'Tens of millions' exposed to hackers by banking app security flaw

Exploits in HSBC, Natwest, and Co-op apps would allow hackers to steal user credentials

Researchers have discovered and patched a critical flaw in some of the most popular mobile banking apps that could potentially leave tens of millions of customers vulnerable to hackers.

A scan of more than 400 iOS and Android mobile apps revealed that products offered by HSBC, Natwest, Co-op, and other leading banks were able to be manipulated into exposing a user's sensitive data.

The study, conducted by the University of Birmingham, found that any hackers connected to the same network as the mobile app, like public WiFi or a corporate network, could perform a so-called 'man in the middle' attack and redirect communications between the provider and customer in order to steal credentials.

It's thought that collectively the affected apps could have left tens of millions of users exposed to a potential hack.

Advertisement - Article continues below

A team from the university has been working on a new automated security tool known as 'Spinner' that's able to detect a lack of certificate hostname verification on security-sensitive applications. A technique called "certificate pinning", which normally improves security, made it more difficult to spot the vulnerability through routine checks.

The flaw was so severe that, if exploited, it would have allowed a hacker to view and modify traffic to and from the application, granting the ability to perform any action that is normally possible on the app.

"In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed," said Dr Tom Chothia, a member of the security and privacy group at the University of Birmingham.

"It's impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network".

Disclosure of the vulnerabilities to the banks were made between mid-2015 and mid-2017, but the researchers delayed publication of their research at the banks' request to minimise impact on customers while the banks fixed or removed their apps.

Vulnerabilities were also found in Santander and Allied Irish Bank mobile apps, including "in-app phishing" attacks that would allow a hacker to take control over part of a user's screen while they were in the app and use this to phish for login credentials.

The research team worked alongside the affected banks and the National Cyber Security Centre to fix all the discovered vulnerabilities, and all current versions of the applications are now secure. HSBC was first notified in May this year, and subsequently worked to fix the vulnerability, according to a statement to IT Pro.

Dr Flavio Garcia, who also worked on the Spinner tool, said: "Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."

Given a general tightening of security in the banking sector following the hack affecting users of the Swift banking messaging service in February last year, hackers are turning to more invisible means of stealing data. For example, a new strain of malware discovered in July by Kaspersky Lab was found targeting users by placing a key-logging tool inside legitimate banking applications that would steal credentials once they were entered.

Ilia Kolochencko, CEO of web security company High-Tech Bridge, said: "As much independent research continuously demonstrates, most of the mobile apps for any platforms are insecure and vulnerable, and have been for many years. This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organisations and the relative complexity of practical exploitation of mobile app flaws.

Advertisement - Article continues below

"While many companies do not even consider protecting the mobile backend with a WAF (firewall), believing that it is unnecessary, mobile apps are just the tip of the iceberg."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019