Banking app flaw discovered, potentially putting millions at risk

7 Dec 2017

A vulnerability was detected in the apps of major financial institutions. Image: Sata Production/Shutterstock

Significant flaw discovered in prominent banking apps, raising security concerns.

University of Birmingham researchers found a major vulnerability in banking apps during a recent test of 400 security-critical apps. Apps from major financial institutions, including NatWest, Bank of America Health and HSBC, all exhibited the same vulnerability.

It allowed the attacker, who is connected to the same network as the victim (whether that’s public or corporate Wi-Fi), to perform a man-in-the-middle attack and retrieve credentials such as a username and a pin code.

Although the researchers found that the banks had put a lot of time and effort into ensuring their apps were secure, the issue was with one particular technology known as ‘certificate pinning’, a practice that meant standard tests failed to find a serious loophole that could allow attackers to access a victim’s online banking.

If enabled, the vulnerability could have enabled the attacker to decrypt, view and modify network traffic from app users, allowing the attackers to perform any operation usually available on the app.

Another attack flagged by the researchers was ‘in-app phishing’, which AIB and Santander had been vulnerable to. These particular attacks would have allowed for a bad actor to take over part of the screen and use this to phish for login credentials.

Update your apps

The researchers worked with all affected banks and the UK National Cyber Security Centre to fix the vulnerabilities, and the current versions of all the apps are now secure. It is recommended that banking app users ensure they are running the most recent update of the app, and people should be swift to install the newest versions as they roll out.

Dr Tom Chothia, Dr Flavio Garcia and Phd candidate Chris McMahon Stone carried out the research, and are all members of the Security and Privacy Group at the University of Birmingham.

Chothia said: “In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect and we could only find so many weaknesses due to the new tool we developed.”

He added: “It’s impossible to tell if these vulnerabilities were exploited but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”

Garcia said that although certificate pinning is a good technique, it made it hard for penetration testers to identify the more pressing issue of a lack of hostname verification.

McMahon Stone added: “As this flaw is generally difficult to detect from normal analysis techniques, we have developed a detection tool that is semi-automated and easy to operate. This will help developers and penetration testers ensure their apps are secure against this attack.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects