'Tens of millions' exposed to hackers by banking app security flaw

Exploits in HSBC, Natwest, and Co-op apps would allow hackers to steal user credentials

Researchers have discovered and patched a critical flaw in some of the most popular mobile banking apps that could potentially leave tens of millions of customers vulnerable to hackers.

A scan of more than 400 iOS and Android mobile apps revealed that products offered by HSBC, Natwest, Co-op, and other leading banks were able to be manipulated into exposing a user's sensitive data.

Advertisement - Article continues below

The study, conducted by the University of Birmingham, found that any hackers connected to the same network as the mobile app, like public WiFi or a corporate network, could perform a so-called 'man in the middle' attack and redirect communications between the provider and customer in order to steal credentials.

It's thought that collectively the affected apps could have left tens of millions of users exposed to a potential hack.

A team from the university has been working on a new automated security tool known as 'Spinner' that's able to detect a lack of certificate hostname verification on security-sensitive applications. A technique called "certificate pinning", which normally improves security, made it more difficult to spot the vulnerability through routine checks.

The flaw was so severe that, if exploited, it would have allowed a hacker to view and modify traffic to and from the application, granting the ability to perform any action that is normally possible on the app.

Advertisement - Article continues below
Advertisement - Article continues below

"In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed," said Dr Tom Chothia, a member of the security and privacy group at the University of Birmingham.

"It's impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network".

Disclosure of the vulnerabilities to the banks were made between mid-2015 and mid-2017, but the researchers delayed publication of their research at the banks' request to minimise impact on customers while the banks fixed or removed their apps.

Vulnerabilities were also found in Santander and Allied Irish Bank mobile apps, including "in-app phishing" attacks that would allow a hacker to take control over part of a user's screen while they were in the app and use this to phish for login credentials.

Advertisement - Article continues below

The research team worked alongside the affected banks and the National Cyber Security Centre to fix all the discovered vulnerabilities, and all current versions of the applications are now secure. HSBC was first notified in May this year, and subsequently worked to fix the vulnerability, according to a statement to IT Pro.

Dr Flavio Garcia, who also worked on the Spinner tool, said: "Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."

Given a general tightening of security in the banking sector following the hack affecting users of the Swift banking messaging service in February last year, hackers are turning to more invisible means of stealing data. For example, a new strain of malware discovered in July by Kaspersky Lab was found targeting users by placing a key-logging tool inside legitimate banking applications that would steal credentials once they were entered.

Advertisement - Article continues below

Ilia Kolochencko, CEO of web security company High-Tech Bridge, said: "As much independent research continuously demonstrates, most of the mobile apps for any platforms are insecure and vulnerable, and have been for many years. This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organisations and the relative complexity of practical exploitation of mobile app flaws.

"While many companies do not even consider protecting the mobile backend with a WAF (firewall), believing that it is unnecessary, mobile apps are just the tip of the iceberg."

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020