Researchers at Birmingham University have been working with UK banks and the Government's National Cyber Security Centre to fix a flaw in banking apps that could have left millions of customers vulnerable to fraudulent hacks.
The Birmingham University team ran a security testing tool on mobile banking apps from HSBC, NatWest, Co-op and others and uncovered a security hole which allowed an attacker on the same network as the victim to perform a man-in-the-middle attack and retrieve usernames, passwords and PIN codes.
The fault lay in the common use of 'certificate pinning', which normally improves security but in this instance hid the bug from standard security testing.
Dr Flavio Garcia, a member of the research team, says: "Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."
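The flaw Garcia describes is easy to see in code. The following Python is an added illustration, not the researchers' tool or any bank's app: it models a pinned-CA check with and without hostname verification, using a constructed `Cert` stand-in and constructed key bytes rather than a real X.509 parser, and shows why a certificate the pinned CA issued for some other site passes the pin-only check.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    """Minimal stand-in for a parsed leaf certificate (constructed, not a real X.509 parser)."""
    subject_alt_names: list   # DNS names the CA actually vouched for
    issuer_spki: bytes        # DER SubjectPublicKeyInfo of the issuing CA (constructed bytes here)


def spki_pin(spki: bytes) -> str:
    """Pin the issuer by the SHA-256 of its SubjectPublicKeyInfo, hex-encoded."""
    return hashlib.sha256(spki).hexdigest()


def hostname_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or one '*' standing for the whole left-most label."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False              # reject partial ("a*.example") and non-leftmost wildcards
    h_first, _, h_rest = host.partition(".")
    return bool(h_first) and h_rest == rest   # the wildcard matches exactly one label


def verify_pin_only(cert: Cert, pins: set) -> bool:
    """The flawed check: accepts any certificate the pinned CA has issued, for any hostname."""
    return spki_pin(cert.issuer_spki) in pins


def verify_pin_and_hostname(cert: Cert, pins: set, hostname: str) -> bool:
    """The corrected check: the pin must match AND the certificate must name the host."""
    if spki_pin(cert.issuer_spki) not in pins:
        return False
    return any(hostname_matches(hostname, san) for san in cert.subject_alt_names)


# Constructed sample data: one pinned CA, the bank's own cert, and another customer's cert from the same CA.
CA_SPKI = b"constructed-public-key-of-the-pinned-CA"
PINS = {spki_pin(CA_SPKI)}
BANK_HOST = "mobile.bank.example"
genuine = Cert(["mobile.bank.example", "*.bank.example"], CA_SPKI)
same_ca_other_site = Cert(["other-customer.example"], CA_SPKI)

if __name__ == "__main__":
    print("pin only, other site:", verify_pin_only(same_ca_other_site, PINS))              # True: the hole
    print("pin+host, other site:", verify_pin_and_hostname(same_ca_other_site, PINS, BANK_HOST))  # False
```

Run against a pin-only client, `same_ca_other_site` is accepted for `mobile.bank.example`, which is exactly the condition a same-network attacker holding any certificate from the pinned CA could exploit; the combined check rejects it.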
Other weak links were also found, including "in-app phishing attacks" against Santander and Allied Irish Bank which could have let an attacker take over part of the screen while the app is running and use this to phish for the victim's login credentials.
Having reported the security holes to the banks involved, the researchers say that all current versions of the apps affected are now secure and stress the importance to customers of installing upgrades as soon as they are offered.
However, one of the issues highlighted by the research is that users of older Apple devices, which are stuck on older iOS versions, stop receiving updates once the app developer raises the app's minimum OS version beyond what those devices support.
Winston Bond, technical director EMEA at mobile app security firm Arxan, says: "For users the best advice is to keep as up-to-date as they can. RBS and NatWest customers with the same old Apple device that the researchers used - probably a 1st generation iPad, which is limited to iOS 5.1.1 - should probably think about using something else for their banking. At the very least, they should be wary of public Wi-Fi networks."