Researchers identify banking app flaw

Mobile app users could start feeling a little more secure in future. A team from the University of Birmingham has developed a tool to perform semi-automated security testing of these apps.

In particular, the tool can identify critical vulnerabilities in banking apps – the researchers identified issues in the HSBC, NatWest and Co-op bank apps.

This allowed attackers connected to the same network as the victims (e.g. on a public or corporate WiFi network) to perform a so-called “Man in the Middle” attack and retrieve credentials such as usernames and passwords/PIN codes.

Although banks had expended a great deal of effort in maintaining stringent security, a technology called certificate pinning was proving to be vulnerable. The Birmingham tests found that apps from major global banks contained this flaw, which, if exploited, could have enabled an attacker to decrypt, view and modify network traffic from users of the app. An attacker with this capability could thereby perform any operation that is normally possible in the app.

This wasn’t the only vulnerability identified. The researchers also found in-app phishing attacks against Santander and Allied Irish Bank. These would have let an attacker take over part of the screen to phish for the victim’s login credentials.

Fixing the flaw

The researchers worked with the banks involved, and the UK government's National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure.

The research was carried out by Dr Tom Chothia, Dr Flavio Garcia and PhD candidate Chris McMahon Stone, all members of the Security and Privacy Group at the University of Birmingham.

Dr Tom Chothia said: “In general, the security of the apps we examined was very good; the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed.” He added: “It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
