'Tens of millions' exposed to hackers by banking app security flaw

Exploits in HSBC, Natwest, and Co-op apps would allow hackers to steal user credentials

Researchers have discovered and patched a critical flaw in some of the most popular mobile banking apps that could potentially leave tens of millions of customers vulnerable to hackers.

A scan of more than 400 iOS and Android mobile apps revealed that products offered by HSBC, Natwest, Co-op, and other leading banks were able to be manipulated into exposing a user's sensitive data.

The study, conducted by the University of Birmingham, found that any hackers connected to the same network as the mobile app, like public WiFi or a corporate network, could perform a so-called 'man in the middle' attack and redirect communications between the provider and customer in order to steal credentials.

It's thought that collectively the affected apps could have left tens of millions of users exposed to a potential hack.

Advertisement - Article continues below
Advertisement - Article continues below

A team from the university has been working on a new automated security tool known as 'Spinner' that's able to detect a lack of certificate hostname verification on security-sensitive applications. A technique called "certificate pinning", which normally improves security, made it more difficult to spot the vulnerability through routine checks.

The flaw was so severe that, if exploited, it would have allowed a hacker to view and modify traffic to and from the application, granting the ability to perform any action that is normally possible on the app.

"In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed," said Dr Tom Chothia, a member of the security and privacy group at the University of Birmingham.

"It's impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network".

Disclosure of the vulnerabilities to the banks were made between mid-2015 and mid-2017, but the researchers delayed publication of their research at the banks' request to minimise impact on customers while the banks fixed or removed their apps.

Vulnerabilities were also found in Santander and Allied Irish Bank mobile apps, including "in-app phishing" attacks that would allow a hacker to take control over part of a user's screen while they were in the app and use this to phish for login credentials.

Advertisement - Article continues below

The research team worked alongside the affected banks and the National Cyber Security Centre to fix all the discovered vulnerabilities, and all current versions of the applications are now secure. HSBC was first notified in May this year, and subsequently worked to fix the vulnerability, according to a statement to IT Pro.

Dr Flavio Garcia, who also worked on the Spinner tool, said: "Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."

Given a general tightening of security in the banking sector following the hack affecting users of the Swift banking messaging service in February last year, hackers are turning to more invisible means of stealing data. For example, a new strain of malware discovered in July by Kaspersky Lab was found targeting users by placing a key-logging tool inside legitimate banking applications that would steal credentials once they were entered.

Ilia Kolochencko, CEO of web security company High-Tech Bridge, said: "As much independent research continuously demonstrates, most of the mobile apps for any platforms are insecure and vulnerable, and have been for many years. This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organisations and the relative complexity of practical exploitation of mobile app flaws.

"While many companies do not even consider protecting the mobile backend with a WAF (firewall), believing that it is unnecessary, mobile apps are just the tip of the iceberg."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020