A new security flaw has been discovered that puts 10 million banking app users at risk. The flaw affects apps from HSBC, NatWest, Co-op and Bank of America Health.
The flaw was found by researchers from the University of Birmingham using their tool for semi-automated security testing of mobile phone apps. The team ran the tool on a sample of 400 security-critical apps and found a critical vulnerability in banking apps that affects millions of users.
According to the researchers, the vulnerability is critical because it enables any user on the same network as the victim (e.g., public WiFi or a corporate network) to perform a so-called “Man in the Middle Attack” and retrieve the user’s credentials, such as username and password/PIN code.
The researchers found that the banks had put a lot of effort into the security of their apps. However, one particular technology used – so-called “certificate pinning” – which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.
The tests found that apps from some of the largest banks in the world contain this flaw, which, if exploited, could have enabled an attacker to decrypt, view and modify network traffic from users of the app. An attacker with this capability could thereby perform any operation that is normally possible in the app.
Other attacks were also found, including “in-app phishing attacks” against Santander and Allied Irish Bank. These attacks would have let an attacker take over part of the screen while the app is running and use it to phish for the victim’s login credentials.
The researchers worked with the banks involved and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure.
The researchers recommend that all users of banking apps ensure that they are always using the most recent version of the app, and that they always install upgrades as soon as they are offered.