
Citi proves it’s time for mobile code reviews

2010 July 27
citibank iPhone application from mFoundry

Banks must do better code reviews

The recent Citibank mobile banking security flaw is further evidence that organizations must do more thorough security due diligence.

Code level security reviews apparently discovered and fixed the Citi flaw. The lack of thoroughness in these reviews is what allowed the flaw to get into customer hands in the first place.

I’ve been through many dozens of security reviews with banks and other organizations throughout my career. Unfortunately, I’ve generally seen less due diligence in mobile banking than with more mature and less risky analytics products.

I used to work at mFoundry, the company that provided mobile banking software to Citi. How the flaw got into the code is unclear. I also used to work for analytics & customer experience management provider Tealeaf Technology.

In my experience, the security reviews at banks for Tealeaf were much more detailed than reviews of mobile banking software from any number of vendors. (I am not speaking about mFoundry in particular, but the industry as a whole).

To be clear, mobile banking is safe. Institutions are doing due diligence. My point is that security teams seem to be able to push for deeper security reviews on less visible projects. Similar due diligence will make mobile banking even safer.

Tealeaf is a more mature technology than any mobile solution and by its technical nature presents far less risk. Mobile banking does get security reviews at banks, but they don’t seem to be at the same level.

For example, I have always tried to understand how banks approved one widely used mobile banking software vendor to manage a separate mobile PIN that allows access to data at multiple institutions and stores the data outside a financial institution. Meanwhile, the very same security staff take years to approve management software like Tealeaf to operate within a secure area of their institution for select employee usage.

One explanation would be that schedule pressure to get mobile banking in place is overriding the needs of the security team. Projects that come into institutions with less of an executive mandate and tight deadlines for product announcement give security teams more ability to say “Stop”.

Many mobile banking vendors are small companies with little banking or financial services experience. In my opinion, big banks should do line-by-line code reviews of every release of software from small vendors that will handle customer data. Smaller institutions not wanting to go to this expense should demand that vendors provide references at larger institutions that have done such a review.


Bank security teams must be allowed to do thorough security reviews on every product that interacts with customer data.
