Citigroup warns of security flaw in their iPhone mobile banking app

Citigroup instructed the users of its mobile iPhone banking app to upgrade immediately in the wake of a discovered security flaw, according to the Wall Street Journal. Apparently, the mobile banking iPhone app (currently the 11th most popular finance app in the App Store) stores personal data from transactions in a hidden file on your phone. When the iPhone is synced with a PC, this information is transferred to the PC, creating a dangerous vulnerability. The information stored included account numbers, bill payment histories and access codes.

Citigroup is reassuring its customers that it has no reason to believe that the data was breached or used maliciously by identity thieves or hackers. In a statement, Citigroup said, “We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone.” The company is currently conducting internal investigations to find out why such a vulnerability wasn’t found in testing.

As the mobile app market continues to grow at amazing speeds, these kinds of security flaws are not uncommon in a world where the faster your app gets to market, the better it will likely perform. This is something to think about when jumping on the latest cool new functionality the mobile wireless world has to offer. John Hering, CEO of mobile security provider Lookout, says that this is becoming a bigger problem than most people expect.

“Most consumers and app developers don't know what is happening in their apps, because it is moving so fast. Apps are proliferating so quickly. We will see more and more of this.”


12 Comments


Ambroos - That's called two factor authentication (2FA). It uses similar technology as the little tokens you may see around that allow employees to access their networks remotely. It's a good solution for the banks but I've had problems with the card readers not picking up the chip in my card so I would imagine the remote support is a real pain for the banks.

Swerz - I'm surprised they wasted their time developing an app to scan cheques. They are insecure and on the way out. The cheque guarantee attached to most bank cards in the UK is ending next year so its days are numbered.

Overall I think banking phone apps are a bad idea. I was shocked to see the Wonga ad on the tube earlier this year offering loans almost instantaneously at stupid interest rates on your iPhone! It seems like the double dip recession is inevitable.

Banking with access codes is old technology anyway. Here in Belgium everyone gets a tiny card reader on batteries, looks like a calculator. On your banking site you enter your card number, and it gives you a 'challenge'. You put your card in the reader, enter the challenge, enter your pin, and then you get a time-limited response that you have to enter on the site to log in. For every transaction later on you have to repeat the process. Completely safe as long as people don't have your physical card and pin. And your card becomes unusable after 3 wrong tries ;-) now that's secure!

Chase banking just released an app or something of the sort to deposit checks via iPhone. Just simply take pics of both sides of the check and boom.

Lol. I laugh at whoever does this.

Mouettus said,
what about using the web interface via http on wifi or 3g instead?

Does it involve using their app? No? Should be in the clear. At least as far as this particular issue is concerned.

Still, banking over HTTP on wireless? Are you trying to make it easier for people to steal your personal info and rob you blind?

Why would you use your iPhone to store and pay your credit card? That's just so lazy. People rely on the phone way too much...

Horrible company. I work for a retail bank here in the UK and that bank really comes down hard on customers who get into financial problems. Any customer relationship or service stops as soon as that balance goes to £1 in arrears.

totally off topic I know but I hate how they get away with it.

Orange Battery said,
Horrible company. I work for a retail bank here in the UK and that bank really comes down hard on customers who get into financial problems. Any customer relationship or service stops as soon as that balance goes to £1 in arrears.

totally off topic I know but I hate how they get away with it.


All the more reason to invest in them I guess. Looks like they learned from their mistake - don't rely on people that cannot obligate debts.

I'm wondering about the others also, but I use PNC and it doesn't save any logins from what I see, as I have to log in each time. Unknown what it puts on the disk itself though.

“Most consumers and app developers don't know what is happening in their apps, because it is moving so fast. Apps are proliferating so quickly. We will see more and more of this.”

People are very naive. I'm always surprised by the 'cutting edge' enthusiasts and how quick they are to put all of their faith in technology when they have no idea what's going on under the hood. Unfortunately, I think this will get worse before it gets better.