Account numbers and access codes improperly stored on handsets

Citigroup, one of the largest financial services companies in the world, has released a new version of its U.S. mobile banking application for the iPhone in order to resolve a security flaw. The issue involved customers' account and payment information being saved in a hidden file on the device.
The Citi Mobile app for iPhone allows customers to perform a variety of online banking tasks like transferring funds, paying bills or making credit card or bank account balance inquiries. The application was launched on Apple's App Store in March 2009 and currently has almost 118,000 registered users.
It seems that due to a design flaw, the Citi Mobile app stored information that it shouldn't have in a hidden local file. Furthermore, this file might have been copied to customers' computers as well during the iPhone syncing process. The data saved included account numbers, bill payment details and even access codes.
However, despite the seriousness of the incident, Citi doesn't believe any data was misused. "We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," the company said in a statement to The Wall Street Journal.
The issue was apparently discovered during a routine security review and the company is unsure as to why the problem was not detected before the application was originally launched, when it was subjected to thorough testing. Citi Mobile users are strongly advised to upgrade to version 2.0.3 released last week, which will also delete the data files created on handsets and computers by the previous insecure variants.
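Added example in Python (not Citi's or Apple's code): an audit of a synced backup directory on a computer for hidden files holding the kinds of fields the article describes (account numbers, bill payment details, access codes), the check a reviewer could run to confirm such leftover files are gone after the update. It assumes the backup has been extracted to a plain directory tree with key=value text fields; the sample files and the `Apps/CitiMobile` path are constructed.

```python
"""Audit an extracted iPhone sync backup for hidden files leaking financial data.
Added example, not Citi's or Apple's code. Assumes the backup is a plain directory
tree (real iTunes backup layout not modelled) with key=value text; samples constructed."""
import os
import re
import tempfile

ACCOUNT_RE = re.compile(r"\b\d{8,17}\b")  # bank/card account numbers: 8-17 digit runs
# Labels for what the article says was stored: account numbers, bill payments, access codes.
LABEL_RE = re.compile(r"(access[_ ]?code|account(_?number)?|payee|amount)\s*[:=]", re.I)

def scan_file(path):
    """Return the lines in one file that look like sensitive financial fields."""
    findings = []
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if LABEL_RE.search(line) or ACCOUNT_RE.search(line):
                    findings.append(line)
    except OSError:
        pass  # unreadable file: skip it rather than abort the audit
    return findings

def audit_backup(root):
    """Walk root; report hidden (dot-prefixed) files with sensitive content
    as {posix_relative_path: [matching lines]}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith("."):
                continue  # the flaw was a hidden file; visible files are out of scope here
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def build_sample_backup():
    """Constructed tree: a leaky hidden file, a benign hidden file, a visible file."""
    root = tempfile.mkdtemp(prefix="sync_audit_")
    app = os.path.join(root, "Apps", "CitiMobile")
    os.makedirs(app)
    samples = {".session_cache": "accountNumber=1234567890123\npayee=ExampleUtility amount=120.00\naccess_code=9876\n",
               ".prefs": "theme=dark\nlast_tab=2\n", "notes.txt": "account=000011112222\n"}
    for name, body in samples.items():
        with open(os.path.join(app, name), "w") as fh:
            fh.write(body)
    return root
```

Calling `audit_backup(build_sample_backup())` flags only the hidden `.session_cache` file with its three sensitive lines; the benign hidden preferences file and the visible file are not reported.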
"There will undoubtedly be concerns that if users lost their iPhone the information could be accessed by an identity thief. […] The good news is that the iPhone has a pretty slick system for notifying users that there is an update available for their installed apps, meaning it should only take a couple of clicks for users to upgrade their version of the Citi Mobile app to a more secure version," Graham Cluley, senior technology consultant at Sophos, commented.
You can follow the editor on Twitter @lconstantin