iPhone PayPal App Security Flaw
Recently the Wall Street Journal published an article about a new security flaw found in the PayPal iPhone application.
PayPal, a popular internet-payment company, had launched an iPhone application six months earlier that lets users send and receive funds from their iPhone. Unfortunately, PayPal failed to test it sufficiently, and the application didn’t verify that the phone was communicating directly with PayPal’s servers. This gave an attacker who could redirect the phone’s traffic to his or her own server the opportunity to trick the user into handing over account credentials. Of course, this information could then be used to access the victim’s credit cards and bank accounts.
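The article says the app did not verify that it was talking to PayPal’s servers; in a TLS client that check is certificate validation against a trusted root plus a match between the certificate name and the host requested. The Python example below is added here (it is neither the article’s nor PayPal’s code, and it stands in for the app’s own networking layer) and shows the weak configuration beside the corrected one, with an audit function that a test suite can run against a client context; the `host` and `cafile` values are left to the caller.

```python
# Added example, not PayPal's code: weak vs. corrected TLS client configuration.
import socket
import ssl


def weak_context() -> ssl.SSLContext:
    """Client configuration with the class of flaw the article describes:
    any certificate is accepted, so the phone cannot tell PayPal's server
    from an impostor that its traffic has been redirected to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate from anyone
    return ctx


def secure_context(cafile=None) -> ssl.SSLContext:
    """Corrected configuration: the server must present a certificate that
    chains to a trusted CA (the system store, or `cafile` for a pinned root)
    and whose name matches the host we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client context; an empty list means
    the client actually verifies who it is talking to. This is the kind of
    automated check the article says was missing from the app's testing."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("certificate name not checked against host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def connect_and_verify(host: str, ctx: ssl.SSLContext, port: int = 443,
                       timeout: float = 5.0) -> dict:
    """Open a TLS connection and return the validated peer certificate.
    With secure_context(), a redirected connection that presents a forged or
    mismatched certificate raises ssl.SSLCertVerificationError; with
    weak_context() it succeeds silently and the dict comes back empty,
    because nothing was validated. Needs network access; not run here."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("secure", secure_context())):
        print(name, audit_context(ctx) or "ok")
```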
There are two lessons we can learn from PayPal’s unfortunate mishap and the resulting circumstances:
- Always keep software up to date. There are up to 4 million people around the world using this vulnerable application on their phones. That’s up to 4 million people who will all have to update their iPhones and upgrade this app before this vulnerability goes away. With a user base that large, it will be a long time before the vulnerability disappears. But a user who keeps software up to date can be immune to it today. It is important that companies and users alike put priority on staying up to date to avoid falling prey to a security vulnerability.
- If your information is valuable and critical to your company’s mission, have security professionals periodically test your environment and applications. Looking for security weaknesses and vulnerabilities is a difficult job and requires very specialized skills. This is one of the many services within the LBMC family. [LBMC Assessment Services]. This particular vulnerability wasn’t found by PayPal’s developers or quality analysts. It was found by IT security researchers. Don’t leave security testing up to your own resources—specialized knowledge is essential in an industry that evolves as quickly as information security. What kept a person safe in a car 10 years ago—a seatbelt and an airbag—still keeps that person safe in a car today. What kept a computer safe 10 years ago is laughable in a conversation about protecting information today.
According to PayPal, no known cases of identity theft have occurred as a result of this vulnerability to date. I certainly hope that is correct and that it stays that way. But even though PayPal says that the problem has been resolved now (or at least it seems to have been resolved), it can have a lasting negative effect on the company’s growth potential in the mobile phone market—or even the general market—for years to come.

Yikes! I have been using the depositing of a check via a picture functionality recently. Hope my information is still safe. Scary!
The increased trust in online payments, now extending to mobile, is going to result in a major vulnerability being exploited at some point. The speed of innovation is forcing companies like PayPal to put speed to market in front of security. Generally speaking, it seems the best thing to do is to stick with secure web apps and avoid native mobile apps until they have had their first breach :)
It's always been interesting to me that Microsoft's security issues are talked about openly in the media and Apple's are almost swept under the rug.
A little unfair in my book.
Thanks for keeping us informed on relevant issues!