Major security flaw found in banking apps puts millions of customers at risk


Researchers have discovered a flaw in several major banking apps that could put millions of customers at risk from attackers on the same WiFi network.

The researchers ran a tool against several banking apps, including those of HSBC, NatWest, Santander, Bank of America and the Co-op Bank, and found that a criminal sharing a network with the victim could deceive the apps into talking to the attacker's server instead of the bank's, exposing customers' personal details.

The team at the University of Birmingham said it is unclear whether any customers were attacked through the flaw, which has since been patched, Threat Post reported.

The attack, a man-in-the-middle attack sometimes known as the Janus attack, involves an attacker secretly relaying, and where useful altering, the communications between two parties who believe they are talking directly to each other.

The problem was connected to a technique called certificate pinning, in which the app accepts only certificates tied to a key it already knows. Pinning is used by many of the major banking apps and usually improves security, but it can also mask other vulnerabilities from routine checks: a tester's interception proxy, which presents its own certificate, is rejected by the pin, so a missing check behind the pin goes unnoticed.

During the research, other potential attacks were also discovered, including “in-app phishing attacks” against Santander and Allied Irish Banks.

These attacks let hackers take over part of the screen while the app is running and then phish for the victim's login details.

The researchers worked with the banks and the UK's National Cyber Security Centre to fix all of the vulnerabilities, and the current versions of the apps are no longer affected by the pinning flaw.

Dr Tom Chothia, who led the research, said: "It's impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network."

His colleague, Dr Flavio Garcia, said: “Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.”
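The following is an added example, not code from the University of Birmingham team, their tool, or any of the banks named above. It models the failure Dr Garcia describes and the reason pinning hides it: a certificate checker that matches a pinned public key but never verifies the hostname will accept any certificate from the pinned issuer, including one an attacker legitimately obtains for a domain they control. Certificates are modelled as plain records with constructed sample data (the `spki_der` bytes stand in for a real DER SubjectPublicKeyInfo), and the example assumes the app pins its issuing CA's key, the configuration in which a missing hostname check matters most; the names `Cert`, `vulnerable_accept`, `hardened_accept` and `rogue_host_probe` are this example's own.

```python
"""Pinning without hostname verification, modelled offline.

Constructed example: certificates are simple records, signatures are assumed
to have already been checked, and only the pin and hostname logic is real.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_der: bytes        # stand-in for the DER SubjectPublicKeyInfo (constructed)
    san_dns: tuple = ()    # dNSName entries from subjectAltName
    is_ca: bool = False


def spki_pin(cert: Cert) -> str:
    """Pin in the 'sha256/<base64>' form used by HPKP and OkHttp-style pinners."""
    digest = hashlib.sha256(cert.spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, at most one leftmost '*' label,
    wildcard never spans a dot and never stands for a whole public suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_verified(leaf: Cert, hostname: str) -> bool:
    return any(dns_name_matches(name, hostname) for name in leaf.san_dns)


def chain_to_pinned_ca(chain, pinned_pins) -> bool:
    """True if some CA certificate in the presented chain carries a pinned key."""
    return any(c.is_ca and spki_pin(c) in pinned_pins for c in chain)


def vulnerable_accept(chain, hostname, pinned_pins) -> bool:
    # The flaw in the article: the pin is checked, the hostname never is.
    return chain_to_pinned_ca(chain, pinned_pins)


def hardened_accept(chain, hostname, pinned_pins) -> bool:
    # Pinning is an addition to hostname verification, not a replacement for it.
    return chain_to_pinned_ca(chain, pinned_pins) and hostname_verified(chain[0], hostname)


def rogue_host_probe(accept, hostname, pinned_pins, rogue_chain) -> str:
    """The test a pentester needs once a proxy's own certificate is rejected by
    the pin: present a chain from the pinned issuer that is valid for a
    different host. Acceptance means the hostname check is missing."""
    if accept(rogue_chain, hostname, pinned_pins):
        return "VULNERABLE: pinned issuer accepted for the wrong hostname"
    return "ok: certificate for another host rejected"


# Constructed sample data: one issuing CA that, like any public CA, issues to
# the bank and to anyone else who proves control of their own domain.
CA = Cert("Example Bank Issuing CA", "Example Root", b"ca-spki-placeholder", is_ca=True)
BANK_LEAF = Cert("api.examplebank.test", CA.subject, b"bank-spki-placeholder",
                 ("api.examplebank.test", "*.examplebank.test"))
ROGUE_LEAF = Cert("attacker.example", CA.subject, b"attacker-spki-placeholder",
                  ("attacker.example",))
PINS = {spki_pin(CA)}
BANK_HOST = "api.examplebank.test"

if __name__ == "__main__":
    for checker in (vulnerable_accept, hardened_accept):
        print(checker.__name__, "->", rogue_host_probe(checker, BANK_HOST, PINS, [ROGUE_LEAF, CA]))
```

Both checkers accept the bank's own certificate, which is why the flaw survives ordinary functional testing; only the probe with a certificate for another host tells them apart.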

Source: University of Birmingham
