Posted by: sgriewing1 | July 29, 2010

Crisis Averted, For Now

On July 20, 2010, Citi sent a letter to 117,600 customers who use its Citi Mobile iPhone banking app, notifying them of a security flaw. The customers were advised to upgrade to a new version, released the previous day, to protect their personal banking information, including security codes, from potential retrieval by malicious apps.


“During a recent review, we discovered that our U.S. Citi Mobile iPhone banking app was accidentally saving information related to customer accounts in a hidden file on their iPhones,” said Citibank spokeswoman Natalie Riper. “This information may also have been saved on their computer if they had been synchronizing their iPhone with their computer via iTunes.”

According to the Wall Street Journal, Citi performed security tests before and after release of the app, but failed to detect the problem. The bank is looking into why they didn’t find the vulnerability sooner.

“We have no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone, i.e., there has been no data breach,”

While it is unclear how long Citi knew of the app’s problem, the bank clearly had time to address the issue and build new security measures into the newest version of the app before news of the issue hit the media and before any data breach occurred. Crisis averted, for now.

With an estimated 10 million people using mobile banking services, this incident should serve as a warning of potential crises for other financial institutions that offer mobile banking apps.

John Hering, CEO of Lookout, a mobile security provider, said, “Most consumers and app developers don’t know what is happening in their apps, because it’s moving so fast. Apps are proliferating so quickly. We will see more and more of this.”

