Did Citi handle the iPhone app security flaw in the right manner?
Following up on the article about the Citi iPhone application, I would like to give my point of view on this topic.
But first, let us quote Mobile Commerce Daily associate editor Dan Butcher in his story titled “What does Citi iPhone app security flaw mean for mobile banking?” (see story):
“Citigroup Inc. responded quickly to correct a security flaw in its mobile banking application for iPhone, and the problem seems to be an isolated incident, not an alarming trend.
Citi emailed its 117,600 customers who have downloaded the iPhone application, asking them to upgrade to the newest version to correct the flaw and claiming that no personal data was actually leaked. While this incident raised eyebrows and called attention to applications’ security issues, mFoundry, provider of the platform on which Citi based its application, maintains that mobile banking is in fact more secure than online or card-based financial services.”
Citi never leaks
The real understory here is the actual problems linked to managing this kind of issues when it comes to native mobile applications.
In this case, Citi has no other choice than revealing what happened as the customer needs to know why the application needs to be updated.
Banks have ecommerce issues and always have, but they usually prefer to control the message and manage it internally. It is about the integrity of the system and making sure no one exploits security flaws.
The other problem is related to time-to-response. It may have taken only a few hours to fix and rebuild the application, but the new version still needs to go through the Apple approval process before being made available to all clients.
And now Citi is at the mercy of customers to actually update their application to protect themselves.
However, not everyone accesses the Apple App Store everyday and it could take months before all customers update their application. During this period, Citi and its customers are exposed and now that the problem is known to the public, even more people could exploit it.
Think long term
Mobile banking makes sense and must be part of banks’ offers.
As banks rid themselves of their usual shyness to integrate new technologies, they are also moving heads down into these trivial issues. It shows a lack of long-term evaluation. And they give away control and responsibility to the App Store.
Even if banks make their applications more secure, this does not remove the issues mentioned above. And I am not even mentioning all the problems related to managing different versions for different operating systems and versions of operating systems just multiplying the risk of having a hidden file mishandled.
The real question, except for the marketing angle, is the native application the best or the right answer for mobile banking based on the key issues outlined above?
The answer is staring banks right in the face, no it is not.
Banks must retain control over the update process. They must have a rapid answer to issues linked to mobile commerce and they must make sure all clients are using the latest version of their mobile commerce solution.
Francis Beaulieu is director of mobile product at Source Evolution, Montreal, Quebec, Canada. Reach him at [email protected].