Mon
Nov 8 2010
09:09 am

Just a little heads up, in case you missed this: banking apps for Android and iPhone are storing sensitive personal information in cleartext.

The applications distributed by such top banks and financial institutions as Wells Fargo and Bank of America placed various types of information at varying degrees of risk. But at least one Android application, distributed by Wells Fargo, stored an account holder’s user name and password on the phone in cleartext. The application also stored account balances on the phone, according to a security researcher who spoke with the Wall Street Journal.

The applications store the information in the phone’s memory, allowing an attacker to easily glean it from the phone by tricking the user into visiting a malicious website. An example would be sending the user a phishing e-mail containing a link to the malicious site.

In other banking news, banks are becoming ever more intrusive into our lives.

An estimated 40 million consumers, including young people and people who prefer to pay in cash, have too little credit experience to generate a useful credit score. But they are likely to pay rent or utility bills, which could help credit bureaus better assess their credit-worthiness.

Experian, one of the three major credit bureaus, bought RentBureau—which collects rental-payment data from large property managers—and expects to integrate that information into credit records before the end of the year.

Credit bureaus say they also would like to offer data on cellphone payments, but have run into concerns over privacy issues, which may require legislation to untangle.

And from this second article, there is a class-action lawsuit against news outlets that received personal information from cellphone users via the advertising company Ringleader. If the cellphone user tried to delete the code that collected personal information, the database regenerated itself.

shorter version: your lives belong to us.

Opinari's picture

iPhone Apps..

From that same report, referencing a different article:

Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely.

I know on my own device that the iPhone stores the username in cleartext on the Chase banking app, but that's no big deal to me because I use a strong password. What I'd like to see is a biometric implementation, especially given the utility of touchscreen devices. I had such a product on my old Treo 650 that opened apps based upon your voice pattern. Surely something could be constructed for the iPhone and/or the Android.

Dave Prince's picture

The way things are trending,

The way things are trending, I get the feeling that Apple and Google - as the gatekeepers of their respective mobile OS realms and the arbiters of what constitutes secure within them - are going to end up in front of some appropriate committee once the potential problems outlined in stories like these pass a certain threshold.

And yes, that's about as vague as prognostications get.
