ARCHIVES: This is legacy content from before Industry Dive acquired Mobile Commerce Daily in early 2017. Some information, such as publication dates, may not have migrated over. Check out our topic page for the latest mobile commerce news.

What does Citi iPhone app security flaw mean for mobile banking?

Citigroup Inc. responded quickly to correct a security flaw in its mobile banking application for iPhone, and the problem seems to be an isolated incident, not an alarming trend.

Citi emailed its 117,600 customers who have downloaded the iPhone application, asking them to upgrade to the newest version to correct the flaw and claiming that no personal data was actually leaked. While this incident raised eyebrows and called attention to applications’ security issues, mFoundry, provider of the platform on which Citi based its application, maintains that mobile banking is in fact more secure than online or card-based financial services.

“This was a situation where we delivered code to them, and Citi took the code and put more code into it and made the final checks on it and released it, not using mFoundry mobile banking code, using custom code that we wrote and custom code that they wrote,” said Drew Sievers, cofounder/CEO of mFoundry, San Francisco.

“Unfortunately Citi’s custom solution had a problem, but they’ve resolved it—it was a pretty quick fix, and there was no breach in client information,” he said. “They were just being proactive and resolving a potential issue, and the security flaw is not common at all—it was a total anomaly.

“The problem stemmed from the fact that we were combining all of these different code bases, but we support a couple hundred different devices for Citi and this issue has never arisen on any of those.”

Was Citi sleeping?
While unfortunate, Mr. Sievers said that he thought Citi handled the situation as well as it could.

“It’s a situation that shouldn’t have happened, but Citi quickly dealt with it,” Mr. Sievers said. “A lot of the security guys have been clear that there was no real risk of someone getting this information.

“Citi was very proactive in addressing it,” he said.

Here is the official statement released by Citi in response to its application’s security flaw:

During a recent review, we discovered that our U.S. Citi Mobile iPhone banking app was accidentally saving information related to customer accounts in a hidden file on their iPhones.

This information may also have been saved on their computer if they had been synchronizing their iPhone with their computer via iTunes.

We have released an update of our Citi Mobile iPhone banking app that corrects the problem.

This update deletes any Citi Mobile information that may have been saved to their iPhone or computer, and it eliminates the possibility that this will occur in the future.

We are communicating with our customers who downloaded the app to tell them about the update.

Only the U.S. Citi Mobile iPhone(r) banking app is affected. The iPhone(r) app for Citi credit card customers is not affected. Citi’s other mobile services are not affected.

We have no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone, i.e., there has been no data breach.

Again, there has been no data breach and a relatively small number of our customers were affected compared to our total retail bank customer base.

We’re being as open and transparent with our customers as possible to avoid confusion or concern on their part.

The type of information being logged was very basic account and transaction data that many individuals may already store on their computers.

We’ve already released a fix.

When our customers launch the app update on their iPhone, it deletes any Citi Mobile information that may have been saved on that phone or their computer and eliminates the possibility that this will occur in the future.

Mobile banking best practices
Financial institutions and mobile service providers must be ever-vigilant when it comes to security, and many vendors offer platforms and services to increase mobile security.

For example, BIO-key International has unveiled a mobile biometric identification and authentication mobility platform that lets enterprises capture and transmit biometric fingerprint data to a secure server for identity and authentication of smartphone, laptop, tablet and desktop users.

While focusing on security is important, the mobile space does not face challenges that are above and beyond what financial institutions face in other media such as the PC Internet and physical cards.

Consumer adoption of mobile banking continues to grow steadily and mobile financial services will soon be considered mainstream.

Whatever the medium, banks and other financial institutions have an obligation to keep their customers educated and in the know, as Citi appeared to do in this case.

“From a business perspective, mobile banking security is naturally going to become a growing concern as more financial institutions offer it, and more consumers adopt it,” said Red Gillen, senior analyst at Celent, Boston. “In general, banks have been paying a great deal of attention to mobile banking security.

“Because of this, only two mobile banking security issues have come to light in the public domain: the recent Citi iPhone app flaw and a phishing site disguised as a First Tech Credit Union Android app last year,” he said.

“Stories like these will likely serve to increase the priority of banks’ mobile security efforts, as well as increase consumers’ awareness of potential mobile security issues — neither of which is necessarily a bad thing.”

Final Take
Dan Butcher, associate editor, Mobile Commerce Daily