Monday, July 26, 2010

Citi Admits Security Flaw in Its iPhone App

source http://online.wsj.com/article/SB10001424052748703700904575391273536355324.html

Citigroup Inc. told its U.S. mobile banking customers they should upgrade to a new application designed for Apple Inc.'s iPhone after the bank's original version was found to have a security flaw.

In an incident that highlights the growing security challenges around wireless apps, Citi said its iPhone app accidentally saved personal account information in a hidden file on users' iPhones. Information that may have been stored includes their account numbers, bill payments and security access codes.

The information may also have been saved to a user's computer if they synced their iPhone with a PC.

It wasn't immediately clear whether the information was stored in an area that could have been accessed by a hacker, but Citi said it doesn't believe the data was breached and said its new app corrects the problem.

"We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," Citi said. An Apple spokeswoman didn't immediately reply to a request for comment.

Security experts worry about "leakage" when confidential data gets logged by wireless apps. Citi said its new application, released July 19, deletes any information that may have been saved to a user's iPhone or computer.

Citi said the problem was discovered in a routine security review. Citi notified customers of the problem in a letter dated July 20. Other Citi iPhone apps such as the app for credit card customers weren't affected, said Citi in a statement.

Citi launched the iPhone app in March 2009 in conjunction with mobile financial services provider mFoundry. MFoundry, a private company based in Larkspur, Calif., didn't respond to a request for comment.

The bank said it performed security tests before and after the release of the application but failed to detect the problem. Citi said it is conducting an internal analysis to determine why it didn't find the vulnerability.

Mobile banking is a popular and fast-growing activity on smart phones. The Citi Mobile app, currently the 11th most popular app in the finance category of Apple's App Store, allows customers to check balances, transfer funds and pay bills.

The glitch highlights the security challenges that are emerging as cellphones grow more sophisticated and consumers increasingly use them to organize their lives. John Hering, chief executive of mobile security provider Lookout, said his company is discovering more apps that could inadvertently expose or leak personal information, such as location information and phone numbers.

"Most consumers and app developers don't know what is happening in their apps, because it is moving so fast," Mr. Hering said. "Apps are proliferating so quickly. We will see more and more of this."

Mr. Hering said the information stored on the phone could potentially be compromised by a determined hacker. "They would create a malicious app that accesses various files on your phone, like a wallpaper or ringtone app," Mr. Hering said. But he praised Citibank for alerting its customers to the problem.

—Ben Worthen contributed to this article.
