Banking app flaw left customers open to hacking attack

07 December 2017

Researchers at Birmingham University have been working with UK banks and the Government's National Cyber Security Centre to fix a flaw in banking apps that could have left millions of customers open to fraud.

The Birmingham team ran an automated security testing tool against mobile banking apps from HSBC, NatWest, Co-op and others and uncovered a flaw that let an attacker on the same network as the victim (a shared public Wi-Fi network, for example) mount a man-in-the-middle attack and retrieve usernames, passwords and PIN codes.

The underlying fault was missing hostname verification: the apps checked that the server's certificate chained to the expected certificate ('certificate pinning') but did not check that the certificate had been issued for the bank's own hostname. Pinning normally improves security, but here it hid the bug from standard security testing, because the interception proxy a tester would normally use presents its own certificate, which the pin rejects before the hostname check is ever exercised.

Dr Flavio Garcia, a member of the research team, says: "Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."
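The two halves of the server check, reduced to working code, as an added example (this is not code from the research team or from any of the banks' apps). `vulnerable_accept` models the flawed behaviour: it trusts any certificate that chains to the pinned CA, so a certificate the attacker legitimately obtained from that same CA for a domain they control is accepted. `hardened_accept` adds the missing hostname check against the certificate's DNS subjectAltName entries, with the wildcard rules of RFC 6125. The certificate dictionaries follow the tuple layout returned by Python's `ssl.SSLSocket.getpeercert()`; the `issuer_spki_sha256` field, the pinned hash and the hostnames are constructed for the example, where a real client would take them from the verified TLS chain.

```python
import hashlib

# Constructed stand-in for the pinned CA's SubjectPublicKeyInfo hash. A real
# app hard-codes the SHA-256 of the DER-encoded SPKI of the CA (or leaf) key.
PINNED_CA_SPKI_SHA256 = hashlib.sha256(b"constructed CA public key").hexdigest()

# Certificates in the layout returned by ssl.SSLSocket.getpeercert(), plus a
# constructed "issuer_spki_sha256" field standing in for the hash of the
# issuing CA's key taken from the verified chain.
GENUINE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
    "issuer_spki_sha256": PINNED_CA_SPKI_SHA256,
}

# What an on-path attacker can present: a perfectly valid certificate from the
# same CA, issued for a hostname the attacker controls. The pin still matches.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
    "issuer_spki_sha256": PINNED_CA_SPKI_SHA256,
}


def pin_matches(cert, pinned_spki_sha256):
    """Certificate pinning: does the chain contain the expected CA key?"""
    return cert.get("issuer_spki_sha256") == pinned_spki_sha256


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, '*' allowed only as the
    whole leftmost label, never matching more than one label, and never
    matching a bare public suffix such as '*.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Hostname verification: is the certificate issued for this host?"""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    # Legacy fallback: only consult the subject CN when no DNS SANs exist.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def vulnerable_accept(cert, hostname, pinned_spki_sha256):
    """The flawed check: pin only. The hostname argument is deliberately
    ignored, which is exactly the bug the researchers describe."""
    return pin_matches(cert, pinned_spki_sha256)


def hardened_accept(cert, hostname, pinned_spki_sha256):
    """Pin AND hostname: both must hold before the app sends credentials."""
    return pin_matches(cert, pinned_spki_sha256) and hostname_matches(cert, hostname)


if __name__ == "__main__":
    host = "mobile.bank.example"
    for label, cert in (("genuine", GENUINE_CERT), ("attacker", ATTACKER_CERT)):
        print(f"{label:8s} pin-only={vulnerable_accept(cert, host, PINNED_CA_SPKI_SHA256)!s:5s} "
              f"pin+hostname={hardened_accept(cert, host, PINNED_CA_SPKI_SHA256)}")
```

The testing consequence follows directly from the code: a standard interception proxy fails `pin_matches`, so a tester never reaches the hostname check and the app looks secure. To exercise the hostname check you have to present a certificate that the pin accepts, that is, one genuinely issued by the pinned CA for a different hostname you control, and see whether the app still connects.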

Other weak links were also found, including "in-app phishing attacks" against Santander and Allied Irish Bank, which could have let an attacker take over part of the screen while the app is running and use it to phish for the victim's login credentials.

Having reported the security holes to the banks involved, the researchers say that all current versions of the affected apps are now fixed, and stress the importance to customers of installing updates as soon as they are offered.

However, one issue highlighted by the research is that users of older Apple devices that are stuck on older iOS versions can no longer receive updates once the app developer raises the app's minimum iOS version beyond what those devices support.

Winston Bond, technical director EMEA at mobile app security firm Arxan, says: "For users the best advice is to keep as up-to-date as they can. RBS and NatWest customers with the same old Apple device that the researchers used - probably a 1st generation iPad, which is limited to iOS 5.1.1 - should probably think about using something else for their banking. At the very least, they should be wary of public Wi-Fi networks."
