Citigroup Upgrades Careless iPhone Banking App
Sensitive personal banking information was basically left lying around due to a flaw in Citigroup's iPhone app. The bank maintains that no one suffered any loss and that there was no "data breach," even though anyone who picked up an iPhone using the app -- or a computer that had been synched with it -- could have accessed "secret" files containing the information. Citi has released a secure upgrade.
07/27/10 10:12 AM PT
Citigroup customers who do mobile banking on an iPhone should head to the Apple App Store immediately for an upgrade.
A flaw in the Citigroup mobile banking iPhone app released in March 2009 causes personal information to be saved in a hidden file on the mobile device, the banking giant revealed in a letter to customers dated July 20, a day after it released an upgraded application.
Without the upgrade, customers' personal data -- including account numbers, bill payment information and access codes -- is saved on the iPhone. This data also may be saved on customers' computers when synched with their iPhones using iTunes, Citigroup said.
'No Data Breach'
Roughly 117,000 of Citigroup's estimated 800,000 mobile banking customers are believed to have been impacted by the flaw, but the company contends no customers suffered a financial loss because of the glitch.
"We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," Natalie Riper, a Citigroup spokesperson, told MacNewsWorld. "In other words, there has been no data breach."
Even if no Citigroup customers suffered financial harm, this incident highlights the growing need for security around mobile devices as more users rely on smartphones to do everything from managing email to organizing their finances.
Secure Your Devices
The Citi Mobile app, which ranks 11th in popularity in the Apple App Store's finance category, allows customers to check account balances, transfer funds and pay bills.
If that type of information were saved on an iPhone -- or any other mobile device -- it would be easily accessible to anyone who picked up the device, according to Jamz Yaneza, threat research manager at Trend Micro.
"Any device is a potential target [for people looking to steal personal data] when you consider how much data people store on them these days," Yaneza told MacNewsWorld. "You have banking apps, browsing history, office documents, emails, pictures and notes being stored on mobile devices. That's a treasure trove in the wrong hands."
Read the Fine Print
Keeping data from traveling from your mobile device into the wrong hands requires the same attention to security that users generally give to desktop and laptop computers, Yaneza declared.
"There are many things users can do to protect their mobile devices, and most of them are common sense," he said.
First, turn on the device lock. "That's why it's there," he admonished. Second, recognize what content is in your device, and "treat that content as if you were carrying it in your wallet instead of your mobile device. If it's important, don't leave it lying around."
Finally, be careful about the applications you install, even if they come from trusted sources like your bank, Yaneza advised.
"Before running a banking application, make sure your financial institution guarantees privacy and the same loss protection that comes with traditional online or teller transactions," he said. "Read the application's fine print."