
Banking app flaw left customers open to hacking attack

07 December 2017

Researchers at Birmingham University have been working with UK banks and the Government's National Cyber Security Centre to fix a flaw in banking apps that could have left millions of customers vulnerable to fraudulent hacks.

The Birmingham University team ran a security testing tool on mobile banking apps from HSBC, NatWest, Co-op and others and uncovered a security hole which allowed an attacker on the same network as the victim to perform a man-in-the-middle takeover and retrieve usernames, passwords and PIN codes.

The fault lay in the common use of 'certificate pinning', which normally improves security but in this instance hid the bug from standard security testing.

Dr Flavio Garcia, a member of the research team, says: "Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."
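As an added illustration (not code from the article, the banks' apps or the researchers' tool), the following shows why pinning alone is not enough: a client that only checks a pin on the issuing CA's public key accepts any certificate that CA issued, whatever name it carries, while a client that also verifies the hostname against the certificate's subjectAltName rejects it. The certificate structure, key bytes and host names are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate, holding only the two
    fields these checks need; a real client reads them from the TLS peer certificate."""
    issuer_spki_der: bytes   # DER SubjectPublicKeyInfo of the issuing CA (a common pin target)
    sans: list               # dNSName entries from subjectAltName


def spki_pin(spki_der: bytes) -> str:
    """SHA-256 pin over the DER-encoded SubjectPublicKeyInfo, hex-encoded."""
    return hashlib.sha256(spki_der).hexdigest()


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact match, or a single '*' as the whole
    left-most label; a wildcard never spans more than one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def pin_ok(cert: Cert, pins: set) -> bool:
    return spki_pin(cert.issuer_spki_der) in pins


def host_ok(cert: Cert, expected_host: str) -> bool:
    return any(hostname_matches(san, expected_host) for san in cert.sans)


def accept_pinning_only(cert: Cert, pins: set, expected_host: str) -> bool:
    """The flawed policy the article describes: the pin check passes and the
    expected host name is never compared against the certificate."""
    return pin_ok(cert, pins)


def accept_pinned_and_verified(cert: Cert, pins: set, expected_host: str) -> bool:
    """Hardened policy: pin AND hostname must both match (chain validation is
    assumed to be done by the TLS stack before this is called)."""
    return pin_ok(cert, pins) and host_ok(cert, expected_host)


# Constructed sample data: two certificates from the same pinned CA,
# one for the bank's name and one for an unrelated name.
CA_SPKI = b"constructed-ca-subject-public-key-info"
PINS = {spki_pin(CA_SPKI)}
BANK_CERT = Cert(CA_SPKI, ["*.examplebank.test"])
OTHER_HOST_CERT = Cert(CA_SPKI, ["unrelated.example.test"])
```

With `expected_host = "api.examplebank.test"`, the pinning-only policy accepts both certificates; the combined policy accepts only the bank's.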

Other weak links were also found, including "in-app phishing attacks" against Santander and Allied Irish Bank, which could have let an attacker take over part of the screen while the app is running and use this to phish for the victim's login credentials.

Having reported the security holes to the banks involved, the researchers say that all current versions of the apps affected are now secure and stress the importance to customers of installing upgrades as soon as they are offered.

However, one of the issues highlighted by the research is that users of older Apple devices, which are restricted to older iOS versions, cannot receive any updates once the app developer raises the app's minimum OS version beyond what those devices support.

Winston Bond, technical director EMEA at mobile app security firm Arxan, says: "For users the best advice is to keep as up-to-date as they can. RBS and NatWest customers with the same old Apple device that the researchers used - probably a 1st generation iPad, which is limited to iOS 5.1.1 - should probably think about using something else for their banking. At the very least, they should be wary of public Wi-Fi networks."
