'Tens of millions' exposed to hackers by banking app security flaw

Apps on smartphone

Researchers have discovered and patched a critical flaw in some of the most popular mobile banking apps that could potentially leave tens of millions of customers vulnerable to hackers.

A scan of more than 400 iOS and Android mobile apps revealed that products offered by HSBC, Natwest, Co-op, and other leading banks were able to be manipulated into exposing a user's sensitive data.

The study, conducted by the University of Birmingham, found that any hackers connected to the same network as the mobile app, like public WiFi or a corporate network, could perform a so-called 'man in the middle' attack and redirect communications between the provider and customer in order to steal credentials.

It's thought that collectively the affected apps could have left tens of millions of users exposed to a potential hack.

A team from the university has been working on a new automated security tool known as 'Spinner' that's able to detect a lack of certificate hostname verification on security-sensitive applications. A technique called "certificate pinning", which normally improves security, made it more difficult to spot the vulnerability through routine checks.

The flaw was so severe that, if exploited, it would have allowed a hacker to view and modify traffic to and from the application, granting the ability to perform any action that is normally possible on the app.

"In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed," said Dr Tom Chothia, a member of the security and privacy group at the University of Birmingham.

"It's impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network".

Disclosure of the vulnerabilities to the banks were made between mid-2015 and mid-2017, but the researchers delayed publication of their research at the banks' request to minimise impact on customers while the banks fixed or removed their apps.

Vulnerabilities were also found in Santander and Allied Irish Bank mobile apps, including "in-app phishing" attacks that would allow a hacker to take control over part of a user's screen while they were in the app and use this to phish for login credentials.

The research team worked alongside the affected banks and the National Cyber Security Centre to fix all the discovered vulnerabilities, and all current versions of the applications are now secure. HSBC was first notified in May this year, and subsequently worked to fix the vulnerability, according to a statement to IT Pro.

Dr Flavio Garcia, who also worked on the Spinner tool, said: "Certificate pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification."

Given a general tightening of security in the banking sector following the hack affecting users of the Swift banking messaging service in February last year, hackers are turning to more invisible means of stealing data. For example, a new strain of malware discovered in July by Kaspersky Lab was found targeting users by placing a key-logging tool inside legitimate banking applications that would steal credentials once they were entered.

Ilia Kolochencko, CEO of web security company High-Tech Bridge, said: "As much independent research continuously demonstrates, most of the mobile apps for any platforms are insecure and vulnerable, and have been for many years. This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organisations and the relative complexity of practical exploitation of mobile app flaws.

"While many companies do not even consider protecting the mobile backend with a WAF (firewall), believing that it is unnecessary, mobile apps are just the tip of the iceberg."

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.