of top financial companies and banks such as Wells Fargo, Bank of America and USAA are rushing out updates to fix security flaws in wireless banking applications that could allow a computer criminal to obtain sensitive data like usernames, passwords and financial information.

The central problem is that the apps, which run on Apple's iPhone and Android-based devices from Google, are storing a user's information in the memory of a cellphone, a basic lapse that the security researcher who found the flaws said could allow a cybercriminal to access a person's financial accounts.

The data could be gleaned if a criminal got physical access to the phone. It could also be obtained remotely if an attacker were able to con a user into visiting a malicious website, according to Andrew Hoog, chief investigative officer of viaForensics, a Chicago computer and mobile security firm that discovered the flaws.

You could "trick the user with a fishing fake e-mail or text message, sending the user to a website that would infect the device and allow the hacker to steal this data," Mr. Hoog said.

Out of the seven financial companies whose apps viaForensics tested, the Vanguard Group was the only company whose app turned up no flaws.

The rash of vulnerabilities highlights the growing security challenges around wireless applications. Wireless app development is a relatively new field and there is a shortage of skilled programmers. Moreover, companies are being pushed to crank out these applications quickly, which raises the chance of flaws being introduced in the apps.

Read the full story on the Wall Street Journal