Monday, August 02, 2010

My penny's worth on the Citi App "disaster".

Judging from the number of tweets and the volume of articles about the Citibank iPhone application recall, this was the news item of the month. I think it got more attention than the floods in Pakistan, in which people were killed. It should therefore be classified as a "disaster". (Read here, here, here and here for a small sample.)

"...careful about the applications you install, even if they come from trusted sources..." one "expert" is quoted as saying. Life has just become seriously complex when you can't even trust trusted sources on your mobile. I made quite an effort to get to the bottom of this "massive" security breach, but was unable to understand the issue. Even if some of the transactional data were stored in hidden files on the device, how accessible is it, and how easily can it be used maliciously? This was not clear. Just to make the point, let's assume that the invoice numbers of the bills you have paid were stored on your phone. If someone were to get his hands on these numbers, this would enable them to... pay your bills? Great! Anyhow, many of these numbers are much more in the clear in other formats: for instance in the mail (stored underneath a flimsy piece of envelope paper).

I am sure that the Citibank security officer is very good and diligent, but we must be careful that his/her paranoia does not affect a whole industry. While I am absolutely in support of a safe industry, and many of my postings on this blog support this, one should also guard against over-reactions to things that are non-events.

It seems to me that one should be more worried about the fact that banks print one's credit card number on a plastic card that can also be lost. This critical information is stored in the clear, unencrypted, for all to see....

Anonymous said...

If I wanted to pretend to be you, and needed some form of your ID to prove I was you, it would be easier for me to use the details stored on your phone to contact your utility provider, demonstrate who I was, and then have them bill you at a new address (mine). Then I can open a bank account with a utility bill.

Yes, an envelope is more flimsy, but I'd have to get a job in the post office to intercept it between the utility company and your house; that's quite tricky.